An attack based on lists and persistence.
One of the terms that comes up frequently in discussions about security and particularly password security is dictionary attack.
On the surface, it’s very simple, but it has implications on more than just passwords and more than just signing in.
It even applies to spam.
Dictionary attacks try everything in a pre-defined list of words, discovered passwords, or more. It can be a quick attack against an offline copy of a stolen password database, or a slow persistent attack against some user interface. Dictionary attacks also apply to things like spam, where lists of common usernames are used as spam targets.
When we think of a dictionary, we typically think of a book (or now a website) that lists words and their definitions.
In the realm of online security, we only need half of that: the list of words.
But in this context, dictionary applies to more than just a list of words. It can include:
- A list of common passwords
- A list of previously discovered passwords
- A list of common first names
- A list of… well, just about anything
The key is that a dictionary is just a pre-compiled list of strings that might have applicability to whatever hack is being attempted.
The attack that follows is very simple: try everything in the dictionary.
Most online systems block or delay you if you enter your password too many times. While dictionary attacks can occasionally be used here — perhaps trying the three most common known passwords in turn[1] — that’s inefficient and labor intensive.
Instead, dictionary attacks take either of two approaches: offline or persistent.
Offline attacks are just that: attacks that operate on an offline copy of a password database stolen from a service that has been hacked. The attacker tries all possible passwords, or a massive database of previously discovered passwords, at exceptionally high speed, and can often discover the password for a large number of the accounts in the database.
Persistent attacks are just that: persistent, but slow. They might make one attempt every minute (1440 attempts per day), but be ready to keep that up doggedly for year after year.[2] They can often bypass login delays by changing the username being attempted or by distributing the attack across a network of bots. Since it’s all automated and often running on compromised machines, it costs the attacker nothing. If it comes up with even a few compromised accounts in a year, it’s a win for them.
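The two evasions just described (cycling usernames so no single account locks out, and spreading attempts across many source addresses so no single address trips a throttle) leave a recognizable shape in an authentication log. The script below is an added example, not code from the Ask Leo! article; the log line format, the sample addresses and the thresholds are all assumptions constructed for illustration.

```python
"""Flag slow, persistent login-failure patterns in an authentication log.

Added example, not from the Ask Leo! article. The log format
("<ISO timestamp> <source ip> <username> <OK|FAIL>"), the addresses and the
thresholds are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source cycling through many usernames at a
# steady one attempt per minute, one normal user who mistyped once, and one
# account ("admin") being tried from several different sources.
SAMPLE_LOG = """\
2024-03-01T00:00:00 203.0.113.7 alice FAIL
2024-03-01T00:01:00 203.0.113.7 bob FAIL
2024-03-01T00:02:00 203.0.113.7 carol FAIL
2024-03-01T00:03:00 203.0.113.7 dave FAIL
2024-03-01T00:04:00 203.0.113.7 erin FAIL
2024-03-01T00:05:00 203.0.113.7 frank FAIL
2024-03-01T00:00:30 198.51.100.2 alice FAIL
2024-03-01T00:00:35 198.51.100.2 alice OK
2024-03-01T00:02:10 198.51.100.9 admin FAIL
2024-03-01T00:02:40 198.51.100.10 admin FAIL
2024-03-01T00:03:10 198.51.100.11 admin FAIL
2024-03-01T00:03:40 198.51.100.12 admin FAIL
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def username_cycling_sources(events, min_failures=5, min_distinct_users=4):
    """Sources with many failures spread over many accounts.

    Per-account lockouts never fire because each account sees only one
    attempt, so the signal has to be aggregated per source instead.
    """
    per_ip = defaultdict(list)
    for _ts, ip, user, result in events:
        if result == "FAIL":
            per_ip[ip].append(user)
    return sorted(ip for ip, users in per_ip.items()
                  if len(users) >= min_failures and len(set(users)) >= min_distinct_users)


def distributed_targets(events, min_sources=3):
    """Accounts failing from many different sources.

    Per-address throttling never fires because each address tries only once,
    so the signal has to be aggregated per account instead.
    """
    per_user = defaultdict(set)
    for _ts, ip, user, result in events:
        if result == "FAIL":
            per_user[user].add(ip)
    return sorted(user for user, ips in per_user.items() if len(ips) >= min_sources)


def mean_interval_seconds(events, ip):
    """Average gap between failed attempts from one source, or None if fewer than two.

    A low, steady value (e.g. 60.0) is the "one attempt every minute" pattern:
    far below anything a simple rate limit would notice, but relentless.
    """
    times = sorted(ts for ts, src, _user, result in events if src == ip and result == "FAIL")
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src in username_cycling_sources(evs):
        print(f"{src}: cycling usernames, one failure every "
              f"{mean_interval_seconds(evs, src):.0f}s")
    for account in distributed_targets(evs):
        print(f"{account}: targeted from multiple sources")
```

Both detections work only because they aggregate along the axis the attacker is not varying; a rule that looks at one account or one address at a time sees nothing unusual in either pattern.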
More than passwords
I mentioned spam, and one possible dictionary being a list of common first names.
Many spam sources don’t even have a list of known email addresses. They just perform a dictionary attack using common names as email addresses on popular email services. For example, they might send spam to “firstname.lastname@example.org”, and “email@example.com”, and “firstname.lastname@example.org”, and “andy” and “bob” and so on and so on, regardless of whether those emails are valid.
Since first-name email addresses are considered valuable, easy to remember, and in some cases even cool, it’s very likely that this form of dictionary attack will be successful at finding a working account more often than not.
It’s still a dictionary attack, just on a different interface, trying to reach your inbox rather than gain access to your account.
CAPTCHA is one result
Be it signing in or just leaving a comment on a website, persistent dictionary attacks are the bane of any online service. I run into it in various forms here on Ask Leo!.
It’s one reason I had to resort to using CAPTCHAs — “prove you’re human” tests[3] — on some of the places my site was getting abused.
Remember, every site you visit is experiencing this. Every site is trying to distinguish your valid attempt at signing in from the constant and persistent attacks it’s experiencing.
So, what does this all mean for you?
First, don’t use passwords that would appear in a language dictionary. Even one or two dictionary words combined could be discovered in a dictionary attack. If you use a passphrase, length matters: use four or more words to be secure.
Don’t use passwords that would appear in any other kind of dictionary. If your password has been discovered anywhere even once, then it’s possibly included in someone’s dictionary of discovered passwords.
Long passwords of random characters are best, making sure to use a different password for every site.
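The three rules above (no language-dictionary words, nothing from a list of discovered passwords, otherwise long and random) can be applied mechanically when a password is chosen. The checker below is an added example, not code from the Ask Leo! article; its word lists are tiny constructed stand-ins for the real lists a service would use, and the 12-character minimum for random passwords is an assumption, since the article says only “long”.

```python
"""Check a candidate password against the kinds of "dictionary" the article lists.

Added example, not from the Ask Leo! article. The word lists are tiny
constructed stand-ins; MIN_RANDOM_LENGTH is an assumption for illustration.
"""
import re

# Constructed stand-ins for real lists: a language dictionary, a list of
# previously discovered passwords, and a list of common first names.
LANGUAGE_WORDS = {"correct", "horse", "battery", "staple", "sunshine",
                  "dragon", "monkey", "password", "summer", "winter"}
LEAKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon",
                    "sunshine2020", "monkey123"}
COMMON_NAMES = {"andy", "bob", "alice"}
MIN_RANDOM_LENGTH = 12  # assumption: the article says only "long"


def normalize(pw):
    """Lowercase and drop digits/symbols: the trivial decorations ("Horse1!")
    that a dictionary attack's mangling rules undo first."""
    return re.sub(r"[^a-z]", "", pw.lower())


def splits_into_words(core, words, max_words=2):
    """True if `core` is one word, or two words concatenated, from `words`.

    "horsebattery" -> True; "correcthorsebatterystaple" -> False (four words),
    which is why the article's passphrase rule asks for four or more.
    """
    if not core:
        return False
    if core in words:
        return True
    if max_words <= 1:
        return False
    for i in range(1, len(core)):
        if core[:i] in words and splits_into_words(core[i:], words, max_words - 1):
            return True
    return False


def check_password(pw):
    """Return the reasons a password is weak against dictionary attacks; [] means it passed."""
    reasons = []
    if pw.lower() in LEAKED_PASSWORDS:
        reasons.append("previously discovered password")
    if len(pw.split()) >= 4:
        # A passphrase of four or more words is long enough by the article's rule.
        return reasons
    core = normalize(pw)
    if core in COMMON_NAMES:
        reasons.append("common first name")
    elif splits_into_words(core, LANGUAGE_WORDS):
        reasons.append("one or two dictionary words")
    if len(pw) < MIN_RANDOM_LENGTH:
        reasons.append("shorter than %d characters" % MIN_RANDOM_LENGTH)
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "HorseBattery!", "correct horse battery staple",
                      "Tq7#vL9mX2pQ"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The lookup against the leaked list is done on the raw string as well as the stripped core: “sunshine2020” is rejected both because it has been seen before and because it is a dictionary word with a year bolted on, and the latter check is what catches the variants the leaked list does not yet contain.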
And finally, have a little patience with the sites and services throwing CAPTCHAs or other security measures at you. They’re under constant attack and are trying to keep themselves and you as secure as possible.
Footnotes & References
[1] Which will still be successful a depressingly high number of times.
[2] It can be fascinating to watch. I’ve seen it happening in real time in my server logs: a slow but persistent attempt to sign in over and over and over again, 24 hours a day, seven days a week. (And every server on the planet is under this kind of constant attack.)
[3] There’s now proof-of-concept AI that can decipher some CAPTCHAs, so I’m not sure where this is headed long term.