<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.tachyony.co.uk/w/index.php?action=history&amp;feed=atom&amp;title=Dictionary_attack</id>
	<title>Dictionary attack - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.tachyony.co.uk/w/index.php?action=history&amp;feed=atom&amp;title=Dictionary_attack"/>
	<link rel="alternate" type="text/html" href="https://wiki.tachyony.co.uk/w/index.php?title=Dictionary_attack&amp;action=history"/>
	<updated>2026-07-06T21:23:12Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.44.0</generator>
	<entry>
		<id>https://wiki.tachyony.co.uk/w/index.php?title=Dictionary_attack&amp;diff=52410&amp;oldid=prev</id>
		<title>imported&gt;Aram112: Removed redundant repetitive sentences regarding why dictionary attacks succeed and streamlined the phrasing.</title>
		<link rel="alternate" type="text/html" href="https://wiki.tachyony.co.uk/w/index.php?title=Dictionary_attack&amp;diff=52410&amp;oldid=prev"/>
		<updated>2026-05-22T12:08:27Z</updated>

		<summary type="html">&lt;p&gt;Removed redundant repetitive sentences regarding why dictionary attacks succeed and streamlined the phrasing.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;{{short description|Technique for defeating password protection using lists of likely possibilities}}&lt;br /&gt;
{{More citations needed|date=February 2018}}&lt;br /&gt;
&lt;br /&gt;
In [[cryptanalysis]] and [[computer security]], a &amp;#039;&amp;#039;&amp;#039;dictionary attack&amp;#039;&amp;#039;&amp;#039; is an attack using a restricted subset of a keyspace to defeat a [[cipher]] or authentication mechanism by trying to determine its decryption key or [[passphrase]], sometimes trying thousands or millions of likely possibilities&amp;lt;ref&amp;gt;{{Cite journal|last1=Junghyun Nam|last2=Juryon Paik|last3=Hyun-kyu Kang|last4=Ung Kim|last5=Dongho Won|date=2009-03-01|title=An off-line dictionary attack on a simple three-party key exchange protocol|journal=IEEE Communications Letters|volume=13|issue=3|pages=205–207|doi=10.1109/LCOMM.2009.081609|bibcode=2009IComL..13..205N |issn=1089-7798}}&amp;lt;/ref&amp;gt; often obtained from lists of past security breaches.&lt;br /&gt;
&lt;br /&gt;
==Technique==&lt;br /&gt;
A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase &amp;#039;&amp;#039;dictionary attack&amp;#039;&amp;#039;);&amp;lt;ref&amp;gt;&lt;br /&gt;
Jeff Atwood.&lt;br /&gt;
[https://blog.codinghorror.com/dictionary-attacks-101/ &amp;quot;Dictionary Attacks 101&amp;quot;].&lt;br /&gt;
&amp;lt;/ref&amp;gt; however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches.&amp;lt;ref&amp;gt;[https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm CrackStation&amp;#039;s list]. e.g., with over 1.4 billion words.&amp;lt;/ref&amp;gt; There is also cracking software that can use such lists and produce common variations, such as [[leet | substituting numbers for similar-looking letters]]. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, ...by appending a digit or punctuation character, which are easily covered by modern cracking software pattern generation. A safer approach. is to randomly generate a long password (15 letters or more) or a multiword [[passphrase]], using a [[password manager]] program or manually typing a password.&lt;br /&gt;
&lt;br /&gt;
Dictionary attacks can be deterred by the server administrator by using a more computationally expensive hashing algorithm. [[Bcrypt]], [[scrypt]], and [[Argon2]] are examples of such resource intensive functions that require significant computational power to process,&amp;lt;ref&amp;gt;{{Cite web |title=Key Stretching Algorithms: Basics, Algorithms &amp;amp; Techniques |url=https://bootcampsecurity.com/blog/key-stretching-algorithms-basics-algorithms-techniques/ |website=Bootcamp Security|date=29 September 2024 }}&amp;lt;/ref&amp;gt; allowing for large improvements in security against dictionary attacks. While other hashing functions, such as [[Secure Hash Algorithms|SHA]] and [[MD5]], are much faster and less expensive to compute, they can still be strengthened by being applied multiple times to an input string through a process called [[key stretching]]. An attacker would have to know approximately how many times the function was applied for a dictionary attack to be feasible.&lt;br /&gt;
&lt;br /&gt;
==Pre-computed dictionary attack/Rainbow table attack==&lt;br /&gt;
It is possible to achieve a [[time–space tradeoff]] by [[pre-computing]] a list of [[Cryptographic hash function|hashes]] of dictionary words and storing these in a database using the hash as the [[Unique key|key]]. This requires a considerable amount of preparation time, but this allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but now they are less of an issue because of the low cost of [[disk storage]]. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary needs be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of [[rainbow table]]s, which reduce storage requirements at the cost of slightly longer lookup-times. &amp;#039;&amp;#039;See&amp;#039;&amp;#039; [[LM hash]] for an example of an [[Authentication protocol|authentication system]] compromised by such an attack.&lt;br /&gt;
&lt;br /&gt;
Pre-computed dictionary attacks, or &amp;quot;rainbow table attacks&amp;quot;, can be thwarted by the use of [[Salt (cryptography)|salt]], a technique that forces the hash dictionary to be recomputed for each password sought, making [[precomputation]] infeasible, provided that the number of possible salt values is large enough.&amp;lt;ref&amp;gt;{{Cite web|title=CAPEC - CAPEC-55: Rainbow Table Password Cracking (Version 3.5)|url=https://capec.mitre.org/data/definitions/55.html|access-date=2021-09-12|website=capec.mitre.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Dictionary attack software==&lt;br /&gt;
*[[Cain and Abel (software)|Cain and Abel]]&lt;br /&gt;
*[[Crack (password software)|Crack]]&lt;br /&gt;
*[[Aircrack-ng]]&lt;br /&gt;
*[[John the Ripper]]&lt;br /&gt;
*[[Hashcat]]&lt;br /&gt;
*[[L0phtCrack]]&lt;br /&gt;
*[[Metasploit Project]]&lt;br /&gt;
*[[Ophcrack]]&lt;br /&gt;
*[[Cryptool]]&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Brute-force attack]]&lt;br /&gt;
*E-mail address harvesting&lt;br /&gt;
*[[Intercontinental Dictionary Series]], an online linguistic database&lt;br /&gt;
*[[Key derivation function]]&lt;br /&gt;
*[[Key stretching]]&lt;br /&gt;
*[[Password cracking]]&lt;br /&gt;
*[[Password strength]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{Reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
{{Wiktionary}}&lt;br /&gt;
&lt;br /&gt;
*{{IETF RFC|2828|link=no}} – Internet Security Glossary&lt;br /&gt;
*{{IETF RFC|4949|link=no}} – Internet Security Glossary, Version 2&lt;br /&gt;
*[https://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html US Secret Service use a distributed dictionary attack on suspect&amp;#039;s password protecting encryption keys]&lt;br /&gt;
*[http://www.owasp.org/index.php/Testing_for_Brute_Force#Brute_force_Attacks Testing for Brute Force (OWASP-AT-004)] {{Webarchive|url=https://web.archive.org/web/20200114052332/https://www.owasp.org/index.php/Testing_for_Brute_Force#Brute_force_Attacks|date=2020-01-14}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Cryptographic attacks]]&lt;/div&gt;</summary>
		<author><name>imported&gt;Aram112</name></author>
	</entry>
</feed>