A password dictionary would only have passwords, e.g. a compilation of known cleartext passwords, while a cracking dictionary could also contain things like the list of words from the dictionary and auto-generated guesses based on words and other known passwords. For example, if we know that “strawberry” is a common password, we could generate entries for “strawberry1″ all the way through “strawberry99” just to use for cracking.
A cracking dictionary is a massive list of expected passwords used to quickly crack or guess actual passwords. These lists can include words in the form of dictionary words, common passwords, iterations of common passwords, and exposed passwords. They can also contain passwords that used to be hashed but have been subsequently cracked because they were stored in a weak password hashing algorithm.
They work because people make predictable passwords choices. They use common words and character patterns. It’s not necessary to every possible character combination. The dictionary needs only to include the character combinations people actually choose.
Entries will include both leaked passwords and wordlists with common character variations. Leaked passwords are effective because people reuse the same passwords. They will also include other possible passwords. A large dictionary might start with every word in every language from Wikipedia. Various rules are then applied to append, prepend and substitute characters. Cracking dictionaries can be easily found on the Internet and Dark Web. They are often built upon and shared, evolving over time so it is important to account for this in organizational defenses.
A hash is a one-way mathematical operation that is theoretically impossible to reverse to clear text. However, with a cracking dictionary you can reveal passwords from even complicated hashes. This is done by calculating the hash for each entry in the database. Then any target hashes can be looked up to reveal the original passwords. The original password only needs to be in the dictionary for hash to be cracked. Did you know a good cracking dictionary can reveal as much as 80% of password hashes.
Passwords that aren’t in a cracking dictionary are much harder to crack. Preventing users from selecting common passwords is your best defense. Enzoic for Active Directory offers a solution to screen passwords against the latest dictionaries being used today.