
Dictionary attack: what if a password dictionary was the solution?


By Jennifer Montérémal

Published: October 29, 2024

Did you know that there are password dictionaries freely available on the Internet?

While the news may seem frightening at first, since it means that hackers can make use of them, you should know that companies can also benefit from them!

But how?

In this article, we take a closer look at the concept of password lists, and explain how you can use them to protect yourself against dictionary attacks. We'll also give you a few tips on how you can further ensure the security of the passwords deployed within your organization.

What is a password dictionary?

Definition of a password dictionary

A password dictionary, also known as a password list, compiles a set of passwords, usually hacked or obtained through security breaches.

These dictionaries are doubly useful.

Firstly, they are useful to hackers using dictionary attacks. Indeed, following account hacks, such as the one carried out on LinkedIn in 2012 (which saw the information of 100 million users stolen), hackers often make the data obtained available on the Internet, notably by selling it on the dark web.

But the good news is that the contents of these password lists also benefit individuals and companies: thanks to them, they are able to check whether their passwords are included.

For example, CIOs and security managers can use them to simulate dictionary attacks, and thus check the vulnerability of passwords used by employees. In fact, NIST, the American equivalent of ANSSI, includes this type of verification in its recommendations.

Dictionary attacks

To better understand how password lists can help you, let's take a look at the concept of dictionary attacks.

Dictionary attacks are among the most widespread cyberattacks, along with brute-force attacks and phishing attempts.

They involve testing a series of potential words, one after the other, using a given dictionary, until the right one is found.

To do this, hackers use:

  • previously disclosed password lists,
  • terms contained in the most common dictionaries,
  • variations:
    • frequently used character combinations (abc123),
    • passwords modified using leet speak, a method of using characters that are visually close to the initial characters ("MOTDEPASSE" becomes "M07D3P4553"),
    • repetitions (passwordpassword),
    • words that include the name of the target organization or a similar denomination, etc.
  • other types of lists, such as:
    • dates of birth or famous events,
    • surnames,
    • license plates, etc.

☝️ If this type of attack works, it's because many Internet users remain careless and continue to use common terms or character strings to construct their passwords, in particular:

  • proper nouns (first name, town, country, etc.),
  • common nouns (animal, adjective, etc.),
  • logical number sequences (123 456), etc.

Where can I download password dictionaries?

Are you a CIO looking for access to those famous password dictionaries to test your company's security?

There are lots of them out there, so let's take a look at the main ones.

The CrackStation password dictionary

The CrackStation password list was published by the famous hacker Stun... and contains no less than 1,493,677,782 words!

This free password dictionary, available as a torrent, is so comprehensive that it has been compiled from a variety of sources:

  • dictionary entries,
  • lists of passwords from recent hacks, found on the Internet,
  • terms from Wikipedia databases (in all languages),
  • words from books in Project Gutenberg, an electronic library of mainly public domain works.

Project Richelieu

The Richelieu project has produced a free password dictionary, distributed on GitHub under a Creative Commons Attribution license.

It provides a list of the 20,000 most frequently used French passwords in recent years, derived from data leaks and associated with e-mail addresses with a ".fr" domain name.

The Kali Linux password dictionary

Kali Linux is an open source solution that brings together a number of tools for computer security, including penetration testing.

Among them is Crunch, which generates password dictionaries for running dictionary-attack tests.

💡 Also note that the Kali Linux environment gives access to Hydra, a password-cracking tool that can simulate dictionary attacks as well as brute-force attacks.

Specops Password Policy software

Specops Password Policy software helps Active Directory organizations manage their password policies.

To enable organizations to protect themselves against dictionary attacks, the solution includes a password filtering system based on a dictionary containing several billion entries from major attacks:

  • the Collection #1-5 leak,
  • the Have I Been Pwned list compiled by security expert Troy Hunt, etc.

In this way, if an employee chooses a password that appears in this list, the software warns them and asks them to pick a more secure one.
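As an added example (not code from the article or from any of the products it names), here is a small Python password filter in the spirit of the check described above: before looking a candidate up in a blocklist, it undoes the cheap variations listed under "Dictionary attacks" (case, leet speak, digit or symbol suffixes, repetition) and also rejects passwords containing the organization's name. The blocklist, the organization names and the length threshold are constructed values; in practice the blocklist would be loaded from a leaked-password list such as those the article describes.

```python
import re

# Constructed sample blocklist standing in for a leaked-password dictionary.
BLOCKLIST = {"password", "motdepasse", "123456", "qwerty", "letmein", "azerty"}

# Constructed organization names that must not appear inside a password.
ORG_NAMES = {"acmecorp", "acme"}

# Reverse leet-speak substitutions, so "M07D3P4553" normalizes to "motdepasse".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def load_blocklist(path: str) -> set[str]:
    """Read a one-password-per-line list (the format most leaked lists use)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.rstrip("\n").lower() for line in fh if line.strip()}


def variants(candidate: str) -> set[str]:
    """Forms an attacker's rule set would also try, derived from the candidate."""
    raw = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", raw)        # "letmein2024!" -> "letmein"
    forms = {raw, stripped, raw.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    for form in list(forms):
        half = len(form) // 2
        if half and form[:half] == form[half:]:    # "passwordpassword" -> "password"
            forms.add(form[:half])
    forms.discard("")
    return forms


def check_password(candidate: str, min_length: int = 12,
                   blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    min_length defaults to the upper end of the article's 8-12 character range."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = variants(candidate)
    if forms & blocklist:
        problems.append("matches a leaked or common password")
    if any(org in form for form in forms for org in ORG_NAMES):
        problems.append("contains the organization name")
    return problems


if __name__ == "__main__":
    for pw in ["M07D3P4553", "passwordpassword", "Summer@AcmeCorp2024", "correct-horse-battery-staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```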

Our tips for protection against dictionary attacks

Beyond the use of password lists, good protection against dictionary attacks requires the adoption of basic security behaviors, such as those recommended by ANSSI.

Adopting good password practices

First and foremost, you need to increase the complexity of your passwords, which protects you fully against dictionary attacks and substantially against brute-force attacks.

The ideal password is composed as follows:

  • between 8 and 12 characters (more if possible),
  • include a combination of special characters, upper case letters, lower case letters and numbers.

And of course, as you've already guessed, it can't refer to anything that already exists. This is the case with words in the dictionary, or "logical" sequences such as dates of famous events.

Finally, there are a number of other good practices to be observed:

  • renew your password regularly (every 90 days, according to ANSSI),
  • do not use the same password for several accounts,
  • limit the number of authorized login attempts, to three for example.

Salt your passwords

Passwords are often stored in hashed form, so that they are not stored in clear text in applications.

The problem is that hackers have precomputed lookup tables, known as rainbow tables, capable of reversing these hashes when the same password always produces the same hash.

This is where password salting comes into play: a random value, the salt, is added to each password before it is hashed, so that identical passwords no longer share a hash and precomputed rainbow tables become far less effective.

Using a password manager

Let's face it, it's often difficult to generate memorable passwords that are both complex and unique.

That's why we recommend using a password manager. With this type of software, all you need to do is memorize a master password to log in to your various accounts with complete security.

By now you're familiar with the usefulness of password dictionaries. Now it's up to you to make good use of them and observe all the basic IT security rules to protect your company as effectively as possible from cyber-attacks.

Article translated from French