Dictionary attack: what if a password dictionary was the solution?
Did you know that there are password dictionaries freely available on the Internet?
While this may seem frightening at first sight, as it means that hackers can use them, there are also benefits for businesses!
How can they do this?
In this article, we take a closer look at the concept of password lists, and explain how you can use them to protect yourself against dictionary attacks. We'll also give you a few tips on how to make the passwords you use within your organisation even more secure.
What is a password dictionary?
Definition of a password dictionary
A password dictionary, also known as a password list or wordlist, is a collection of passwords, usually recovered from data breaches or cracked from leaked password hashes.
These dictionaries serve two purposes.
Firstly, they are useful to hackers carrying out dictionary attacks. Following account hacks, such as the one carried out on LinkedIn in 2012 (initially reported as 6.5 million password hashes and later found to have exposed well over 100 million accounts), hackers often make the data obtained available on the Internet, in particular by selling it on the dark web.
But the good news is that the contents of these password lists are also of benefit to individuals and businesses: thanks to them, they are able to check whether their passwords are included.
For example, CIOs and security managers in organisations can use them to simulate dictionary attacks, thereby checking how vulnerable the passwords used by their staff really are. In fact, NIST, the American equivalent of ANSSI, includes this type of verification in its recommendations: its Digital Identity Guidelines (SP 800-63B) ask that new passwords be checked against lists of previously breached passwords and rejected if they appear there.
Dictionary attacks
To better understand how password lists can help you, we need to look at the concept of dictionary attacks.
Dictionary attacks are one of the most common cyber attacks, along with brute force attacks and phishing attempts.
They consist of testing a series of likely candidates, one after the other, from a given dictionary, until the right one is found. Unlike a pure brute force attack, which enumerates every possible combination of characters, a dictionary attack only tries the candidates people are actually likely to have chosen, which is why it is so much faster.
To do this, hackers use:
- lists of passwords that have already been disclosed,
- terms contained in the most common dictionaries,
- variations:
  - frequently used combinations of characters (abc123),
  - passwords modified using leet speak, a method consisting of replacing characters with visually similar ones ("MOTDEPASSE", French for PASSWORD, becomes "M07D3P4553"),
  - repetitions (passwordpassword),
  - words including the name of the target organisation or a similar designation, etc.
- other types of lists such as:
  - dates of birth or dates of famous events,
  - surnames,
  - number plates, etc.
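To make the variations above concrete, here is an added example (written for this article, not code from any tool mentioned on the page) that expands a handful of seed words with the same mangling rules an attacker's wordlist generator applies: leet-speak substitution, repetition, the organisation name, case changes and common suffixes. The seed words, the organisation name "acme" and the suffix list are constructed for illustration; a real attacker would start from a breach list of millions of entries.

```python
"""Expand seed words into the variants a dictionary attack would try.

Added example for this article; not code from CrackStation, Crunch or any
other tool named on the page. Seed words, suffixes and the organisation
name are constructed for illustration.
"""

# Leet-speak table: visually similar digits for common letters, both cases,
# so that "MOTDEPASSE" -> "M07D3P4553" as in the text.
_LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
LEET = str.maketrans({**_LEET_MAP, **{k.upper(): v for k, v in _LEET_MAP.items()}})

# Constructed list of suffixes people commonly append to a base word.
COMMON_SUFFIXES = ["", "1", "123", "!", "2024", "abc123"]


def leet(word: str) -> str:
    """Apply the leet-speak substitution to every mapped character."""
    return word.translate(LEET)


def case_variants(word: str):
    """Yield the three capitalisations attackers try first."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def mangle(word: str, org: str = "") -> set[str]:
    """Return every variant of one seed word: plain, leet, repeated,
    combined with the organisation name, in three cases, with each suffix."""
    bases = {word, leet(word), word + word}          # plain, leet speak, repetition
    if org:
        bases |= {org + word, word + org}             # organisation name + word
    variants = set()
    for base in bases:
        for cased in case_variants(base):
            for suffix in COMMON_SUFFIXES:
                variants.add(cased + suffix)
    return variants


def build_wordlist(seeds, org: str = "") -> list[str]:
    """Expand every seed word and return a sorted, de-duplicated wordlist."""
    words: set[str] = set()
    for seed in seeds:
        words |= mangle(seed, org)
    return sorted(words)


if __name__ == "__main__":
    seeds = ["password", "summer", "paris"]           # constructed seed list
    wordlist = build_wordlist(seeds, org="acme")      # "acme" is a hypothetical target
    print(f"{len(wordlist)} candidates from {len(seeds)} seeds, e.g.:")
    for candidate in wordlist[:8]:
        print("  ", candidate)
```

Three seed words already produce several hundred candidates; this is why a password built from a dictionary word plus a digit or a "!" offers no real protection, even though it satisfies most complexity rules.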
☝️ If this type of attack works, it's because many Internet users remain careless and continue to use common terms or character strings to construct their passwords, in particular :
- proper nouns (first name, town, country, etc.),
- common nouns (animal, adjective, etc.),
- logical sequences of numbers (123 456), etc.
Where can I download password dictionaries?
Are you a CIO looking for access to those famous password dictionaries to test your company's security?
There are lots of them out there, so let's take a look at the main ones.
The CrackStation password dictionary
The CrackStation password list was published by the famous hacker Stun... and it contains no fewer than 1,493,677,782 entries!
The reason this free password dictionary, distributed as a torrent, is so comprehensive is that it has been compiled from a variety of sources:
- words from standard dictionaries and existing wordlists,
- lists of passwords from recent hacks, found on the Internet,
- terms from Wikipedia databases (in all languages),
- words from books in Project Gutenberg, an electronic library of mainly public domain works.
Project Richelieu
The Richelieu project has produced a free password dictionary, distributed on GitHub under a Creative Commons Attribution licence.
It provides a list of the 20,000 most frequently used French passwords in recent years, derived from data leaks and associated with email addresses with a ".fr" domain name.
The Kali Linux password dictionary
Kali Linux is an open source, Debian-based Linux distribution that brings together a large number of IT security tools, used in particular to carry out penetration tests.
Among them is Crunch, which generates password dictionaries from a character set and a pattern (for example every string of a given length built from chosen characters) so that dictionary attack tests can be run against them.
💡 Note also that the Kali Linux environment includes Hydra, a tool that tries wordlists against network login services (SSH, FTP, web forms, etc.) and can therefore simulate online dictionary attacks as well as brute force attacks.
Specops Password Policy software
Specops Password Policy software helps companies using Active Directory to manage their password policy.
To enable organisations to protect themselves against dictionary attacks, the solution includes a password filtering system based on a dictionary containing several billion entries from major leaks:
- the Collection #1-5 leak,
- the Pwned Passwords list from Have I Been Pwned, compiled by security expert Troy Hunt, etc.
This way, if an employee chooses a password that appears in this list, the software rejects it and asks them to choose a more secure option.
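The checks described above, both the "is my password in a leak?" verification and the password filter that rejects leaked choices, can be done without ever sending the password itself to the service that holds the breach list. Have I Been Pwned's Pwned Passwords API does this with a k-anonymity range query: the client sends only the first 5 hex characters of the SHA-1 hash, the server returns every hash suffix starting with that prefix, and the client compares locally. The following added example (written for this article, not Specops or HIBP code) implements both sides of that exchange offline over a constructed breach list; in reality the list has billions of entries and a 5-character prefix matches several hundred suffixes.

```python
"""Breach-list password check using SHA-1 prefix range queries (k-anonymity).

Added example for this article; not code from Specops Password Policy or
Have I Been Pwned. LEAKED is a constructed stand-in for a breach list.
"""
import hashlib
from collections import defaultdict

# Constructed breach list: password -> number of times seen in leaks.
LEAKED = {
    "123456": 37_000_000,
    "password": 9_500_000,
    "qwerty": 4_000_000,
    "Welcome12345": 800,
    "acme2024": 3,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(leaked: dict) -> dict:
    """Server side: group the 35-character hash suffixes under their 5-character prefix."""
    index: dict = defaultdict(dict)
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


def range_lookup(index: dict, prefix: str) -> dict:
    """Server side: answer a range query. The server learns only the prefix,
    so it cannot tell which of the returned suffixes the client cares about."""
    return dict(index.get(prefix.upper(), {}))


def pwned_count(index: dict, password: str) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_lookup(index, prefix)   # the only thing that crosses the wire
    return candidates.get(suffix, 0)


def password_allowed(index: dict, password: str, min_len: int = 12) -> tuple[bool, str]:
    """Policy filter in the spirit of the one described above: reject passwords
    that are too short or that appear anywhere in the breach data."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = pwned_count(index, password)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    index = build_index(LEAKED)
    for candidate in ["password", "Welcome12345", "xk7#Qm2!vR9pLw"]:
        ok, reason = password_allowed(index, candidate)
        print(f"{candidate!r:20} -> {'allowed' if ok else 'rejected'}: {reason}")
```

The policy rejects a leaked password whatever its length or symbol mix: "Welcome12345" satisfies every classic complexity rule and is still refused because it appears in the breach data, which is exactly the behaviour NIST SP 800-63B asks for.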
Our advice on protecting against dictionary attacks
As well as using password lists, good protection against dictionary attacks involves adopting basic security behaviours, such as those recommended by ANSSI.
Adopting good password practices
First and foremost, you need to make your passwords stronger, so that they cannot be found in any dictionary and are too expensive to recover by brute force. No password is "completely" immune, but a long random one pushes the cost of guessing it beyond what an attacker is willing to spend.
The ideal password is made up as follows:
- at least 12 characters long (longer is better; length does more for you than symbol variety),
- contain a combination of special characters, upper case letters, lower case letters and numbers.
And of course, as you will have realised, it must not be built from anything that already exists: a dictionary word, a word taken from your website, or a "logical" sequence such as the date of a famous event.
Finally, other good practices should be observed:
- renew your password regularly (every 90 days, according to ANSSI); note that NIST SP 800-63B no longer recommends forced periodic changes and instead requires a change whenever a password is known or suspected to be compromised,
- do not use the same password for several accounts, since one leak would otherwise open all of them,
- limit the number of authorised login attempts, to three for example, and lock or throttle the account once the limit is reached; this is what stops online dictionary attacks against a login form.
Salting passwords
In order not to store passwords in clear text in applications, they are stored in hashed form: the application keeps only the output of a one-way hash function and recomputes it at login.
The problem is that if the same password always produces the same hash, attackers can precompute the hashes of a whole dictionary once (rainbow tables are a compact form of such precomputed lookup tables) and then recover every stolen hash by a simple lookup.
This is where password salting comes in: a random value, the salt, unique to each user and stored alongside the hash, is mixed into the password before hashing. The same password now yields a different hash for every user, precomputed tables become useless, and an attacker has to run the dictionary again for each hash. Salting does not slow down the attack on a single hash, so it must be combined with a deliberately slow hash function (Argon2, bcrypt, scrypt or PBKDF2) rather than plain MD5 or SHA-256.
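The following added example (written for this article, not code from any product on the page) shows both sides of that argument: an attacker's precomputed table cracks unsalted SHA-256 hashes with one lookup each, while salted PBKDF2 hashes force a fresh run of the wordlist per user and give two users with the same password different stored values. The wordlist and the "leaked" records are constructed; the iteration count is kept low so the demo runs in a second or two, whereas production PBKDF2-HMAC-SHA256 should use far more (OWASP currently recommends 600,000).

```python
"""Unsalted hashes versus salted, slow hashes against a dictionary attack.

Added example for this article; not code from any tool or product on the
page. WORDLIST and the leaked records are constructed. ITERATIONS is
deliberately low for the demo; production deployments use far more.
"""
import hashlib
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]  # constructed
ITERATIONS = 20_000


def unsalted_hash(password: str) -> str:
    """What a naive application stores: hash of the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precompute_table(wordlist) -> dict:
    """Attacker's one-time work, done before any leak: hash -> password.
    A rainbow table is a space-saving variant of exactly this lookup."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(table: dict, leaked_hashes) -> dict:
    """Every leaked unsalted hash costs one dictionary lookup; the table is reusable."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow hash. PBKDF2 is used because it is in the standard library;
    Argon2 or bcrypt would be the usual production choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str) -> tuple:
    """What a careful application stores: (random per-user salt, salted hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted(records: dict, wordlist) -> tuple:
    """With salts, nothing can be precomputed: the attacker must rehash the whole
    wordlist for each record. Returns (cracked passwords, hash operations spent)."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += 1
            if salted_hash(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    # Constructed leak of unsalted hashes: two weak passwords, one strong one.
    leaked = [unsalted_hash(p) for p in ("qwerty", "dragon", "Tr0ub4dor&3")]
    print("unsalted, cracked by lookup:", crack_unsalted(precompute_table(WORDLIST), leaked))

    records = {"alice": new_record("qwerty"), "bob": new_record("Tr0ub4dor&3")}
    cracked, work = crack_salted(records, WORDLIST)
    print("salted, cracked:", cracked, "after", work, "slow hash computations")
    print("same password, different hashes:",
          new_record("qwerty")[1].hex()[:16], new_record("qwerty")[1].hex()[:16])
```

Salting removes the attacker's precomputation advantage but a weak password is still recovered, as "alice" shows: the slow hash only makes each guess cost more, and the only real defence against a password that sits in a dictionary is not to use it.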
Using a password manager
Let's face it, it's often difficult to come up with memorable passwords that are both complex and unique to each account.
That's why we recommend using a password manager. With this type of software, you only need to memorise one strong master password; the manager generates a long random password for each of your accounts and stores it for you, so no password is ever reused or built from a dictionary word.
You now know the usefulness of password dictionaries. Now it's up to you to make good use of them and observe all the basic IT security rules to protect your company as effectively as possible from cyber attacks.