Daily Archives: January 30, 2006

Dictionary Attacks: “8@d P@55\/\/0rDz” Part 2

One of the most common ways of protecting access to information or a computer account is with a username and a password. If someone wants to try to gain access to your account, the username is often quite easy to guess (email address, for example) so all they might need to figure out is the password.

One method of cracking the password is with a login dictionary attack.

With this kind of attack, software consecutively tries words from a list in a dictionary file (also known as a wordlist). While other attacks, like brute force attacks, are also effective, in real life, dictionary attacks succeed so often because people base their passwords on short, easy to remember words. The larger the dictionary file, the better the chance the attack will succeed.

While a research attack requires some basic knowledge of a person or system, a dictionary attack can be effective without any starting point. However, if you know that someone speaks French, English, and Spanish, you can load up those three dictionaries as a starting point, effectively narrowing your focus to relevant choices.

You can easily find dozens human language dictionaries for these types of attacks in minutes. Why did I say human? There are also Vulcan, Klingon, and other non-human dictionaries available. Actually, word lists go way beyond basic language dictionaries. Celebrities, aircraft, cars, brand names, sports terms, model numbers, jargon, and pretty much anything else that someone might use for a password has been thought up and added to a word list.

Better attack software might also do character manipulation. It’s common practice for people to substitute the number zero for the letter o, for example, or the number one for the letter l.

The software might try:

  • dig, Dig, DIg, DIG, dIG, diG , dIg
  • dog, Dog, DOg, DOG, dOG, doG, dOg
  • dug, Dug, DUg, DUG, dUG, duG, dug

as well as:

  • d1g, D1g, D1g, D1G, d1G, d1G , d1g
  • d0g, D0g, D0g, D0G, d0G, d0G
  • dvg, Dvg, Dvg, DvG, dvG, dvG
  • dVg, DVg, DVg, DVG, dVG, dVG
  • d19, D19, D19, D19, d19, d19 , d19
  • d09, D09, D09, D09, d09, d09
  • dv9, Dv9, Dv9, Dv9, dv9, dv9, dv9
  • di9, Di9, DI9, DI9, dI9, di9 , dI9
  • do9, Do9, DO9, DO9, dO9, do9, dO9
  • du9, Du9, DU9, DU9, dU9, du9, du9

Common character substitutions include:

A 4 B 8 E 3 g 9 T 7 V \ /
i 1 L 1 O 0 S 5 M / \ / \ W \ / \ /

Also, decent word lists will contain common (and not so common) misspellings. They will also contain keyboard patterns (asdf, qwerty) and common variations of any known pattern of characters that people tend to use.

Tip: don’t use words based on any kind of dictionary, even if you purposely misspell or manipulate the characters.