Legal disclaimer >>> The information on this site is intended to be used for legal and ethical purposes like research, education, journalism and educating the public. Our intention is to comply with any and all applicable laws. If you can provide legal advice, please let us know.

Contribute >>> Have new or missing information? See something wrong? Use the comment section at the bottom of all pages, email or Twitter.

Stay up to date >>> Follow us on Twitter.

How effective is a straight dictionary attack?

To crack hashed passwords effectively, you need a good toolbox. If you are using dictionary based attacks, you need a good dictionary. Usually it's a good idea to tailor your dictionary to the specific attack you are performing (an article on this topic might be coming). One of my stated goals is to analyze dictionaries and figure out what makes them good or bad. Hopefully, that will help in the effort to build even better dictionaries and dictionary strategies, that we all can put in our toolbox.

This article is a very small step towards that goal. I've taken five well-defined dictionaries and compared them against two relatively famous password leaks in an effort to start looking at what you can expect from a straight dictionary attack. (I expect to add on to this information in later efforts.)

Methodology and data

You can read more about the dictionaries and password leaks on this overview page, or by clicking an individual leak or dictionary below. Dictionaries and passwords were imported into a MySQL database, and SQL queries were used to generate the following data:

Leak Total passwords Unique passwords
RockYou 32603145 14344173 (44.00 %)
phpBB 255421 184389 (72.19 %)
Dictionary Dictionary size Total hits in RockYou Unique hits in RockYou Total hits in phpBB Unique hits in phpBB
Facebook firstnames 4347667 9038856 714583 78920 35329
Facebook lastnames 5369437 8787491 646361 80692 36214
John The Ripper 3546 4401593 3536 37613 3016
Cain & Abel 306706 5125588 54636 52829 12361
Wiktionary 2889865 3907754 132986 47640 16762
All of the above combined (duplicates removed) 11234297 10893424 953455 100710 42941

Each individual dictionary does not contain duplicates. Duplicates between the dictionaries were removed in the combined dictionary when generating it.

What percentage of user accounts can be cracked using a straight dictionary attack?

RockYou      phpBB

Combining all dictionaries into one gave the following results:

  • 10893424 total hits for RockYou (33.41 % of all passwords)
  • 100710 total hits for phpBB (39.43 % of all passwords)

What percentage of unique passwords can be cracked using a straight dictionary attack?

RockYou      phpBB

Combining all dictionaries into one gave the following results:

  • 953455 unqiue hits for RockYou (6.65 % of all unique passwords)
  • 42941 unique hits for phpBB (23.29 % of all unique passwords)

What percentage of dictionary words were helpful in cracking passwords?

These two charts show what percentage of words in each dictionary was found in the leaks.

RockYou      phpBB

The combined dictionary with duplicates removed had 11234297 words. That's a 8.48 % hitrate on RockYou, and a 0.38 % hitrate on phpBB.

Conclusions

I don't want to draw any conclusions from such a small sample size, but at a minimum we can see that it would have been possible possible to crack more than a third of the user accounts in both leaks using five easy-to-get dictionaries.

As a side note, it's pretty cool to see how the small John The Ripper dictionary really is effective in going after the low hanging fruit. Using only it's 3546 words we found 4401593 passwords in RockYou. That's 13.50 % of all the RockYou user accounts, and 1241 times the number of words in the dictionary.

It's certainly going to be fun to build on this information later with more dictionaries, more passwords, and to apply the dictionaries to other dictionary based attacks like rule attacks and hybrid attacks.

Print/export