Hubbry Logo
Dictionary attackDictionary attackMain
Open search
Dictionary attack
Community hub
Dictionary attack
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Dictionary attack
Dictionary attack
Dictionary attack
View on Wikipedia
from Wikipedia

In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or millions of likely possibilities[1] often obtained from lists of past security breaches.

Technique

[edit]

A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase dictionary attack);[2] however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches.[3] There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are often successful, since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or manually typing a password.

Dictionary attacks can be deterred by the server administrator by using a more computationally expensive hashing algorithm. Bcrypt, scrypt, and Argon2 are examples of such resource intensive functions that require significant computational power to process,[4] allowing for large improvements in security against dictionary attacks. While other hashing functions, such as SHA and MD5, are much faster and less expensive to compute, they can still be strengthened by being applied multiple times to an input string through a process called key stretching. An attacker would have to know approximately how many times the function was applied for a dictionary attack to be feasible.

Pre-computed dictionary attack/Rainbow table attack

[edit]

It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but this allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but now they are less of an issue because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary needs be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup-times. See LM hash for an example of an authentication system compromised by such an attack.

Pre-computed dictionary attacks, or "rainbow table attacks", can be thwarted by the use of salt, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible, provided that the number of possible salt values is large enough.[5]

Dictionary attack software

[edit]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Dictionary attack

View on Grokipedia
from Grokipedia
A dictionary attack is a type of cyber attack in which an adversary attempts to gain unauthorized access to a password-protected by systematically entering words, phrases, or commonly used passwords from a predefined list, often derived from dictionaries or leaked databases. Unlike a , which exhaustively tries all possible character combinations, a dictionary attack is more efficient as it targets probable candidates, making it particularly effective against users who choose predictable or weak passwords. Originating as one of the earliest automated methods for cracking passwords in computer systems, dictionary attacks have been documented since the 1980s, initially targeting Unix shadow files and later evolving to exploit online services like SSH and web logins. By the early 2000s, such attacks had become pervasive, with studies showing hackers launching dictionary-script-based attempts against internet-connected servers every 39 seconds on average. These attacks can occur online, where the attacker interacts directly with the login interface and faces rate-limiting defenses, or offline, using stolen password hashes to test guesses without detection until verification. To mitigate dictionary attacks, organizations recommend using long, complex passphrases that avoid common words, implementing to add verification layers, and employing account lockout mechanisms or after failed attempts. NIST guidelines emphasize minimum lengths of at least eight characters and prohibit easily guessable patterns to resist both dictionary and brute-force threats, while salting and hashing with strong algorithms like or hinders offline cracking. Despite these defenses, dictionary attacks remain a top , with 81% of breaches involving weak or stolen credentials as of 2025, due to the prevalence of reused and weak across billions of accounts exposed in data breaches.

Fundamentals

Definition and Principles

A dictionary attack is a form of cyber attack that attempts to crack passwords by systematically trying a predefined list of words, phrases, or patterns commonly used by users, such as words, names, or simple variations like "password123". This method exploits the tendency of individuals to select memorable and predictable credentials rather than truly random ones. The core principles of a dictionary attack center on the predictability of human-chosen , which frequently draw from a limited set of common terms, thereby reducing the effective search space compared to exhaustive methods. It employs a "" file—a compiled collection of likely password candidates, often including leaked credentials or modified common words—to test against the target. Success hinges on the dictionary's comprehensiveness and the target's password , as weak or common choices can be cracked efficiently while strong, unique ones resist longer. In its basic process, the attack iterates through entries until a match occurs or the list is exhausted: for offline scenarios, each candidate is hashed using the same as the stored and compared directly; for online scenarios, candidates are submitted as attempts, though systems often impose to curb rapid trials. Key concepts include hashing in offline contexts, which allows verification without exposing passwords, and in online contexts, which slows automated guessing by restricting attempt frequency. Unlike brute-force attacks that try all possible combinations indiscriminately, dictionary attacks prioritize probable guesses for greater efficiency.

Comparison to Other Attacks

Dictionary attacks differ from brute-force attacks primarily in their targeted approach and resource efficiency. Brute-force attacks exhaustively test every possible character combination within a defined keyspace, making them computationally intensive; for instance, cracking an 8-character password using the 95 printable ASCII characters requires up to approximately 6.6 × 10^{15} attempts, often rendering them impractical for longer or complex passwords without massive parallel computing resources. In contrast, dictionary attacks leverage predefined lists of probable passwords—such as common words, phrases, or leaked credentials—typically numbering in the thousands to millions, allowing attackers to prioritize high-likelihood candidates and achieve results far more quickly against human-chosen passwords. In terms of efficiency, dictionary attacks often yield higher success rates on systems with weak passwords in scenarios where users rely on predictable choices like "" or "123456," which appear in millions of leaked sets. Brute-force methods, while theoretically capable of cracking any given sufficient time, may require years or more for strong, unique passwords due to their exponential complexity, whereas dictionary attacks can succeed in seconds to hours for common entries. Unlike phishing or social engineering attacks, which rely on deception to trick users into voluntarily revealing credentials through fraudulent communications or psychological manipulation, dictionary attacks are purely automated and technical, operating on captured password data without direct human interaction. This makes dictionary methods independent of user behavior during the attack phase but dependent on the initial acquisition of hashed or passwords. Dictionary attacks also contrast with keylogging, where malware or hardware intercepts keystrokes in real-time to capture credentials as they are entered, providing direct access without needing to crack encrypted forms. Instead, dictionary attacks focus on post-capture analysis, attempting to reverse hashed passwords offline after theft from databases or intercepts. Dictionary attacks are particularly applicable to offline scenarios, such as cracking stolen hash databases from systems like Unix shadow files or Windows SAM registries, where rate limiting does not apply and optimizations like rainbow tables can further accelerate lookups of precomputed hashes. They prove less effective against complex, unique passwords that fall outside standard dictionaries, where brute-force or hybrid methods may be required despite their higher demands.

Techniques

Online Dictionary Attacks

In an online dictionary attack, the adversary interacts directly with a live system over a network, submitting credential guesses derived from a predefined list of common words, phrases, or passwords. These attempts are automated via scripts that simulate user logins through interfaces such as web forms, endpoints, or remote protocols like SSH, allowing for repeated submissions without manual intervention. Such attacks are inherently constrained by server-side defenses, including that caps login attempts from a single or user account within a given timeframe, CAPTCHA mechanisms to distinguish human users from bots, and temporary account lockouts following multiple failures. These protections severely limit the attacker's throughput, often reducing the feasibility of exhaustive guessing and resulting in typically low success rates compared to unconstrained scenarios. Online dictionary attacks frequently target vulnerable web applications, email providers, or remote access services where weak credentials are suspected. For example, an attacker might deploy a script to probe a corporate portal at a rate of around 100 attempts per minute, cycling through entries until a match or detection occurs. The operational risks are substantial, as patterns of rapid failed authentications can trigger automated IP bans, intrusion detection alerts, or forensic logging that exposes the attacker's origin. Furthermore, unauthorized execution of these attacks constitutes a federal offense under the U.S. (CFAA), which criminalizes intentional unauthorized access to protected computers, potentially leading to severe penalties including fines and imprisonment. A prominent historical instance occurred in 2007, when researchers at the documented that internet-connected computers faced successful dictionary-script-based attacks every 39 seconds on average, underscoring the era's widespread vulnerability to guessing despite emerging defenses. Unlike offline dictionary attacks, which exploit stolen hashes without network oversight, online variants remain bound by real-time throttling and monitoring.

Offline Dictionary Attacks

Offline dictionary attacks occur when an attacker has obtained a collection of password hashes, such as from a stolen database or system file, and attempts to recover the original passwords by generating and comparing hashes of words from a predefined without interacting with the target . This process involves loading the target hashes into cracking software, which then computes the hash of each entry using the same and compares it to the targets for matches. A primary advantage of offline attacks is the absence of network latency, account lockouts, or rate-limiting mechanisms that constrain attempts, allowing attackers to perform computations at maximum hardware speed. Modern implementations leverage GPU acceleration, enabling rates of billions of hashes per second for vulnerable algorithms, far surpassing the limited attempts possible in scenarios. These attacks particularly target weak, unsalted hashing functions like or , which are computationally inexpensive to reverse en masse. If the hashes include salts—unique random values appended to passwords before hashing—the attacker must recompute the hash for each dictionary word combined with the specific salt, preventing precomputation optimizations but still allowing rapid trials on salted variants of these fast hashes. Common scenarios include post-breach analysis of leaked databases, where attackers apply large dictionaries to millions of hashes from SQL dumps, or cracking system files like /etc/shadow, which stores salted hashes for local accounts. For instance, using a 10GB on a stolen database can yield matches for common within hours on consumer-grade hardware. In terms of speed, a weak unsalted hash of a dictionary word like "" can be cracked in seconds on a high-end GPU, while stronger but still vulnerable hashes might take minutes to hours depending on size and complexity.

Advanced Methods

Rainbow Table Attacks

Rainbow tables are a specialized form of pre-computed dictionary attack that optimize storage through a time-memory tradeoff, enabling efficient offline cracking of password hashes derived from dictionary words. This method builds on the foundational time-memory tradeoff concept introduced by Martin Hellman in 1980 for inverting one-way functions, such as cryptographic hashes, by chaining computations while storing only partial data to cover vast key spaces with reduced memory. Philippe Oechslin refined this into the rainbow table in 2003, using multiple reduction functions to create "rainbow" chains that minimize chain collisions and storage needs, making it particularly effective for unsalted hash functions in password cracking scenarios. The construction of a rainbow table begins with a dictionary of candidate passwords. For each starting password p0p_0, compute the initial hash h0=H(p0)h_0 = H(p_0), where HH is the target (e.g., or ). Then, apply a sequence of reduction functions r1,r2,,rt1r_1, r_2, \dots, r_{t-1} to generate a chain: p1=r1(h0)p_1 = r_1(h_0), h1=H(p1)h_1 = H(p_1), p2=r2(h1)p_2 = r_2(h_1), and so on, up to ht1h_{t-1}. To save space, only the starting point (p0,ht1)(p_0, h_{t-1}) is stored for each chain of length tt, with different reduction functions used at each step to form the "" pattern and reduce the probability of chain merges to approximately 1/t1/t. Millions of such chains are generated and sorted by endpoint for quick lookup, resulting in tables that can cover billions of potential hashes; for instance, a 1.4 GB table can encompass up to 2372^{37} (about 137 billion) alphanumeric passwords of length up to 7 characters. In usage, given a target hash hh, the attacker searches the table's endpoints for a match. If hh matches an endpoint ht1h_{t-1}, the full is recomputed backward from that starting point to locate the original . If no direct match, apply reduction functions sequentially from the last to the first (e.g., rt1(h)r_{t-1}(h), then hash and reduce again), checking each new value against the table until a is found, which requires on average t(t1)/2t(t-1)/2 hash computations. This is highly effective against unsalted hashes, as the precomputation covers common words without per-hash customization. The primary advantages of rainbow tables include dramatically faster lookup times compared to hashing an entire dictionary on-the-fly; for example, cracking a hash from a 64-character alphanumeric space can take 13.6 seconds with rainbow tables versus 101 seconds using earlier distinguished-point methods. They achieve this with about half the computational overhead of Hellman's original tables by avoiding false alarms and using constant-length chains, while requiring far less storage than full lookup tables (e.g., N2/3N^{2/3} space versus NN). However, rainbow tables are ineffective against salted hashes, as the unique salt per password alters the hash input, necessitating a separate table for each salt value, which renders precomputation impractical. This limitation, along with the rise of stronger hashing algorithms, contributed to their popularization in the early 2000s but reduced prevalence today.

Hybrid Attacks

Hybrid attacks enhance traditional dictionary attacks by systematically applying transformation rules to base words from a dictionary, thereby targeting common user modifications to passwords such as capitalization, appending numbers, or substituting characters. This approach combines the efficiency of dictionary-based guessing with elements of brute-force variation, allowing attackers to generate candidate passwords like "password1", "Password!", or "p@ssword123" from the root word "password". Password candidates in hybrid attacks are generated using predefined rulesets that mutate dictionary entries in controlled ways. Common rules include capitalizing the first letter (e.g., "admin" to "Admin"), appending 2-4 digits at the end (e.g., "letmein" to "letmein99"), or replacing letters with similar symbols (e.g., "a" with "@" in "password" to "p@ssword"). These rules are often implemented in cracking software and can be customized based on observed patterns in leaked datasets, expanding a base of common words into millions of variations without exhaustively trying all possible combinations. The effectiveness of hybrid attacks significantly improves success rates against modified weak passwords; for instance, in an analysis of automatic cracking tools applied to breached passwords, a hybrid approach with optimized rules yielded a 51.87% success rate, outperforming basic methods. Computationally, hybrid attacks incur higher costs than pure attacks due to the expanded candidate set but remain far more efficient than full brute-force, as they prioritize likely variations over random trials. Hybrid attacks are particularly prevalent in offline scenarios, where attackers have obtained hashed password databases from breaches and can perform extensive computations without rate limits. A notable example involves the RockYou 2009 breach, which exposed over 32 million plaintext passwords and led to the creation of the wordlist; this list, when combined with hybrid rules, has been used to crack substantial portions of passwords in subsequent breaches. The key tradeoff in hybrid attacks lies in balancing broader coverage of user behaviors against increased resource demands, necessitating larger dictionaries or more sophisticated rulesets to maintain speed while maximizing hits. This makes them suitable for targeted offline cracking but less practical for real-time online attempts. While tables can precompute static hybrids for faster lookups, dynamic rule application in hybrids allows adaptation to evolving trends.

Tools and Implementation

Several popular open-source software tools are widely used for executing dictionary attacks as part of password auditing and penetration testing. Among these, and stand out for their robustness, flexibility, and community support, enabling users to perform dictionary-based cracking alongside other modes like rules and hybrids. These tools are primarily employed by professionals to assess the strength of password hashes, rather than for unauthorized access. John the Ripper, first released in 1996 by developer Solar Designer, is a versatile password cracker that supports dictionary attacks through its wordlist mode, where users supply a file of potential passwords to test against hashed values. It includes features such as mangling rules to generate variations from base words (e.g., appending numbers or symbols) and incremental modes that systematically try passwords based on patterns like length and character sets. The tool also offers GPU acceleration via in its community-maintained "jumbo" edition, allowing for faster processing on modern hardware. is cross-platform, running on systems, Windows, and macOS, and integrates seamlessly with popular wordlists such as the dataset from a 2009 breach or CrackStation's extensive dictionary. Hashcat, originally released in 2009 as an open-source tool under the , evolved from CPU-based cracking to emphasize GPU acceleration, becoming one of the earliest utilities to leverage graphics cards for password testing in the early . It supports attacks via straight wordlist mode and combinator attacks, which concatenate words from multiple lists, along with advanced rule-based mutations for hybrid approaches. Hashcat's performance is notable for its speed; for instance, on 3080 GPUs, it can achieve approximately 54 GH/s (giga-hashes per second) for hashes in benchmark tests. Like , it is multi-platform, compatible with , Windows, and macOS, and commonly pairs with dictionaries including and CrackStation for input. Both tools are designed for ethical applications in cybersecurity, such as assessments and educational purposes, with their developers emphasizing responsible use to improve policies rather than enable malicious activities.

Building a Dictionary

Building a for dictionary attacks involves compiling wordlists from various sources to maximize the likelihood of matching target . One primary source is public data leaks, such as the 2009 breach, which exposed approximately 32 million from user accounts on the social application platform. Subsequent compilations, such as RockYou2021 with 8.4 billion unique aggregated from multiple breaches and RockYou2024 with nearly 10 billion unique , have become standard resources for constructing even more comprehensive lists. These leaks provide real-world data that reflects common user choices, making them valuable for constructing effective lists. Another key resource is curated wordlists like the Electronic Frontier Foundation's (EFF) long wordlist, which contains 7,776 common English words selected for generation but adaptable for attack due to their memorability and prevalence in everyday language. Dictionaries can also be generated from standard language resources, such as English , or derived from user-specific data like names, dates, and personal information to simulate likely patterns. Customization enhances the dictionary's relevance to specific targets, increasing attack efficiency. For instance, in corporate environments, attackers may append or prepend organization-specific terms, such as company names or department abbreviations, to base words to target employee passwords. Tools like Crunch, a wordlist generator included in , facilitate this by creating variations based on user-defined character sets, lengths, and patterns, allowing for the production of tailored lists without manual enumeration. Attackers follow best practices to broaden dictionary coverage while managing computational resources. Effective lists incorporate multilingual terms to account for non-English users, leetspeak substitutions (e.g., replacing 'a' with '@' in "p@ssw0rd"), and common appendages like numbers or symbols derived from keyboard layouts. Size optimization is crucial; starting with a focused list of around 1 million entries balances comprehensiveness with speed, expanding iteratively based on initial results. The quality of a is often measured by its coverage of passwords observed in breaches. Analyses of leaked credentials show that simple terms like "" appear frequently, ranking among the top choices in large compilations of compromised accounts and contributing to a significant portion of successful attacks. For ethical and legal purposes, researchers source dictionaries exclusively from publicly available datasets to study vulnerabilities without engaging in unauthorized access, ensuring compliance with data protection laws.

Mitigation Strategies

Password Policies

Password policies are essential organizational and user-level measures designed to mitigate the success of dictionary attacks by promoting the creation of strong, non-predictable . These policies typically enforce a minimum of 15 characters for single-factor to increase the and make exhaustive guessing computationally infeasible, while banning common words such as "" or "123456" that frequently appear in attack . Additionally, requirements for mixing character types—such as uppercase letters, lowercase letters, numbers, and symbols—help deviate from standard entries, though recent guidelines emphasize over forced to avoid user frustration that leads to weaker choices. Standards like NIST Special Publication 800-63B, Revision 4 (July 2025), mark a pivotal shift toward usability-focused policies, recommending passphrases of 15 to 64 characters for single-factor without mandatory composition rules (e.g., no required uppercase or special characters) and screening new passwords against lists of commonly used or compromised ones to block dictionary matches. For , a minimum of 8 characters is permitted. This update discourages periodic password changes, as they often result in minor variations of old passwords that remain vulnerable to targeted dictionaries, prioritizing instead stable, memorable secrets that resist offline cracking. The historical evolution from pre-2010s emphasis on complexity rules—such as alternating character classes—to these length-centric approaches was influenced by reports like Verizon's Investigations Report, which consistently show that overly restrictive policies contribute to successes in breaches. User education forms a core component of effective policies, encouraging the adoption of unique, memorable passphrases like "correct horse battery staple" from the comic, which illustrates how four random words can yield high (approximately 44 bits) far exceeding complex short passwords. Training programs also raise awareness of dictionary sources, including leaked credential databases, urging users to avoid reusing passwords across sites and to verify exposures via services like . In corporate settings, these policies are implemented through tools like Microsoft Active Directory, which enforces domain-wide rules via Objects, including custom blacklists to reject dictionary words. Studies demonstrate that such comprehensive policies significantly reduce the proportion of crackable passwords; for instance, combining length requirements, blacklists, and pattern checks can lower offline attack success rates to under 12% at 10^14 guesses, compared to over 50% under weaker rules.

Technical Defenses

Technical defenses against dictionary attacks primarily involve cryptographic techniques to secure storage and transmission, as well as system-level mechanisms to limit attack feasibility. These measures focus on making offline cracking computationally expensive and online attempts inefficient or detectable. Key practices include adopting adaptive, memory-hard hashing algorithms that incorporate salting to thwart precomputed attacks. Hashing best practices emphasize the use of slow, computationally intensive algorithms to deter brute-force and dictionary-based cracking. , the winner of the 2015 , is recommended as the primary choice due to its resistance to GPU-accelerated attacks through memory-hardness, requiring significant RAM per hash computation. serves as a strong alternative for legacy systems, providing adaptive work factors to increase computation time. , while still usable in constrained environments, is generally deprecated for new implementations in favor of these more robust options. Each password must be hashed with a unique, randomly generated salt—at least 16 bytes long—to prevent attacks, as the salt ensures that identical passwords produce distinct hashes, rendering precomputed tables ineffective. For online protections, systems implement to cap login attempts, such as allowing no more than five attempts per minute per account or , thereby slowing dictionary attacks that rely on rapid trials. Progressive delays, where wait times double after each failure (e.g., 1 second after the first fail, escalating to minutes), further frustrate attackers without fully locking legitimate users. Account lockouts after a threshold, like 10 consecutive failures, temporarily suspend access for a period (e.g., 15-30 minutes) or require administrative intervention, effectively halting sustained online dictionary probes. These controls are often combined with challenges after a few failures to distinguish human users from automated scripts. Offline safeguards protect stolen credential databases from efficient cracking. Databases storing password hashes should be encrypted at rest using strong algorithms like AES-256 to add a layer of protection if the storage is compromised. Key derivation functions (KDFs), such as those in or , transform passwords into hashes with high iteration counts, making offline dictionary attacks time-prohibitive even on powerful hardware. (MFA) acts as an ultimate barrier, requiring a second factor (e.g., a time-based one-time password) even if the password is guessed or cracked offline, as it verifies possession of an additional authenticator. Monitoring enhances these defenses by enabling proactive responses to suspicious activity. Systems should log all failed login attempts, including timestamps, usernames, and source IPs, to facilitate analysis of patterns indicative of attacks, such as bursts from unfamiliar IPs. Anomaly detection tools can flag unusual behaviors, like login attempts from geographically distant locations or during off-hours. For instance, Fail2ban scans logs in real-time and automatically bans IPs exhibiting repeated failures, commonly applied to services like SSH to block dictionary-based brute-force efforts. The effectiveness of these measures is well-established: unique salting alone defeats tables by necessitating recomputation for each user, exponentially increasing attacker effort. , with parameters tuned for approximately 100ms computation time per hash on standard hardware, resists GPU cracking, where even high-end setups might achieve only thousands of hashes per second compared to millions for faster algorithms like MD5. When layered, these defenses—hashing with salting, , MFA, and monitoring—can reduce successful dictionary attack rates to near zero in practice.

References

  1. https://www.cisa.gov/resources-tools/resources/project-upskill-glossary
  2. https://www.neiu.edu/student-life/current-students/services-and-support/university-technology-services/information-security/glossary-of-information-security-terms
  3. https://pages.nist.gov/800-63-4/sp800-63b/passwords/
  4. https://www.open.edu/openlearn/mod/oucontent/view.php?id=48319&section=1.2
  5. https://www.paloaltonetworks.com/cyberpedia/dictionary-attack
  6. https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
  7. https://pages.nist.gov/800-63-3/sp800-63b.html
  8. https://www.kaspersky.com/resource-center/definitions/what-is-a-dictionary-attack
  9. https://www.verizon.com/business/resources/reports/dbir/
  10. https://heimdalsecurity.com/blog/password-breach-statistics/
  11. https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/topic7-final/report.pdf
  12. https://cs.brown.edu/courses/csci1660/old/2024/files/notes/s24/lec06-notes.pdf
  13. https://inst.eecs.berkeley.edu/~cs161/sp18/slides/2.20.passwords.pdf
  14. https://www.hivesystems.com/blog/are-your-passwords-in-the-green
  15. https://rublon.com/blog/brute-force-dictionary-attack-difference/
  16. https://www.researchgate.net/publication/384095412_A_Comparative_Study_Between_Two_Cybersecurity_Attacks_Brute_Force_and_Dictionary_Attacks
  17. https://jetpack.com/resources/brute-force-vs-dictionary-attack/
  18. https://securelist.com/password-brute-force-time/112984/
  19. https://nordpass.com/most-common-passwords-list/
  20. https://kzero.com/resources/guides/cyberattack/dictionary-attack/
  21. https://identitymanagementinstitute.org/7-hacking-password-attack-methods/
  22. https://www.onelogin.com/learn/6-types-password-attacks
  23. https://powerdmarc.com/password-attacks/
  24. https://www.authx.com/blog/brute-force-vs-dictionary-attack/
  25. https://www.csoonline.com/article/569677/what-is-a-dictionary-attack-and-how-you-can-easily-stop-them.html
  26. https://owasp.org/www-community/attacks/Brute_force_attack
  27. https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
  28. https://pages.nist.gov/800-63-4/sp800-63b/security/
  29. https://www.congress.gov/crs_external_products/RL/PDF/97-1025/97-1025.17.pdf
  30. https://arxiv.org/pdf/1411.7803
  31. https://jumpcloud.com/it-index/what-is-offline-password-cracking
  32. https://hashcat.net/hashcat/
  33. https://www.iacr.org/archive/crypto2003/27290615/27290615.pdf
  34. https://www-ee.stanford.edu/~hellman/publications/36.pdf
  35. https://infoscience.epfl.ch/bitstreams/37cd827e-c3a6-4ba3-b68f-8ab7669b4449/download
  36. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
  37. https://www.oig.dhs.gov/sites/default/files/assets/Mgmt/rOIG_05-03_Nov04.pdf
  38. https://www.researchgate.net/profile/Leon-Bosnjak/publication/326700354_Brute-force_and_dictionary_attack_on_hashed_real-world_passwords/links/5c6b6504a6fdcc404ebadec1/Brute-force-and-dictionary-attack-on-hashed-real-world-passwords.pdf
  39. https://unitesi.unive.it/retrieve/694bb058-2d2d-41a3-ba0d-5d89984ca6ad/865112-1268422.pdf
  40. https://www.theguardian.com/technology/blog/2009/dec/15/rockyou-hacked-passwords
  41. https://www.openwall.com/john/
  42. https://www.csoonline.com/article/569533/john-the-ripper-explained-an-essential-password-cracker-for-your-hacker-toolkit.html
  43. https://github.com/openwall/john
  44. https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
  45. https://hashcat.net/wiki/doku.php?id=hashcat
  46. https://github.com/hashcat/hashcat
  47. https://horkan.com/2025/01/07/the-history-and-evolution-of-password-cracking-software
  48. https://gist.github.com/Chick3nman/bb22b28ec4ddec0cb5f59df97c994db4
  49. https://hashcat.net/forum/thread-13330.html
  50. https://www.reuters.com/article/business/rockyou-hack-exposes-names-passwords-of-30m-accounts-idUS1102748863/
  51. https://enzoic.com/blog/rockyou2021/
  52. https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
  53. https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
  54. https://www.kali.org/tools/crunch/
  55. https://pages.nist.gov/800-63-4/sp800-63b.html
  56. https://www.lepide.com/blog/active-directory-password-policy-guide/
  57. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf
  58. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf
  59. https://xkcd.com/936/
  60. https://users.ece.cmu.edu/~lbauer/papers/2016/tissec2016-password-policies.pdf
  61. https://password-hashing.net/
  62. https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
  63. https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
  64. https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
Add your contribution
Related Hubs
User Avatar
No comments yet.