Dictionary attack
A dictionary attack is form of lookup attack used to crack passwords even when the passwords have been obscured with a hash function. The attack is conducted by first obtaining the hashed passwords, then comparing them against the hashes in a dictionary (a table of popular passwords that have already been hashed using the same function). For example, in the table below, some commonly used passwords have been sent through an MD5 hash function. The result is a long string of hexadecimal values that cannot be reversed back to their original passwords. However, even though they can't be reversed, it's still possible to determine what they are by running your own hash and comparing the results.
Password | MD5 Hash |
---|---|
abc123 | E99A18C428CB38D5F260853678922E03 |
admin | 21232F297A57A5A743894A0E4A801FC3 |
god | A4757D7419FF3B48E92E90596F0E7548 |
password | 5F4DCC3B5AA765D61D8327DEB882CF99 |
password1 | 7C6A180B36896A0A8C02787EEAFB0E4C |
secret | 5EBE2294ECD0E0F08EAB7690D2A6EE69 |
Note that MD5 is not a cryptographically secure hash function and should never be used to store password.
Dictionary attacks are made more difficult to use if the hash function employs a salt value, but the if the salt value is discovered, the dictionary can be regenerated with the same salt.
Links
- en.wikipedia.org/wiki/Dictionary_attack - Wikipedia.