Cracking dictionaries are software programs that compile lists of unique words, common passwords, and iterations of common passwords. These words are collected from public domain files from multiple sources and in various formats. With cracking dictionaries, hackers narrow the universe of possible passwords to try. Instead of a brute force attack that tries every possible character combination, the hacker can try the passwords that are most likely to work.
How do cracking dictionaries work?
User passwords are a critical layer of authentication security intended to protect user data and preserve confidentiality. The effectiveness of passwords is somewhat undermined by users’ tendency to base their passwords on words with personal meaning and then make simple variations. Most users create passwords that associate with something they appreciate – a child’s birthday, a pet’s name, a favorite sports team, etc. The reason for this is rooted in human psychology. According to psychologists, most people can accurately recall only five to nine random bits of information at any given time and they therefore rely on things that they are most likely to remember when creating passwords. Studies show that half of the passwords people use are often related to their family, including names, nicknames, birthdays, pets, etc. Other users rely upon common words or variations on common words. Frequently, these users have unintentionally made their preferences public, primarily through social media.
Hackers are well aware of user password tendencies. Further, the increase of data breaches and leaks across industries gives hackers an opportunity to collect a list of exposed usernames and passwords. These compromised credentials are then used on other sites since hackers know that most people reuse passwords, or variations on their passwords, across different sites. All of these factors drive hackers to use cracking dictionaries.
How cracking dictionaries are use?
These dictionaries are typically used in password attacks, especially in an offline dictionary attack. A dictionary attack is a method of trying to reverse hashed passwords by trying all the available strings in a re-arranged listing. In other words, it systematically enters every word in a dictionary as well as previously compromised passwords with the goal of finding the right candidate.
How to prevent password cracking?
Preventing passwords from being cracked by malicious actors is a key line of defense. Here are two ways organizations and users can reduce the risks of password cracking.
(1) Password policies
Password policies are a front line of defense. They are typically a set of rules intended to improve security by motivating or compelling users to create and maintain dependable, safe passwords. Password policies govern password lifecycle events, such as authentication, periodic resets, and expiration. Although some password policies are advisory and outline best practices for users, most sites require users to adhere to the policy using programmatic rules. User frustration can arise if users are required to spend time attempting to create passwords that meet unfamiliar criteria. Having a password policy can help mitigate user frustration by providing guidelines and certainty. The following are examples of password policies:
(2) Password screening
One of the best ways to prevent dictionary attacks is to screen them against known lists of dictionary passwords and compromised passwords. Compromised password screens collect compromised data from the internet and Dark Web sources and then determines if the password a user is trying to create has been compromised. Password screening tools work by checking a partial hash of username and password at login, password setup, and reset. It can also be beneficial to consumer sites and e-commerce companies to detect and protect them from fraudsters who use previously compromised credentials.