Understanding Dictionary Attacks

All is quiet in the library. As sleepy hours of research linger on, suddenly, out of nowhere, a rabid librarian appears. With a blood-curdling scream, wielding a large dictionary, she bears down on you like a speeding bullet. In the moments that follow, you try to beat a retreat, but not before she lands a blow to your forehead. Your final moments of consciousness are spent trying to make sense of her hysteria around some spelling error.

Fortunately, waking up is a great cure for nightmares. Unfortunately, another nightmare is busy unfolding in cyber-space, one which will eventually see you being ripped off unless you “catch a wake up”. Most people protect their sensitive data by using passwords. The next few paragraphs will hopefully give you a sense of how easily those passwords are cracked and how you can better protect yourself.

Et tu, Brute?

A dictionary attack is a method of breaking into a password-protected computer or document by systematically entering every word in a dictionary as a password. Mostly these words will also include derivatives where letters have been replaced with special characters. In addition to a basic word, such as sanctimonious, the attack will include various other combinations such as Sanctimonious, s@nct!m0n!0#s, S@nct!m0n!0#s, sanctim0n!0#s and so on. As you can see, a fifty thousand word dictionary can very quickly become a million word dictionary.

Instead of S@nct!m0n!0#s, a more diligent user would try a password like 67(!@90$%ism). It is unlikely that an ordinary dictionary attack would be able to crack a password like that. For that kind of password a hacker would have to resort to what is known as a brute-force attack. A brute-force attack is one in which every possible combination of letters, numbers, special characters and spaces is tried, up to a certain maximum length. The problem with these attacks is that they are very time-consuming.

In order to reduce the attack time from years down to minutes, it would be necessary to somehow reduce trillions of combinations down to less than a million. To achieve this, several academics have studied the psychology around how people choose their passwords. Their work has been turned into optimised dictionaries which are available for purchase on the internet. But these are not the only tools available to hackers. With a minimal amount of skill a hacker could use freely available tools such as Brutus, Ophcrack and John the Ripper to perform brute force and dictionary attacks.
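To make the "derivatives" described above concrete, here is a small added example (my code, not the author's, and not taken from any of the tools named) that models one such mangling rule set. The substitution table and the three-word sample dictionary are constructed for illustration; real wordlists and rule sets are far larger. It shows how one base word multiplies into thousands of candidates, and it turns the same idea into a defender's check: a password policy that rejects anything a dictionary attack would reach by simply undoing the substitutions, which avoids expanding the whole dictionary.

```python
from itertools import product

# Letter -> characters a simple mangling rule swaps in for it. Constructed for
# illustration (real rule sets are larger); each substitute stands for only
# one letter so that it can be mapped back unambiguously.
SUBSTITUTIONS = {
    "a": "@4",
    "e": "3",
    "i": "!1",
    "o": "0",
    "s": "$5",
    "t": "7",
    "u": "#",
}
UNSUBSTITUTE = {sub: letter for letter, subs in SUBSTITUTIONS.items() for sub in subs}

# Constructed three-word sample dictionary; a real wordlist has tens of thousands.
SAMPLE_DICTIONARY = {"sanctimonious", "guitar", "table"}


def position_options(word):
    """For each letter of `word`, the characters the rule set may emit there:
    the letter itself, its substitutes and, in the first position only, its
    capital (giving 'Sanctimonious' as well as 'sanctimonious')."""
    options = []
    for index, ch in enumerate(word.lower()):
        choices = ch + SUBSTITUTIONS.get(ch, "")
        if index == 0 and ch.isalpha():
            choices += ch.upper()
        options.append(choices)
    return options


def variants(word):
    """Generate every derivative of `word` the rule set produces, e.g.
    sanctimonious -> Sanctimonious, s@nct!m0n!0#s, S@nct!m0n!0#s, ..."""
    for combo in product(*position_options(word)):
        yield "".join(combo)


def variant_count(word):
    """How many candidates one dictionary word becomes under the rule set,
    computed as the product of per-position choices without enumerating them."""
    total = 1
    for choices in position_options(word):
        total *= len(choices)
    return total


def expanded_size(dictionary):
    """Total candidates an attacker derives from a whole wordlist; this is the
    '50 000 words become a million' effect the article describes."""
    return sum(variant_count(w) for w in dictionary)


def normalise(candidate):
    """Undo the substitutions and casing so a mangled password maps back to
    the base word an attacker would have started from."""
    return "".join(UNSUBSTITUTE.get(ch, ch.lower()) for ch in candidate)


def is_mangled_dictionary_word(candidate, dictionary=SAMPLE_DICTIONARY):
    """Policy check: True if `candidate` is a dictionary word or one of its
    derivatives, i.e. something a dictionary attack would reach quickly.
    Runs in time proportional to the candidate's length, not the dictionary's
    expanded size."""
    return normalise(candidate) in dictionary


if __name__ == "__main__":
    word = "sanctimonious"
    print(f"{word}: {variant_count(word)} derivatives from one word")
    print(f"sample dictionary of {len(SAMPLE_DICTIONARY)} words expands to "
          f"{expanded_size(SAMPLE_DICTIONARY)} candidates")
    for pw in ["S@nct!m0n!0#s", "67(!@90$%ism)",
               "My adorable new puppy's name is guitar"]:
        verdict = ("weak: dictionary derivative" if is_mangled_dictionary_word(pw)
                   else "not a dictionary derivative")
        print(f"{pw!r}: {verdict}")
```

With this table alone, the single word sanctimonious yields 5184 distinct candidates, so the article's arithmetic is, if anything, conservative. The check deliberately works backwards (normalising the candidate) rather than forwards (expanding the dictionary), which is how a login form or password-change page can apply it cheaply; note that 67(!@90$%ism) passes the check not because it is long but because no base word survives the normalisation.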

Some good news

There are a number of simple things that you can do which will change the odds of becoming a victim. The first thing to remember is that hacking tools generally don’t do well with passwords longer than 16 characters. Your password could even be a phrase with two parts. You don’t need to remember the first part. You could even write it on your computer. For example: “My adorable new puppy’s name is…” Although you need to commit the second part to memory, it can be an easier word like “guitar”, “voetsek” or “table”. So your password would be “My adorable new puppy’s name is guitar”.

Never use the same password in more than one place. A hacker might not attack your bank account directly because he would be kicked out after three tries. His strategy would be to attack a less secure target, such as your logon to your local choir club’s website, and to use that password to attack your bank account.

Change all your passwords frequently and avoid reusing old passwords. Having harvested many people’s personal details, hackers often wholesale this information to specialist fraudsters. This means you may have a few weeks’ grace from the time you are hacked to the time you become a statistic.

And finally

Even the most secure networks can be compromised. It would be wise to come to terms with the fact that, no matter how good your IT guys are, sooner or later you are going to suffer a breach. To that end, I recommend prayer and cyber insurance.

Author: John Stebbing