Dictionary attack

In cryptanalysis, a dictionary attack refers to discovering a password by running through a list of likely possibilities, often a list of words from a dictionary. It contrasts to a brute force attack in which all possibilities are tried. For example, one can attempt to guess a password on a computer in an English speaking country by encrypting each of a list of English words and comparing each encryption against the stored encrypted version of users' passwords. Since users often choose inappropriate (ie, easily guessed or broken) passwords, this has historically succeeded about 4 times out of 10 when a reasonably large list is used. It is worth noting that dictionaries for most human languages (even those no longer used) are now easily accessible on the Internet so using little known foreign words (eg Maori words) no longer helps prevent dictionary attacks in principle, and to a considerable extent in practice.

It is possible to achieve a time-space tradeoff through precomputation by encrypting and storing a list of encrypted dictionary words, sorting by the encrypted 'value'. This requires a large amount of storage and often a considerable amount of preparation time, but makes the actual attack almost instantaneous. It is particularly effective when a large number of passwords are to be cracked at once. Salting is a technique that forces the encrypted dictionary to be recomputed for each password sought and can make precomputation effectively impossible if the salt is large enough.

An example of a dictionary attack occurred in the Second World War, when British codebreakers working on German Enigma-ciphered messages used the German word eins as part of a dictionary attack; eins, the word for the number one, appeared in 90% of all Enigma messages, as the Enigma machine's keyboard had no numerals (some might classify this as a known plaintext attack).

Clifford Stoll's book, The Cuckoo's Egg, contains an interesting, and unusually readable, account of a dictionary attack against the encrypted passwords kept in the passwd file in Unix systems, and of the reaction to the successful attack by the man (Robert Morris, Sr) who invented the one-way encryption system used for login passwords.

See also

External links

Well known examples of dictionary attack software tools:





Google
Home   Alphabetical Listing   Quote


This article is from Wikipedia. All text is available under the terms of the GNU Free Documentation License.