Password Dictionary vs. Cracking Dictionary

Defining the Two Terms

What is the difference between a cracking dictionary and a password dictionary?

A password dictionary is a compilation of known cleartext passwords—real credentials exposed in breaches or password dumps. In contrast, a cracking dictionary is broader and more powerful. It may include dictionary words, common passwords, auto-generated variations, and even previously hashed passwords that were later cracked due to weak hashing algorithms.

For example, if we know that “strawberry” is a common password, a cracking dictionary might generate entries for “strawberry1” through “strawberry99” to speed up guessing attempts.

What Makes Cracking Dictionaries So Effective?

They work because people make predictable password choices. They use common words and character patterns. It’s not necessary to consider every possible character combination. The dictionary needs only to include the character combinations people actually choose.

How are Password and Cracking Dictionaries Created?

Password dictionaries often start with leaked passwords from previous breaches. Leaked passwords are effective because people reuse the same passwords. Cracking dictionaries build on that data with:

  • Dictionary wordlists (often scraped from sources like Wikipedia)
  • Common passwords and their variations
  • Prepending, appending, or substituting characters based on common user behavior

These dictionaries can be easily found online and on the dark web, and they’re often expanded over time as new data is leaked. Because they evolve continuously, organizations must regularly adapt their defenses.

Can Cracking Dictionaries Break Hashed Passwords?

Yes. A hash is a one-way mathematical operation that is theoretically impossible to reverse to cleartext. However, with a cracking dictionary, you can reveal passwords from even complicated hashes.

  • This is done by calculating the hash for each entry in the dictionary.
  • Then any target hashes can be looked up to reveal the original passwords.
  • The original password only needs to be in the dictionary for the hash to be cracked.

Did you know a good cracking dictionary can reveal as much as 80% of password hashes?

Protecting Your Organization from Password Dictionary Attacks

Passwords that aren’t in a cracking dictionary are much harder to crack. Preventing users from selecting common passwords is your best defense. Enzoic for Active Directory offers a solution to screen passwords against the latest dictionaries being used today, preventing users from selecting passwords that attackers already know.
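The check below is an added example of screening a new password at set or change time; it is not Enzoic's code or part of the original article. It undoes the variations described above (prepended or appended digits and symbols, character substitutions) and compares what is left against a blocklist. The blocklist entries, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample blocklist. A real deployment would load a maintained
# list of breached and common passwords instead.
BLOCKLIST = {"strawberry", "password", "letmein", "qwerty"}

# Common character substitutions mapped back to the letter they replace.
# Assumption: one letter per symbol ("1" is treated as "i", never "l").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and symbols that users prepend or append to a base word.
AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def candidate_roots(password):
    """Return the base words a password reduces to once affixes and
    substitutions are undone, in every order that matters."""
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    stripped = AFFIX.sub("", lowered)
    roots = {
        lowered,                  # exact match, case-insensitive
        unleeted,                 # "$tr4wb3rry" -> "strawberry"
        stripped,                 # "2024strawberry!" -> "strawberry"
        AFFIX.sub("", unleeted),  # substitutions undone, then affixes
        stripped.translate(LEET), # "p@ssw0rd!" -> "p@ssw0rd" -> "password"
    }
    roots.discard("")
    return roots


def matched_base_word(password, blocklist=BLOCKLIST):
    """Return the blocklisted word the password is derived from, or None
    if no reduced form appears in the blocklist."""
    hits = candidate_roots(password) & set(blocklist)
    return min(hits) if hits else None


if __name__ == "__main__":
    for pw in ["strawberry42", "P@ssw0rd!", "2024Strawberry!",
               "correct horse battery staple"]:
        base = matched_base_word(pw)
        print(f"{pw!r}: {'reject, derived from ' + base if base else 'accept'}")
```

A password that passes this check is only known to be absent from this blocklist and these variation rules, so the list has to be refreshed as new breach data appears.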

 

 
