Industry guru Dave Taylor offers free tech support on a wide variety of technical and business topics, including HTML, online advertising, Cascading Style Sheets, Web design, management, Unix, Linux, search engine optimization, online dating, Mac OS X, shell script programming and Microsoft Windows.

What's a dictionary attack?

Dave, our IT people just sent out a note warning about "dictionary attacks" on our server, but I really have no idea what a dictionary attack is. Can you enlighten me?

Dave's Answer:

The first time I heard this phrase, I have to admit that I had visions of mad academics chasing after innocent people, hurling weighty tomes and yelling obscure and polysyllabic imprecations, but it turns out that a dictionary attack is much more plebeian and mundane.

There are really two different kinds of dictionary attacks that I know of, actually, so let's start with the simpler: hackers know well that most people do a terrible job of picking passwords, so if they can figure out what account names to try, they can use a program to automatically try thousands of different possible passwords to break into accounts remotely.

For example, if you were to look at my email and determine that my account name is taylor and that my server was intuitive.com, then you could ostensibly feed a dictionary of common names, for example, to try and log in to my server, from Aaron to Zebediah, hoping that I have a simple password.

That's a login dictionary attack.

The other, perhaps more common dictionary attack, is one that spammers use: if you know that my mail server is intuitive.com and that email addresses are simply something at that domain name, then one brute force way to figure out what email addresses are valid on my server is to send a message to every possible address and see which ones bounce.

That's an email dictionary attack.

Anyway, when your IT people are talking about dictionary attacks, you should read that as a reminder to make sure you have good, complex passwords and that you should not have a mail system with "catch all" addresses, where any mail sent to an unknown destination get automatically delivered.



Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon    
Categorized: Computer and Internet Basics   (Article 4044)
Tagged:
Previous: What's business ERP?
Next: Can't add signature to Apple Mail.app in Mac OS X Tiger?

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

Dave,

I just received this message from Apple Engineering:

"However we can see that the customer is under a dictionary attack. This needs to be addressed post haste. This can cause issues with Directory Services."

How, exactly, might one go about addressing dictionary attacks? We're seeing brute force authentication attempts from all over, typically from Asia and Europe. I don't know what some Korean or French guy thinks he's going to do with anything he might find. Since I have to have certain services available for my remote users, such as email, file sharing and a database server, how can I lock these guys out?


Thanks,
Patrick

Posted by: Patrick at July 31, 2008 9:05 AM

I have a lot to say, but ...
Starbucks coffee cup I have a lot to say, and questions of my own for that matter, but most of all I'd like to say thank you for all your efforts on this Web site by buying you a chai!

I do have a comment, now that you mention it!









Remember personal info?


Please note that I will never send you any unsolicited commercial email. Ever.

While I'm at it, please note that by submitting a question or comment you're agreeing to my terms of service, which are: you relinquish any subsequent rights of ownership to your material by submitting it on this site.









Uniblue: Free Virus Scan

Search
Find just the answers you seek from among our 2000+ free tech support articles by using our Lijit search engine.


Help!
Ask Dave for Help!




Link To Dave!
• Buy Dave a Cuppa •
Media Queries

Subscribe to
Ask Dave Taylor!

Add to Google Reader
Add to My Yahoo!
Subscribe in NewsGator Online

RDF   XML

Free Updates!
Sign up and get free weekly updates and special offers on books, seminars, workshops and more.

Complete Archives

Recent Entries
Join the List!
Join my author info mailing list, where you'll learn about my upcoming books, speaking gigs, and more!


Book Links
CIG Growing Your Business with Google
Creating Cool Web Sites
Wicked Cool Shell Scripts
Learning Unix for Mac OS X Panther
Solaris 9 for Dummies
Teach Yourself Unix System Administration in 24 Hours
Teach Yourself Unix in 24 Hours
Creating Cool HTML 4 Web Pages
Dynamic HTML Weekend Crash Course
film blog - social media / blogging speaking - business blog - Colorado photography - free tech support
© 2002 - 2009 by Dave Taylor. All Rights Reserved.

Note: This web site is for the purpose of disseminating information for educational purposes, free of charge, for the benefit of all visitors. We take great care to provide quality information. However, we do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site.

[whiteboard marker tray]
"Ask Dave Taylor®" is a registered trademark of Intuitive Systems, LLC.