What is the difference between a cracking dictionary and a password dictionary?
A password dictionary is a compilation of known cleartext passwords—real credentials exposed in breaches or password dumps. In contrast, a cracking dictionary is broader and more powerful. It may include dictionary words, common passwords, auto-generated variations, and even previously hashed passwords that were later cracked due to weak hashing algorithms.
For example, if we know that “strawberry” is a common password, a cracking dictionary might generate entries for “strawberry1” through “strawberry99” to speed up guessing attempts.
They work because people make predictable password choices. They use common words and character patterns. It’s not necessary to consider every possible character combination. The dictionary needs only to include the character combinations people actually choose.
Password dictionaries often start with leaked passwords from previous breaches. Leaked passwords are effective because people reuse the same passwords. Cracking dictionaries build on that data with:
These dictionaries can be easily found online and on the dark web, and they’re often expanded over time as new data is leaked. Because they evolve continuously, organizations must regularly adapt their defenses.
Yes. A hash is a one-way mathematical operation that is theoretically impossible to reverse to cleartext. However, with a cracking dictionary, you can reveal passwords from even complicated hashes.
Did you know a good cracking dictionary can reveal as much as 80% of password hashes?
Passwords that aren’t in a cracking dictionary are much harder to crack. Preventing users from selecting common passwords is your best defense. Enzoic for Active Directory offers a solution to screen passwords against the latest dictionaries being used today, preventing users from selecting passwords that attackers already know.
Read more: