Questions tagged [dictionary]

A dictionary is a list of possible or common password that are used to crack passwords in a brute force attack. Such an attack is known as a dictionary attack.

81 questions
139
votes
9 answers

Where can I find good dictionaries for dictionary attacks?

I’m wondering where I can find good collections of dictionaries which can be used for dictionary attacks? I've found some through Google, but I’m interested in hearing about where you get your dictionaries from.
Chris Dale
  • 16,119
  • 10
  • 56
  • 97
40
votes
1 answer

How does the attacker know what algorithm and salt to use in a dictionary attack?

I am curious about password cracking methods like dictionary and brute force attacks. Nowadays passwords are stored as hashes and not plaintext on the server. Then how can the plaintext passwords in the dictionary be compared with the hashes in the…
andjava
  • 578
  • 1
  • 5
  • 7
36
votes
7 answers

Is it possible to improve brute-force guessing of a password with a picture of the keyboard used to enter it?

Is it a bad idea to post a photo of your keyboard to social media? Can I look at a photo of a keyboard and determine the password of an account? Assuming a certain (set of) password(s) is the most commonly typed character sequence on a given…
24
votes
7 answers

After a password leak, is there a Levenshtein distance from which one a newly derivated password can be considered safe?

After a password leak, is there a Levenshtein distance from which one a newly derivated password can be considered safe? I assume yes, given that if e.g. the word was "password", and the new one is "drowssap", the distance is 8 and we have a "new"…
kaiya
  • 422
  • 1
  • 3
  • 11
22
votes
5 answers

How to generate dictionary for a dictionary attack?

I need to crack my own password. Advantage is that I know possible characters and maximum length. What I need is to create a dictionary. The dictionary should contain all the combos of characters that I choose (for example I don't need word list…
RhymeGuy
  • 323
  • 1
  • 2
  • 5
20
votes
4 answers

Wordlists on Kali Linux?

I notice that in /usr/share/wordlists in Kali Linux (former Backtrack) there are some lists. Are they used to bruteforce something? Is there specific list for specific kind of attacks?
Stephenloky
  • 383
  • 1
  • 4
  • 16
18
votes
3 answers

What are the differences between dictionary attack and brute force attack?

Can someone explain the major differences between a Brute force attack and a Dictionary attack. Does the term rainbow table has any relation with these?
Anandu M Das
  • 1,981
  • 14
  • 31
  • 46
14
votes
6 answers

How can I generate custom brute-force dictionaries?

I have found during testing that companies often use variations of their names for critical passwords (for example Microsoft's password might be M1cr0s0f+ or m1cros0ft etc etc). So if I gave it the phrase "stack exchange' it would ideally compute as…
NULLZ
  • 11,426
  • 17
  • 77
  • 111
13
votes
5 answers

Defense against attacks using dictionaries

Some forms of attacks on passwords use dictionaries. It is safer to use nonsense passwords like YunSUanLin, Artibichoke, etc., which do not seem to pertain to any dictionary?
Albert
  • 131
  • 1
  • 4
11
votes
9 answers

Wifi penetration testing: Why aireplay-ng de-authentication does not work?

I am trying to pentest the security of the password of my wireless network. It is a WPA2 with pre-shared-keys. My current computer is connected to the wifi router and I try to de-auth my own machine. Steps 1) I created a monitoring interface: sudo…
Jon
  • 513
  • 1
  • 4
  • 11
9
votes
3 answers

Which is faster - brute-forcing, or using a dictionary attack that contains all possible permutations?

Assuming a 6-character password uses the mixalphanumeric charset, giving each character a character set of 62 and the entire password a keyspace of 62^6 = 46.6 billion (if my calculations are correct)... Would it be faster to brute-force the…
Hashim Aziz
  • 969
  • 8
  • 21
7
votes
4 answers

Password list generation

I've found during a lot of recent pen-tests that companies will use passwords like c0mp4ny@b( for a company called "company abc" Is there any quick and easy way to generate a list of passwords based on as many possible 'leet speak' letters? So the…
NULLZ
  • 11,426
  • 17
  • 77
  • 111
6
votes
2 answers

XKCD-like passphrases to stdout

I'm trying to find a way to crack XKCD-like passphrases (correcthorsebatterystaple) from word dictionaries. Basically concatenate X number of words from a dictionary file. Right now it honestly doesn't look like there is an easy way. After the XKCD…
6
votes
3 answers

Is applying AES multiple times safer?

The KeePass security help page talks about preventing dictionary attacks To generate the final 256-bit key that is used for the block cipher, KeePass first hashes the user's password using SHA-256, encrypts the result N times using the Advanced…
kutschkem
  • 666
  • 5
  • 11
6
votes
5 answers

Password guessing: Is it more effective to try many passwords against a few accounts or a few (very common) passwords against many accounts?

I was watching a security vid on Irongeek the other day (I immediately lost track of which specific vid, unfortunately) where the creator gave some interesting advice about doing live password guessing against a remote machine during a pen test. The…
mostlyinformed
  • 2,715
  • 16
  • 38
1
2 3 4 5 6