Dictionary attack and a Brute force attack?

Home » Computer Networking » Dictionary attack and a Brute force attack?
Computer Networking No Comments

What is the difference?

Other answer:


Bad guys build a hash database with all the possible passwords up to about 8 characters. They dump dictionaries into the algorithm and store those hashes as well. They can do many many dictionaries this way as a 4 TB hard drive is barely $100.

Here is an example if what they put in the database

Your Hash: 0ebc023809ed7599d47070f449fc90f1
Your String: Ardvark

That is the depreciated (don't use) MD5 algorithm. If some stolen hash is that, Ardvark will open it.

They also mine the web for other passwords and run that through the hash and put the answer in the database. Then when they get the password database from some site, it ONLY contains those hashes. The bad guys look that hash up in their database to find that Monkey123 or whatever is your password.

Brute Force

They start with all the one character passwords, then move on to two characters, trying every single possibility. If you choose a good, long password, it is essentially uncrackable as the hash is 128 bits and has more combination than anyone can compute.

To thwart a dictionary attack, users should not use a common words etc. Site owners should implement something called SALT. Add a string of gobbledygook to the end of a users password. This string needs to be unique for every user.

A dictionary attack is based on real words or phrases, possibly with the addition of some numbers. A WPA/WPA2 pass phrase can be made up of 8 to 63 characters. If you create a pass phrase of 63 characters purely from the upper and lower case letters, numbers and spaces, and do not necessarily use real words, then there are around 2.3*10^113 different pass phrases. This is obviously more than if phrases are made up only of real words.

However, if you extend this to all 95 normal printable characters (upper & lower case letters, numbers, punctuation, other symbols and spaces) then a 63 character pass phrase can have nearly 4*10^124.

If we take the 2.3*10^113 phrases above as the basis of the dictionary attack, and the full 4*10^124 as the basis of a brute force attack, then there are around 173 billion times as many possibilities for a 63 character brute force attack than there would be for a dictionary attack.

A pass phrase based on the full 95 character set and of lengths of 8 to 63 and not just the 63 characters I used in the examples above. If you pick a good pass phrase that uses punctuation and unreal words with mixtures of upper and lower case letters and other symbols. then a true dictionary attack will not find the exact pass phrase, and a brute force attack is the attack that is needed. As the brute force attack has many billion times more possibilities it will take many billion times longer to complete.

In comparison, a 5-character WEP password might have only a billion different possibilities.

A dictionary attack is much faster, but as it only uses a subset of the possibilities for the pass phrase, it might not find the correct phrase. A brute force attack takes a lot longer but will eventually find the correct phrase.

I hope this helps.

Dictionary attack is based on trying all the strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary (hence the phrase dictionary attack). In contrast to a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords, or simple variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are relatively easy to defeat, e.g. by choosing a password that is not a simple variant of a word found in any dictionary or listing of commonly used passwords.

Source: Wikipedia

One spams junk the other spams words.