Analyses of released password lists have shown that many people not only reuse the same or similar passwords across web applications, but also try to satisfy numeric and special-character requirements by tacking a “1” or an exclamation point onto the front and/or end of a memorized passphrase (e.g., Yankees#1fan or Abc123!). Additionally, hackers can create, purchase and sell databases pre-loaded with these common passphrases to streamline a dictionary attack.
There are several ways to conduct a dictionary attack, depending on the hacker’s time and resources and on the structure of the resource being targeted. In one scenario, the hacker already has a list of usernames and runs hundreds of password guesses across them in a matter of seconds. This approach lets the hacker avoid immediate detection: instead of server logs showing that one user tried to log in many times without success, it appears as though many different users simply entered the wrong password over a period of time.
While it may seem counter-intuitive, the common practice of locking users out after a predetermined number of incorrect attempts can actually be a liability when combating a dictionary attack (or brute-force attacks in general). For example, if only three (3) incorrect log-in attempts lock an account and flag it for review by an administrator, the system is, in a sense, susceptible to a denial-of-service attack. A clever hacker could run a two-pronged strike, trying to crack passwords while at the same time locking out many of a company’s users, denying them service and thereby severely impacting business and commerce operations.
To protect your resources against dictionary attacks efficiently, it is recommended that log-in attempts be permitted on a “staggered” schedule. In practice this might mean that after the second incorrect log-in attempt there is a 4-second delay before authentication is enabled again; if authentication fails a third time, there is an 8-second delay; after the fourth, 16 seconds; and so on. As you might imagine, this approach slows the rate of a possible dictionary attack, because the automated scripts and software that drive it are throttled by the increasing time intervals.
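The staggered schedule above, implemented as an added example (not code from the original page): a per-account guard that imposes a 4 s wait after the second consecutive failure, doubling after each further failure, and resets on success. The user store, `check_password` callback and injectable clock are assumptions made so the policy can be exercised without sleeping.

```python
import time
from typing import Callable, Dict

FAILURES_BEFORE_DELAY = 2   # the 2nd failure is the first one that triggers a wait
BASE_DELAY_SECONDS = 4.0    # wait after the 2nd failure; doubles on each further failure


class StaggeredLoginGuard:
    """Exponential back-off on failed logins instead of a hard lockout.

    State is tracked per account (in production it should also be keyed by
    source address and persisted, so it survives restarts and covers the
    "many usernames, few guesses each" pattern described above).
    """

    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._check_password = check_password   # returns True on a correct password
        self._clock = clock                     # injectable so tests need not sleep
        self._failures: Dict[str, int] = {}     # consecutive failures per account
        self._not_before: Dict[str, float] = {} # earliest time the next attempt is accepted

    @staticmethod
    def required_delay(failures: int) -> float:
        """Seconds to wait after `failures` consecutive failures: 0, 0, 4, 8, 16, ..."""
        if failures < FAILURES_BEFORE_DELAY:
            return 0.0
        return BASE_DELAY_SECONDS * 2 ** (failures - FAILURES_BEFORE_DELAY)

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'wrong_password' or 'too_early'."""
        now = self._clock()
        if now < self._not_before.get(username, 0.0):
            # Inside the back-off window: refuse without consulting the password
            # store, so early guesses reveal nothing and cost the attacker the wait.
            return "too_early"
        if self._check_password(username, password):
            self._failures.pop(username, None)      # success resets the schedule
            self._not_before.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        self._not_before[username] = now + self.required_delay(failures)
        return "wrong_password"


if __name__ == "__main__":
    users = {"alice": "correct horse battery"}          # constructed sample store
    guard = StaggeredLoginGuard(lambda u, p: users.get(u) == p)
    for guess in ("password", "abc123!", "correct horse battery"):
        print(guess, "->", guard.attempt("alice", guess))
```

Because the wait grows with the failure count rather than locking the account outright, a legitimate user who types a wrong password is delayed for seconds rather than locked out, while an automated guesser is throttled harder with every miss.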
One type of dictionary attack with a proven and likely chance of succeeding makes use of a personalized dictionary. If a hacker knows an individual’s personal information (their name or the names of their spouse and/or children; birthdays and important dates; names of pets and favorite foods; schools attended and favorite sports teams), a personalized dictionary can be built to increase the likelihood of accessing the victim’s accounts. With the explosion of social media, retrieving this kind of personal information is easy and could prove beneficial to the attacker.
See Also: RAINBOW TABLES