A dictionary attack is the most straightforward type of automated password attack. A password cracking tool goes through a list of words until it either finds the password or exhausts the list. The hope is that the list is large enough to contain the password. Since most users choose simple, easy-to-remember passwords, chances are excellent that many common passwords can be found in the list. Security researchers have spent years collecting and collating wordlists. Some online websites, under the guise of password strength testing, actually collect passwords from visitors to add to these lists.
There are practical limits to using a dictionary attack. You must first know the user name; some password crackers ship with lists of common user names, including administrator-type accounts, for this reason. Password lists can become unwieldy in size: a list of 1.5 billion words is roughly 15 GB uncompressed, which is more than a cracker that loads its whole list into memory can comfortably handle, so practical tools stream the list from disk. Most systems have policies that lock out a user after only a few wrong password attempts, which stops an online dictionary attack after a handful of guesses. There are several techniques you can use to bypass these limits. These include:
- Stealing a copy of the file or database that contains the user credentials, and attempting to crack the passwords offline.
- Inducing the system to "dump" its passwords (in hashed format) so that you can crack them offline.
- Capturing an authentication exchange on the network and feeding the captured hash or challenge-response material to the password cracker.
- Running the password cracker against a network service that does not have a lockout policy.
- Running the password cracker against a user account such as administrator or root that is exempt from a lockout policy.
Offline Password Attacks
Not all password attacks are conducted across the network. In an offline password attack the cracker never tries to log in to the target system. Instead, a copy of the file that holds user names and password hashes (such as /etc/shadow on Linux or the SAM database on Windows) is taken from the system, and the attacker runs the cracker on their own hardware against that copy. Because nothing touches the target's authentication service, lockout policies and login auditing do not apply; the only limits are the attacker's computing power and the cost of the hashing scheme (a salted, deliberately slow hash such as sha512crypt costs far more per guess than an unsalted NT hash). An alternative to copying the entire file is to get the system to display (dump) all of the credentials in their hashed form, take a copy of the dump, and feed it to the cracker. Note that the stored values are hashes, not encrypted passwords: they cannot be decrypted, only matched by hashing each candidate word and comparing the result.
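The offline dictionary attack described here, and the basic dictionary attack from the opening paragraph, as an added example (not code from the original page). It assumes a constructed credential dump in a hypothetical `user:$sha256$salt$digest` format and a short constructed wordlist; real dumps (/etc/shadow, SAM) use their own hashing schemes, and a real run would pass an open multi-gigabyte wordlist file to the cracker rather than the in-memory list used for illustration.

```python
"""Offline dictionary attack against a dumped credential file.

Added example, not code from the original page. The dump format
("user:$sha256$salt$hexdigest") and the sample entries below are constructed
for this example; real dumps (/etc/shadow, SAM) use their own hash schemes.
"""
import hashlib
from typing import Dict, Iterable, List

SCHEME = "sha256"  # hypothetical scheme tag used by the constructed dump format


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 as used by the constructed dump format (assumption for this example)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    """Build one dump line; used here only to construct the sample input."""
    return f"{user}:${SCHEME}${salt}${hash_password(salt, password)}"


# Constructed sample dump. carol's password is not in the wordlist and stays uncracked.
SAMPLE_DUMP = "\n".join([
    "# constructed dump: user:$sha256$salt$digest",
    make_entry("root", "x9Qz", "letmein"),
    make_entry("alice", "k2Lp", "Password1"),
    make_entry("bob", "n7Rt", "Password1"),
    make_entry("carol", "v4Wm", "T#9q!wLz8pRa"),
])

# Constructed wordlist, ordered the way a real list ranks common passwords.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "Password1", "letmein", "dragon"]


def parse_dump(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {salt: {digest: [users]}} so each candidate is hashed once per salt, not once per user."""
    by_salt: Dict[str, Dict[str, List[str]]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # shadow-style files carry more fields; only the first two matter here
        if len(fields) < 2:
            raise ValueError(f"malformed dump line: {line!r}")
        user, hash_field = fields[0], fields[1]
        parts = hash_field.split("$")  # "$sha256$salt$digest" -> ["", "sha256", salt, digest]
        if len(parts) != 4 or parts[1] != SCHEME:
            raise ValueError(f"unsupported hash field for {user}: {hash_field!r}")
        _, _, salt, digest = parts
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    return by_salt


def dictionary_attack(dump_lines: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Try every word against every uncracked hash; return {user: recovered password}.

    The wordlist is consumed lazily, so a multi-gigabyte file can be passed as an
    open file object instead of being loaded into memory.
    """
    by_salt = parse_dump(dump_lines)
    remaining = sum(len(digests) for digests in by_salt.values())
    cracked: Dict[str, str] = {}
    for raw in wordlist:
        word = raw.rstrip("\r\n")
        if not word:
            continue
        for salt, digests in by_salt.items():
            # One hash per (salt, word); matching is a dict lookup, not a compare per user.
            users = digests.pop(hash_password(salt, word), None)
            if users is None:
                continue
            for user in users:
                cracked[user] = word
            remaining -= 1
            if remaining == 0:  # every hash recovered; stop reading the list
                return cracked
    return cracked


if __name__ == "__main__":
    # Real use: dictionary_attack(open("dump.txt"), open("wordlist.txt", errors="ignore"))
    for user, password in dictionary_attack(SAMPLE_DUMP.splitlines(), SAMPLE_WORDLIST).items():
        print(f"{user}: {password}")
```

Two design points carry over to real tools: grouping targets by salt means the per-guess cost grows with the number of distinct salts rather than the number of users (which is exactly why per-user salts make large dumps expensive to crack), and streaming the wordlist keeps the attack usable with lists far larger than available memory.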