December 04, 2001, 12:00 AM — Password attack is a generic term used to describe various activities
attempting to crack, alter, delete, or tamper with a system's password
database in order to break into it or jeopardize its security. A
dictionary attack, however, is a special type of password attack. It
attempts to "reverse engineer" users passwords on a given machine.
How does a dictionary attack actually work?
Linux uses the DES algorithm, which is not invincible, to encrypt
users' passwords. As Linux requires relatively short passwords, users
often choose passwords that are easy to guess. A dictionary attack
takes advantage of these factors in order to crack passwords.
Attackers use a dictionary, or a list of words, and encrypt them using
the DES algorithm. A typical word list might contain the entire Webster
dictionary or similar corpuses of nouns, adjectives, and proper names.
Sophisticated software tools, such as Crack, manipulate the words in a
dictionary by reversing and chopping them, affixing numbers to their
ends, changing letters' case, etc.... Crack can transform each word
into no less than 4096 distinct strings! After generating all the
permutations, the password-cracking tool encrypts them using the DES
algorithm and compares the result with the list of encrypted passwords
located at /etc/passwd on the target host. Using a fast machine and
clever password-cracking tools, cracking a password takes a matter of
How can you protect your system from such dictionary attacks?
As always, avoid passwords that are too easy to guess. Several
utilities enable a system administrator to enforce strict password
policies by disabling short passwords or disabling nouns and proper
names altogether. A password that consists of a combination of random
letters, special characters, and numbers is less susceptible to
dictionary attacks. Remember to also change passwords frequently.
Finally, use additional user authentication means and protection
measures such as disabling inactive accounts, intrusion detection
utilities, and restricted authorizations.