To authenticate to a website, you provide a username and password.
If the details match, access is granted.
If the details don't match, access is denied.
Unfortunately, data breaches are a relatively common occurrence.
It's as if they were handed a keyring with the key to every door in an apartment building.
A hash function is a one-way function that always converts the same input into the same output.
Even a minor change in input, however, produces an entirely different output.
If it does, you know the password matched, without ever knowing the actual password.
To be able to use these hashes, they need to be cracked, because there's no way to reverse the hash function and turn the hash back into the password.
The only way to crack a hash is to guess the password.
One method is to use a brute force attack.
This literally involves trying every possible password.
That means starting from a single character, trying every letter, in both cases, and every number and symbol.
Then the attacker needs to try all two-character combinations, three-character combinations, and so on.
The number of possible combinations grows exponentially each time you add a character.
The problem with brute force attacks is that they're not very smart.
A dictionary attack is a variant that is much more targeted.
Instead of just trying any possible password, it tries a list of specified passwords.
Making educated guesses
Password dictionaries are typically built from passwords cracked in previous data breaches.
These dictionaries can contain thousands or millions of entries.
This builds on the concept that people are bad at creating unique passwords.
Evidence from data breaches does show this to be the case too, unfortunately.
People still use variations on the word password.
This last one specifically tends to happen when people are forced to regularly change their passwords.
The approach proves successful as well.
Success rates can be raised even further with word mangling algorithms.
These algorithms take each word in the password dictionary and then modify it a bit.
These modifications tend to be standard character replacements and adding trailing numbers or symbols.
Word mangling algorithms create duplicates of each entry in the password dictionary.
Each duplicate has a different variation of these character replacements.
Conclusion
A dictionary attack is a targeted variation of a brute force attack.
Rather than attempting all possible character combinations, a subset of character combinations is tested.
A dictionary attack doesn't have as high a success rate as a brute force attack.
That, however, assumes you have unlimited time and processing power.
A dictionary attack tends to get a decently high success rate much faster than a brute force attack can.
This is because it doesn't waste time on extremely unlikely combinations of characters.
One way to do that is to make a complex password, another is to make a long password.
Generally, the best option is to make a long password made up of a few words.
It's just important that those words don't form an actual phrase, as that might be guessed.
They should be completely unrelated.
It's recommended that you choose a password of more than 10 characters, with 8 as the absolute bare minimum.
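A defensive use of the word-mangling idea described above, added here as an example that is not part of the original article: a password-acceptance check that undoes the common mangling steps (case changes, character substitutions, trailing numbers or symbols) and rejects any candidate that reduces to a word from a breach dictionary, while also applying the length guidance from the conclusion. The breach dictionary and the substitution table are constructed for the example, not taken from a real word list.

```python
import re

# Constructed sample of previously breached passwords (hypothetical data);
# a real dictionary would hold thousands or millions of entries.
BREACHED_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

# Character substitutions that word-mangling rules commonly apply; the
# checker reverses them so "p@ssw0rd" maps back to "password".
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits/symbols that mangling rules append to a dictionary word.
TRAILING = re.compile(r"[0-9!@#$%^&*._\-]+$")

MIN_LENGTH = 8           # absolute minimum stated in the article
RECOMMENDED_LENGTH = 10  # "over 10 characters" recommended in the article


def candidate_roots(password: str) -> set[str]:
    """Undo the common mangling steps (lowercase, strip trailing
    digits/symbols, reverse substitutions) and return every plausible
    dictionary word the password could have been derived from."""
    lowered = password.lower()
    stripped = TRAILING.sub("", lowered)
    roots = set()
    for form in (lowered, stripped):
        roots.add(form)
        roots.add(form.translate(UNLEET))
    return roots


def check_password(password: str, dictionary=BREACHED_WORDS) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects passwords below the minimum length
    and passwords that a dictionary attack with mangling would recover."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hits = candidate_roots(password) & dictionary
    if hits:
        return False, f"mangled form of breached word: {sorted(hits)[0]}"
    if len(password) <= RECOMMENDED_LENGTH:
        return True, f"accepted, but more than {RECOMMENDED_LENGTH} characters is recommended"
    return True, "accepted"
```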