
You may have noticed in recent news that even big companies like Instagram, Facebook and WhatsApp are subjected to various theft and virus attacks. In the modern age of computers the web can be unsafe, so it’s important to know the various ways in which someone can hack your system; one of them is the dictionary attack. Hackers usually exploit a certain condition of the system, which can be as simple as using an addition operation or as complex as writing a piece of code. Knowing this, the next time you come across such a situation you may be able to prevent the damage. As they say, “Prevention is better than cure”.
What is a Dictionary Attack?
It’s a technique used by hackers to breach the security of a computer, which may be a password-protected machine or a server. This method of hacking is the easiest and the most likely to succeed, because users frequently use ordinary words as passwords. Hackers and spammers take advantage of this and try to guess the password by attempting many common passwords and other passwords that are likely to be used. A dictionary attack makes use of a so-called “dictionary”, which stores common English words, phrases and passwords, each ready to be tried as a key. But if the key is not present in the dictionary, the attack will never find the password.
Example: Suppose Rahul has encrypted his computer with the password “Rubix23”. Neha wants to use a dictionary attack and tries every word in the dictionary; if “Rubix23” is present in the dictionary, Neha will be able to access Rahul’s computer. But if Rahul uses “astvj@#$56” as his password, it is unlikely to be present in the dictionary, and Neha will never be able to get access to Rahul’s computer.
It’s also an e-mail spamming technique in which the spammer sends out thousands or millions of emails to randomly generated addresses, built from combinations of letters added to known domain names, in the hope of reaching a percentage of actual email addresses. For example, a dictionary attack list might begin with david@****.com, david23@***.com, david2@****.com, and so on until all possible combinations of letters and numbers have been exhausted.
How to prevent Dictionary Attack?
The solutions are relatively simple:
- Lock an account after a certain number of failed attempts.
- Force an account that fails to log in multiple times to use a method like captcha or other secondary certification.
- Use two-factor authentication (a method that supplements passwords to provide an online account with a second layer of security) so that more than one password is required to log in.
- Ban multiple login attempts from a single IP address
- Strengthen your password requirements, such as requiring specific symbols, numbers, and/or uppercase letters, and requiring a minimum password length.
- Expire your current users’ passwords and require them to create new ones: require them to update or change their passwords every few months. A common corporate time frame is 3 months.
- Disable root login for remote connections. Root is a common user name and a common target for brute-force attacks.
- Only allow SSH connections for certain hosts or IP addresses. This ensures that the computers connecting to your server are known and are intentionally allowed access.
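A minimal sketch of the first and fourth items in the list above (account lockout and per-IP limits), added here as an example and not taken from the original post. The thresholds, the time window, the class name LoginGuard and the login events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_ACCOUNT_FAILURES = 5   # assumed: lock the account after this many failures
MAX_IP_FAILURES = 10       # assumed: ban the source IP after this many failures
WINDOW_SECONDS = 300       # assumed: only failures inside this window count


class LoginGuard:
    """Counts failed logins per account and per source IP in a sliding window."""

    def __init__(self):
        self.account_failures = defaultdict(deque)
        self.ip_failures = defaultdict(deque)
        self.locked_accounts = set()
        self.banned_ips = set()

    def _record(self, bucket, key, now):
        # Store the failure time and forget failures older than the window.
        times = bucket[key]
        times.append(now)
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()
        return len(times)

    def attempt(self, user, ip, success, now):
        """Return 'banned', 'locked', 'ok' or 'failed' for one login attempt."""
        if ip in self.banned_ips:
            return "banned"
        if user in self.locked_accounts:
            return "locked"  # refused even if the password is now correct
        if success:
            self.account_failures.pop(user, None)  # reset the account counter
            return "ok"
        if self._record(self.account_failures, user, now) >= MAX_ACCOUNT_FAILURES:
            self.locked_accounts.add(user)
        if self._record(self.ip_failures, ip, now) >= MAX_IP_FAILURES:
            self.banned_ips.add(ip)
        return "failed"


def replay(events):
    """Feed (user, ip, success, timestamp) tuples through a fresh guard."""
    guard = LoginGuard()
    return guard, [guard.attempt(*event) for event in events]


# Constructed sample: five wrong guesses for "rahul", then the right password.
SAMPLE = [("rahul", "203.0.113.7", False, t) for t in range(5)]
SAMPLE.append(("rahul", "203.0.113.7", True, 6))
```

Because the lock is checked before the password, the sixth attempt is refused even though the guess is correct, which is what stops a dictionary run from finishing.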
Summary:
- Definition: an attempt to break into a password-protected computer or computer system with a software program that successively tries all the words in a large dictionary or other word list, or an attempt by a spammer to obtain a list of valid email addresses by testing possible usernames in combination with a domain name.
- The time required to hack using a dictionary attack is often just a few seconds; it can be several minutes if the dictionary is very large or in the case of a hybrid dictionary attack.
- What can be recovered? The original password and all the data which is protected by using that password.
- Is this a guaranteed result? No.
- Dictionary attack works well on “single word passwords” but usually fails on more complex passwords.
Some good dictionaries for dictionary attack:
https://wiki.skullsecurity.org/Passwords
https://web.archive.org/web/20120207113205/http://www.insidepro.com/eng/download.shtml
All hackers need is your information, and they have many tools to make use of it. We will continue in the next post, where we will show how to crack passwords!
Author: Nivedita.M
Edited by: Arcot Gautham

Helpful blog content..
thank you!
Thanks! That was simple and informative 😀
thank you! please subscribe