How effective is a straight dictionary attack?
To crack hashed passwords effectively, you need a good toolbox. If you are using dictionary-based attacks, you need a good dictionary. Usually it's a good idea to tailor your dictionary to the specific attack you are performing (an article on this topic might be coming). One of my stated goals is to analyze dictionaries and figure out what makes them good or bad. Hopefully, that will help in the effort to build even better dictionaries and dictionary strategies that we can all put in our toolbox.
This article is a very small step towards that goal. I've taken five well-defined dictionaries and compared them against two relatively famous password leaks in an effort to start looking at what you can expect from a straight dictionary attack. (I expect to add on to this information in later efforts.)
Methodology and data
You can read more about the dictionaries and password leaks on this overview page, or by clicking an individual leak or dictionary below. Dictionaries and passwords were imported into a MySQL database, and SQL queries were used to generate the following data:
| Dictionary | Dictionary size | Total hits in RockYou | Unique hits in RockYou | Total hits in phpBB | Unique hits in phpBB |
|---|---|---|---|---|---|
| Facebook firstnames | 4347667 | 9038856 | 714583 | 78920 | 35329 |
| Facebook lastnames | 5369437 | 8787491 | 646361 | 80692 | 36214 |
| John The Ripper | 3546 | 4401593 | 3536 | 37613 | 3016 |
| Cain & Abel | 306706 | 5125588 | 54636 | 52829 | 12361 |
| Wiktionary | 2889865 | 3907754 | 132986 | 47640 | 16762 |
| All of the above combined (duplicates removed) | 11234297 | 10893424 | 953455 | 100710 | 42941 |
No individual dictionary contains duplicates. Words that appear in more than one dictionary were deduplicated when the combined dictionary was generated.
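The columns in the table above come down to a join between a leak table and a dictionary table. The sketch below is an added example, not the queries used for this article: the schema and names are hypothetical, the sample rows are constructed, and SQLite driven from Python stands in for MySQL so that it runs offline.

```python
import sqlite3

# Constructed sample data (not taken from the leaks or dictionaries on this page).
# Each leak row is (password, number of accounts using it).
LEAK = [("123456", 5), ("password", 3), ("Password", 1), ("dragon", 2),
        ("qwerty12", 1), ("x9$Lk2", 1)]
WORDS = ["123456", "password", "dragon", "monkey", "letmein"]


def coverage(leak, words):
    """Return total hits, unique hits and the three percentages for one dictionary."""
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: one row per distinct password with its account count,
    # one row per dictionary word (PRIMARY KEY enforces "no duplicates").
    db.execute("CREATE TABLE leak (password TEXT PRIMARY KEY, accounts INTEGER NOT NULL)")
    db.execute("CREATE TABLE dict (word TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO leak VALUES (?, ?)", leak)
    db.executemany("INSERT OR IGNORE INTO dict VALUES (?)", [(w,) for w in words])
    # Exact, case-sensitive match (SQLite's default). MySQL's default collations
    # are case-insensitive, so there the join needs a binary comparison to avoid
    # counting "Password" as a hit for "password".
    total_hits, unique_hits = db.execute(
        "SELECT COALESCE(SUM(l.accounts), 0), COUNT(*) "
        "FROM leak l JOIN dict d ON d.word = l.password").fetchone()
    accounts, uniques = db.execute(
        "SELECT SUM(accounts), COUNT(*) FROM leak").fetchone()
    dict_size = db.execute("SELECT COUNT(*) FROM dict").fetchone()[0]
    db.close()
    return {
        "total_hits": total_hits,      # accounts whose password is in the dictionary
        "unique_hits": unique_hits,    # distinct passwords found in the dictionary
        "pct_accounts": round(100 * total_hits / accounts, 2),
        "pct_unique": round(100 * unique_hits / uniques, 2),
        "pct_dict_used": round(100 * unique_hits / dict_size, 2) if dict_size else 0.0,
    }


if __name__ == "__main__":
    for name, value in coverage(LEAK, WORDS).items():
        print(f"{name}: {value}")
```

The same three ratios are what the later sections report: share of accounts, share of unique passwords, and share of dictionary words that matched anything.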
What percentage of user accounts can be cracked using a straight dictionary attack?
[Charts: RockYou, phpBB]
Combining all dictionaries into one gave the following results:
- 10893424 total hits for RockYou (33.41 % of all passwords)
- 100710 total hits for phpBB (39.43 % of all passwords)
What percentage of unique passwords can be cracked using a straight dictionary attack?
[Charts: RockYou, phpBB]
Combining all dictionaries into one gave the following results:
- 953455 unique hits for RockYou (6.65 % of all unique passwords)
- 42941 unique hits for phpBB (23.29 % of all unique passwords)
What percentage of dictionary words were helpful in cracking passwords?
These two charts show what percentage of words in each dictionary was found in the leaks.
[Charts: RockYou, phpBB]
The combined dictionary with duplicates removed had 11234297 words. That's an 8.48 % hit rate on RockYou, and a 0.38 % hit rate on phpBB.
Conclusions
I don't want to draw any conclusions from such a small sample size, but at a minimum we can see that it would have been possible to crack more than a third of the user accounts in both leaks using five easy-to-get dictionaries.
As a side note, it's pretty cool to see how effective the small John The Ripper dictionary really is at going after the low-hanging fruit. Using only its 3546 words we found 4401593 passwords in RockYou. That's 13.50 % of all the RockYou user accounts, and 1241 times the number of words in the dictionary.
It's certainly going to be fun to build on this information later with more dictionaries, more passwords, and to apply the dictionaries to other dictionary-based attacks like rule attacks and hybrid attacks.