Cracking dictionaries are software programs that compile lists of unique words, common passwords, and iterations of common passwords. These words are collected from public domain files from multiple sources and in various formats. With cracking dictionaries, hackers narrow the universe of possible passwords to try. Instead of a brute force attack that tries every possible character combination, the hacker can try the passwords that are most likely to work.
How do cracking dictionaries work?
User passwords are a critical layer of authentication security intended to protect user data and preserve confidentiality. The effectiveness of passwords is somewhat undermined by users’ tendency to base their passwords on words with personal meaning and then make simple variations. Most users create passwords that associate with something they appreciate – a child’s birthday, a pet’s name, a favorite sports team, etc. The reason for this is rooted in human psychology. According to psychologists, most people can accurately recall only five to nine random bits of information at any given time and they therefore rely on things that they are most likely to remember when creating passwords. Studies show that half of the passwords people use are often related to their family, including names, nicknames, birthdays, pets, etc. Other users rely upon common words or variations on common words. Frequently, these users have unintentionally made their preferences public, primarily through social media.
Hackers are well aware of user password tendencies. Further, the increase of data breaches and leaks across industries gives hackers an opportunity to collect a list of exposed usernames and passwords. These compromised credentials are then used on other sites since hackers know that most people reuse passwords, or variations on their passwords, across different sites. All of these factors drive hackers to use cracking dictionaries.
How are cracking dictionaries used?
These dictionaries are typically used in password attacks, especially offline dictionary attacks. A dictionary attack is a method of recovering passwords from their hashes: each candidate string in a prepared list is hashed and the result is compared with the stored hash. In other words, it systematically tries every word in a dictionary, along with previously compromised passwords, with the goal of finding the candidate that produces a match.
How to prevent password cracking?
Preventing passwords from being cracked by malicious actors is a key line of defense. Here are two ways organizations and users can reduce the risks of password cracking.
(1) Password policies
Password policies are a front line of defense. They are typically a set of rules intended to improve security by motivating or compelling users to create and maintain dependable, safe passwords. Password policies govern password lifecycle events, such as authentication, periodic resets, and expiration. Although some password policies are advisory and outline best practices for users, most sites require users to adhere to the policy using programmatic rules. User frustration can arise if users are required to spend time attempting to create passwords that meet unfamiliar criteria. Having a password policy can help mitigate user frustration by providing guidelines and certainty. The following are examples of password policies:
- Requiring longer passwords. Longer passwords and passphrases have been shown to substantially improve security. However, it’s still essential to avoid longer passwords that have been previously compromised or regularly appear in cracking dictionaries.
- Do not use personal details. This password policy encourages users to create passwords with no link to the user’s personal information. As explained earlier, most users build passwords using personal details, such as hobbies, nicknames, names of pets or family members, etc. If a hacker has access to personal details about a particular user (such as through social media), they will try password combinations using this information. At a minimum, passwords should be screened to make sure they don’t include basic information like the user’s name or login information.
- Use different passwords for different accounts. Password policies should require users to put security ahead of convenience and disallow using the same password for all of their accounts. Individual users – even those who work in the same department or use the same equipment – should each have distinct passwords rather than sharing one.
- Adopt passphrases as a standard. Some password policies require users to create a passphrase as opposed to a password. While passphrases serve the same purpose, they are usually harder to crack due to their length. An effective passphrase should include numbers and symbols as well as letters. Users may remember passphrases more easily than passwords.
- Discourage sharing. Password policies should specify that passwords are meant to be personal and should not be shared between users.
- Use a second factor. Another password policy is the adoption of two-factor authentication (2FA). 2FA requires a user to present two pieces of evidence before they can log in, typically a password plus a temporary code delivered to a cellphone, an email address, or another channel.
(2) Password screening
One of the best ways to prevent dictionary attacks is to screen new passwords against known cracking dictionaries and lists of compromised passwords. Compromised-password screening services collect breached credential data from internet and Dark Web sources and then determine whether the password a user is trying to create has already been exposed. Password screening tools work by checking a partial hash of the username and password at login, password setup, and reset. Such screening also benefits consumer sites and e-commerce companies by detecting and blocking fraudsters who log in with previously compromised credentials.
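The screening steps described above (the personal-details policy check and the partial-hash lookup against a compromised-password list) can be combined into one enrollment-time check. The following is an added example written for this page, not code from any screening vendor or from the article itself. It assumes a constructed, in-memory list of compromised passwords standing in for a real breach corpus, and it keys the lookup on the first five hex characters of a SHA-1 hash so that the comparison happens on a prefix bucket rather than on the full hash, in the spirit of the partial-hash lookup the text mentions; the function names, the 12-character minimum and the sample credentials are all assumptions for illustration.

```python
import hashlib

# Constructed sample of compromised passwords. In practice this would be a
# breach corpus or cracking dictionary with millions of entries.
COMPROMISED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "Password1", "fluffy2010",
]


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1 of a string (the usual key for breach corpora)."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Index hashes by their 5-character prefix, so a client only needs to
    reveal that prefix; the full-hash comparison happens on the suffix set."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_lookup(index, prefix: str):
    """Return every hash suffix whose hash starts with `prefix` (may be empty)."""
    return index.get(prefix, set())


def is_compromised(index, candidate: str) -> bool:
    """Partial-hash check: fetch the bucket for the prefix, match the suffix locally."""
    digest = sha1_hex(candidate)
    return digest[5:] in range_lookup(index, digest[:5])


def screen_password(index, username: str, candidate: str,
                    personal_terms=(), min_length: int = 12):
    """Return a list of policy problems; an empty list means the password passes.

    Checks, in order: minimum length, inclusion of the login name (or the local
    part of an e-mail login), inclusion of known personal details, and presence
    in the compromised-password index.
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    uname = username.lower()
    local_part = uname.split("@")[0]
    if uname in lowered or (len(local_part) >= 3 and local_part in lowered):
        problems.append("contains the username")

    # Personal details (pet names, family names, etc.) that the user or the
    # organization has supplied; very short terms are skipped to avoid noise.
    for term in personal_terms:
        term_l = term.lower()
        if len(term_l) >= 3 and term_l in lowered:
            problems.append(f"contains personal detail '{term}'")
            break

    if is_compromised(index, candidate):
        problems.append("appears in compromised-password list")

    return problems


if __name__ == "__main__":
    idx = build_prefix_index(COMPROMISED_PASSWORDS)
    for user, pw in [("alice@example.com", "alice2024!"),
                     ("bob", "fluffy2010"),
                     ("carol", "Tangerine-Lamp-Violin-42")]:
        print(user, "->", screen_password(idx, user, pw, personal_terms=["Fluffy"]) or "OK")
```

The order of checks matters for the user experience: cheap local rules (length, username, personal details) run first and the breach lookup, which in a deployment would be a network call, runs last. Because only the five-character prefix leaves the client, the screening service never learns which exact password was tested, only which bucket it falls into.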