What is it?
A cracking dictionary is a massive list of expected passwords used to quickly crack or guess actual passwords.
Are they effective?
Yes. They work because people make predictable passwords choices. They use common words and character patterns. It’s not necessary to every possible character combination. The dictionary needs only to include the character combinations people actually choose.
How are they created?
Entries will include both leaked passwords and wordlists with common character variations. Leaked passwords are effective because people reuse the same passwords. They will also include other possible passwords. A large dictionary might start with every word in every language from Wikipedia. Various rules are then applied to append, prepend and substitute characters. Cracking dictionaries can be easily found on the Internet and Dark Web. They are often built upon and shared, evolving over time so it is important to account for this in organizational defenses.
How can they crack hashed passwords?
A hash is a one-way mathematical operation that is theoretically impossible to reverse to clear text. However, with a cracking dictionary you can reveal passwords from even complicated hashes. This is done by calculating the hash for each entry in the database. Then any target hashes can be looked up to reveal the original passwords. The original password only needs to be in the dictionary for hash to be cracked. Did you know a good cracking dictionary can reveal as much as 80% of password hashes.
How to protect your organization against them
Passwords that aren’t in a cracking dictionary are much harder to crack. Preventing users from selecting common passwords is your best defense. Enzoic for Active Directory offers a solution to screen passwords against the latest dictionaries being used today.