Most people are aware of good online security habits. However, they often fail to use them to their fullest extent, leaving them susceptible to dictionary attacks. Despite knowing that they should protect their online accounts, many people fail to follow simple guidelines like creating strong passwords. In fact, a Google study found that an estimated 65% of people reuse passwords across multiple accounts. Additionally, 59% use personal details in their passwords that are easy to guess or discover, such as pet names and birthdates.
In addition, people often use simple, obvious passwords which are very easy to crack. Studies have shown that keyboard runs like “123456” and “qwerty”, and phrases like “Password”, “iloveyou”, and “Welcome” are among the most commonly used and regularly appear in data breach leaks.
The implication, then, is that these attacks are very common—and very successful—simply because people do not take dictionary attack prevention seriously.
In its simplest form, a dictionary attack is a type of brute force attack where hackers try to guess a user’s password to their online accounts by quickly running through a list of commonly used words, phrases, and number combinations. When a dictionary attack has successfully cracked a password, the hacker can then use this to gain access to things like bank accounts, social media profiles, and even password-protected files. This is when it can become a real problem for the attacker’s victim.
This type of hacking uses a systematic approach to cracking passwords. There are essentially three steps to successfully carrying out these hacks, and understanding them can be helpful in learning how to prevent a dictionary attack.
To compile the list of potential passwords, the attacker will often use common pet names, recognisable pop-culture characters, or major sports teams and athletes, for example. This is because many people use these types of words to create passwords that have meaning to them and that they can easily remember. The list will normally include variations of these, such as different combinations of words, or the addition of special characters.
Running this list with automated tools also makes it easier for dictionary attacks to be successful. Using a password list and an automated tool in tandem makes it far quicker to attempt to crack a password and hack into an online account. If this were done manually, the attack would take too long and would give the account owner—or system administrator—time to notice and implement a defence against the attack.
Because of the way they work, these dictionary attacks often do not have an individual target. Instead, they are carried out in the hope that one of the passwords on the list will be correct. However, if the attacker is targeting a particular place or organisation, they will create a more focused and localised list of words. For example, if they plan to carry out the attack in Spain, they might use common Spanish words instead of English. Or, if they are targeting a particular organisation, they might use words associated with that company.
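A defender-side check of this kind, added here as an illustration and not code from the original article: before comparing a candidate password against a wordlist, it undoes the variations described above (trailing digits and symbols, letter-for-symbol substitutions, words glued together or joined with separators), so that "Fluffy2019!" or "P@ssw0rd" is caught as the plain dictionary word it was built from. The wordlist and the 12-character minimum are constructed assumptions; a deployed check would load the leaked-password corpora the article mentions.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the kinds of entries the article describes (keyboard
# runs, common phrases, pet names, pop-culture characters, sports teams).
COMMON_WORDS = {
    "123456", "qwerty", "password", "iloveyou", "welcome",
    "fluffy", "max", "batman", "arsenal", "yankees", "summer",
}

# Reverse the usual character substitutions so "p@ssw0rd" maps back to "password".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def base_forms(candidate: str) -> list:
    """Base words that common mangling rules could have turned into `candidate`."""
    lower = candidate.lower()
    forms = []
    for seed in (lower, lower.translate(UNLEET)):
        # Drop the digits/symbols people bolt onto either end ("Fluffy2019!").
        core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", seed)
        # Also consider each piece of a separator-joined combination ("batman_arsenal").
        forms += [seed, core, *re.split(r"[\W_\d]+", core)]
    # De-duplicate while preserving order so results are deterministic.
    return [f for f in dict.fromkeys(forms) if f]


def dictionary_match(candidate: str, wordlist=COMMON_WORDS) -> Optional[str]:
    """Return the wordlist entry (or pair) a dictionary attack would hit, or None."""
    for form in base_forms(candidate):
        if form in wordlist:
            return form
        # Two list entries glued together without a separator ("fluffybatman").
        for w in wordlist:
            if form.startswith(w) and form[len(w):] in wordlist:
                return f"{w}+{form[len(w):]}"
    return None


def check_password(candidate: str, min_len: int = 12) -> Tuple[bool, str]:
    """Policy gate: (accepted, reason). Length is checked before the wordlist."""
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    hit = dictionary_match(candidate)
    if hit:
        return False, f"derived from common word(s): {hit}"
    return True, "ok"
```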
Even though dictionary hacking is a type of brute force attack, there is an important difference between the two. While dictionary attacks use a preset list of words to systematically try to crack account passwords, brute force hacks do not use a list and instead run through every combination of letters, symbols, and numbers that might be used to create a password. As such, dictionary attacks are usually more efficient—and have a higher chance of success—simply because they have far fewer combinations to try.
With 26 letters of the alphabet and 10 single-digit numbers—a total of 36 characters—the sheer number of possible combinations a brute force attack must run through in order to succeed is almost impractically large. For context, for a brute force attack to hack a 10-character password, there would be 3.76 quadrillion potential alphanumerical passwords to run through.
The advantage of brute force attacks, though, is that they are more likely to be able to crack difficult and unique passwords with their trial-and-error approach. Because they run through such a comprehensive list of possible passwords, there is a higher probability that these attacks will eventually be able to find the right combination of characters of any given password.
Understanding what a dictionary attack is and how it works is one step towards preventing it. But for those who are serious about dictionary attack prevention, these tips can help:
Password managers can be a useful way to manage your account credentials securely and minimise the likelihood of falling victim to dictionary hacking. Apps like Kaspersky Password Manager offer an array of benefits that can help keep passwords secure. Here are some reasons to consider using one:
Dictionary hacking is a very common type of cybercrime that hackers use to gain access to an individual’s personal accounts, including bank accounts, social media profiles, and emails. With this access, hackers can perpetrate all sorts of actions, from financial fraud and malicious social media posts to further cybercrimes like phishing. However, dictionary attack prevention can be as simple as implementing certain safeguards to minimise the risk of falling victim to these attacks. Using smart password management habits, employing different types of authentication, and using readily available password managers, for example, can all help keep passwords and accounts secure.
Kaspersky Endpoint Security received three AV-TEST awards for the best performance, protection, and usability for a corporate endpoint security product in 2021. In all tests, Kaspersky Endpoint Security showed outstanding performance, protection, and usability for businesses.