Cracking Dictionary Explained


What is a cracking dictionary?

A cracking dictionary is a massive list of expected passwords used to quickly crack or guess actual passwords.


Why are cracking dictionaries effective?

Cracking dictionaries work because people make predictable passwords choices. They use common words and character patterns. It’s not necessary to every possible character combination. The cracking dictionary needs only to include the character combinations people actually choose.


How are cracking dictionaries created?

A cracking dictionary’s entries will include both leaked passwords and wordlists with common character variations. Leaked passwords are effective because people reuse the same passwords. Cracking dictionaries will also include other possible passwords. A large cracking dictionary might start with every word in every language from Wikipedia. Various rules are then applied to append, prepend and substitute characters. Cracking dictionaries can be easily found on the Internet and Dark Web. They are often built upon and shared, evolving over time so it is important to account for this in organizational defenses.


How can cracking dictionaries crack hashed passwords?

A hash is a one-way mathematical operation that is theoretically impossible to reverse to clear text. However, with a cracking dictionary you can reveal passwords from even complicated hashes. This is done by calculating the hash for each entry in the database. Then any target hashes can be looked up to reveal the original passwords. The original password only needs to be in the cracking dictionary for hash to be cracked. A good cracking dictionary can reveal as much as 80% of password hashes.


How to protect against cracking dictionaries?

Passwords that aren’t in a cracking dictionary are much harder to crack. Preventing users from selecting common passwords is your best defense against cracking dictionaries. Enzoic for Active Directory offers a solution to screen passwords against the latest cracking dictionaries.