Dictionary and Brute Force Attacks

Dictionary Attacks

A dictionary attack is a method of password cracking that involves entering “words from a rundown as passwords to access a system, account, or encrypted document.” (Ohri, 2021) A dictionary attack does not have to be used nefariously, since it can be used to regain access to your own system if you cannot recall your password, but it is commonly used to gain unauthorized access to a system, which is, of course, unethical. In these situations there is the person attempting the attack, called the attacker, and the person whose machine or credentials the attack is being leveraged against, called the victim. These attacks can be done offline, in which case the speed of the attack depends on the processing power of the attacker’s machine, or online, in which case the speed depends on either the processing power of the attacker’s machine or the limit on how often one can attempt to input a password on the victim machine. The effective speed will be whichever is slower.

The maximum number of attempts an attacker may have to make is simply the number of entries in the dictionary. The maximum possible time an attack may take is that number of entries divided by the number of attempts that can be made in a given time period.

Brute Force Attacks

While a dictionary attack is indeed a type of brute force attack, a brute force attack is not necessarily a dictionary attack. A brute force attack is a methodology of password cracking in which an attacker tries different combinations of characters to guess a password (or the password behind a stored hash). A pure brute force attack uses “every possible combination of numbers [and] alphabets to guess the passwords.” (Tweak Library Team, 2020) A dictionary attack does not use every possible combination of characters, but instead restricts the candidate passwords to a list of likely words or phrases.

To give an example of a pure brute force attack, let’s imagine there is a three-character passphrase composed only of numerical digits, and that the passphrase is 723. A brute force attack would start by trying 000, then 001, then 002, all the way up to 723. You can find the maximum possible number of attempts a brute force attack will take by taking the total number of possible characters (in this case the digits 0-9, for a total of ten possible characters) and raising that number to the power of x, where x is the number of positions in which those characters can be tried. In this case there are three positions, for a total of 10^3 = 1,000 possible combinations. You can find the maximum possible time by dividing this value by the number of attempts an attacker can make during a given time interval, then multiplying by that interval. If, in our example, the attacker can make 5 attempts every minute, then the longest it can possibly take to find the password is 1,000 * 1 minute / 5 = 200 minutes. Given the exponential growth in the number of combinations that may have to be tried, a brute force attack should usually be a last resort. While the algorithm an attacker runs can be tuned to a specific password requirement (in our example, we did not need to try any alphabetic characters because the password only accepted digits), this exponential growth can make a brute force attack take a very long time to find a password. The upside is that, in theory, a brute force attack can find any password, so long as there is no limit on the number of attempts an attacker can make on the victim machine.
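The arithmetic above, carried through in code as an added illustration (this is not code from the essay or its sources). It reproduces the essay's three-digit scenario and generalizes it to a policy that permits a range of lengths, which is where the exponential growth becomes visible; the character sets, lengths and attempt rates are constructed inputs, and the enumeration order (000, 001, 002, ...) is the one the essay describes.

```python
"""Worst-case arithmetic for a pure brute force attack.

Added illustration; not part of the essay. Charset sizes and rates are
constructed inputs, and the enumeration order (000, 001, 002, ...) is the one
the essay describes.
"""
from fractions import Fraction
from typing import Optional

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
ALNUM = DIGITS + LOWER + LOWER.upper()  # 62 symbols


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` positions over `charset_size`
    symbols: charset_size ** length (10 ** 3 = 1,000 for the essay's PIN)."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def keyspace_range(charset_size: int, min_len: int, max_len: int) -> int:
    """Total candidates when a policy allows any length from min_len to
    max_len inclusive; each extra position multiplies the count by
    charset_size, which is the exponential growth the essay points out."""
    return sum(keyspace(charset_size, n) for n in range(min_len, max_len + 1))


def max_attack_minutes(total_candidates: int, attempts_per_minute: int) -> Fraction:
    """Worst case: the correct value is the last one tried, so the time is the
    candidate count divided by the attacker's rate (1,000 / 5 = 200 minutes)."""
    if attempts_per_minute < 1:
        raise ValueError("attempts_per_minute must be >= 1")
    return Fraction(total_candidates, attempts_per_minute)


def attempts_until_found(password: str, charset: str, min_len: Optional[int] = None) -> int:
    """Number of guesses (1-based) an exhaustive enumerator makes before it
    reaches `password`, counting in charset order within a length. By default
    only the target's own length is searched, as in the essay's 000..723
    walk; pass min_len to count every shorter length first."""
    base = len(charset)
    if min_len is None:
        min_len = len(password)
    # Candidates of every shorter length come first; the sum is empty when
    # min_len equals the target length.
    shorter = keyspace_range(base, min_len, len(password) - 1)
    rank = 0
    for ch in password:
        rank = rank * base + charset.index(ch)  # ValueError if ch is outside the charset
    return shorter + rank + 1


if __name__ == "__main__":
    # The essay's scenario: three digits, five attempts per minute.
    total = keyspace(10, 3)
    print(f"candidates: {total}, worst case: {max_attack_minutes(total, 5)} minutes")
    print(f"'723' is found on attempt {attempts_until_found('723', DIGITS)}")
    # Why length matters so much: eight alphanumeric positions.
    print(f"62^8 = {keyspace(len(ALNUM), 8):,}")
```

The `attempts_until_found` function makes the essay's point concrete: with the enumerator walking 000, 001, 002, ..., the value 723 is reached on the 724th guess, and a policy that also permits one- and two-digit values pushes that to the 834th because the 110 shorter candidates are tried first.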

Dictionary Attack Procedure

Before launching a dictionary attack, an attacker will want to organize their dictionary. To begin with, an attacker should look into the infrastructure of the machine or software they will be attacking, looking for password requirements and constraints. Any password requirements and constraints help define what should or should not be included in the dictionary. For example, if a password is required to be five characters long and constrained to alphanumeric characters only, the attacker should make sure the dictionary includes entries of five or more characters that are made up of alphanumeric characters, while removing any entry shorter than five characters and any entry that contains symbols, whether made up of symbols alone or of symbols mixed with alphanumerics. This tailors the password dictionary as finely as possible, to reduce the maximum possible time to attack.

The next step before launching the attack is to put the most likely passwords at the top. If the dictionary is processed from top to bottom, then placing the most likely passwords at the top makes a shorter total attack time more likely.

Once the attack begins, the program should take a password from the attacker’s dictionary and attempt to use it on the victim’s machine. If the passwords are hashed on the victim’s machine, then the attacker must hash the dictionary value the same way before comparing it. In an example infrastructure that hashes a password three times, the attacker takes their dictionary value, iteratively hashes it three times using the same hash algorithm, then checks whether the result matches the hash stored on the machine.

Considerations

Once the attack begins, all an attacker can do is wait. The program should systematically go through the dictionary and attempt each password. A check may be programmed in to try only a certain number of passwords every minute or hour, both to avoid obvious detection by a security team or program and to keep the system from locking up. Additionally, if performing an online attack, the attacker should sync their attack speed with the speed at which the website or system can process an attempted login. If the algorithm does not wait for a password attempt to complete on an online machine, the program may think it is attempting passwords when it is really only trying one password every few seconds and skipping all the in-between ones. For example, if a system can only process one login attempt every minute and the program submits one password every second without checking that the previous attempt has finished, then it will only try one out of every sixty passwords.

If a victim's machine uses salting or hashing, then the attacker must account for this. If multiple hashing algorithms or rounds are used, the dictionary value must be hashed multiple times before checking whether it matches a stored password. If passwords are salted, then an attacker must try all dictionary words for each salt value. Both increase the amount of time it takes to fully attempt each dictionary value.
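The following added example (not code from the essay or its sources) shows the storage side of the two defences just described: the "hash the password three times" scheme from the attack procedure above as an iterated hash, a per-user salt combined with an iterated hash (PBKDF2-HMAC-SHA256 is used here because the essay does not name a hash), and the arithmetic for how much work each choice imposes on an attacker who must test every dictionary word against every stored record. The passwords, salts, word counts and account counts are constructed values.

```python
"""Salted, iterated hashing and the work it forces on a dictionary attack.

Added illustration; not part of the essay. Passwords, salts and counts below
are constructed; PBKDF2-HMAC-SHA256 stands in for the essay's unspecified
hash, and `iterated_sha256` mirrors its 'hash the password three times'.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def iterated_sha256(data: bytes, rounds: int) -> bytes:
    """Apply SHA-256 `rounds` times in a row, the essay's 'hash three times'.
    The attacker must run the same loop once per dictionary word."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = data
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_record(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> dict:
    """Store (salt, iteration count, digest). A fresh random salt per user is
    what forces the attacker to rehash the whole dictionary for every account."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def dictionary_work(num_words: int, num_accounts: int, iterations: int, per_user_salt: bool) -> int:
    """Hash computations needed to test every dictionary word against every
    stored record. Without salt, one hash per word can be compared against all
    accounts; with a per-user salt the count is multiplied by the accounts."""
    per_word = num_words * iterations
    return per_word * num_accounts if per_user_salt else per_word


def duplicates_visible(records: list) -> bool:
    """Without per-user salt, two users who chose the same password store the
    same digest, so one recovered password exposes both. Unique salts hide this."""
    digests = [r["hash"] for r in records]
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    shared_salt = b"\x00" * 16  # constructed: stands in for 'no salt' / one global salt
    shared = [make_record("password1", 1000, shared_salt) for _ in range(2)]
    unique = [make_record("password1", 1000) for _ in range(2)]
    print("shared salt, duplicates visible:", duplicates_visible(shared))
    print("per-user salt, duplicates visible:", duplicates_visible(unique))
    print("verify correct:", verify(unique[0], "password1"), "wrong:", verify(unique[0], "passw0rd"))
    print("hashes for 10,000 words x 50 accounts x 3 rounds, salted:",
          dictionary_work(10_000, 50, 3, True), "unsalted:", dictionary_work(10_000, 50, 3, False))
```

The `dictionary_work` function is the essay's point in numbers: with 10,000 words, 50 accounts and three hash rounds, an unsalted store costs the attacker 30,000 hash computations for the whole user list, while per-user salts raise that to 1,500,000 because every word has to be rehashed for every account.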

References

Dictionary attack: A beginner's guide in 5 easy points. Jigsaw Academy. (2021, January 4). Retrieved April 3, 2022, from https://www.jigsawacademy.com/blogs/cyber-security/dictionary-attack/

Tweak Library Team. (2020, August 26). Difference between brute force & dictionary attack. Tweak Library. Retrieved April 3, 2022, from https://tweaklibrary.com/difference-between-brute-force-dictionary-attack/