What is a dictionary attack?
A dictionary attack is a method of breaking into a password-protected computer, network or other IT resource by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.
Dictionary attacks work because many computer users and businesses insist on using ordinary words as passwords. These attacks are usually unsuccessful against systems using multiple-word passwords and are also often unsuccessful against passwords made up of uppercase and lowercase letters and numbers in random combinations.
In systems with strong password requirements, the brute-force method of attack, in which every possible combination of characters and spaces is tested up to a certain maximum length, can sometimes be effective. However, a brute-force attack can take a long time to produce results.
Strong, randomized passwords cannot be easily predicted, and they are highly unlikely to be included in the predetermined password library. Because a dictionary attack's guess attempts are limited to a preselected list, it is essentially impossible to crack nonpredictable passwords.
How do dictionary attacks work?
A dictionary attack uses a preselected library of words and phrases to guess possible passwords. It operates under the assumption that users tend to pull from a basic list of passwords, such as "password," "123abc" and "123456."
These lists include predictable patterns that can vary by region. For example, hackers looking to launch a dictionary attack on a New York-based group of targets might look to test phrases like "knicksfan2020" or "newyorkknicks1234." Attackers incorporate words related to sports teams, monuments, cities, addresses and other regionally specific items when building their attack library dictionaries.
These lists aren't as extensive as those of other brute-force attacks, but they can become quite large. Processing and testing all these passwords manually is not a practical approach. Therefore, additional technology is typically required to speed up the process. Attackers use supporting programs, such as password dictionaries or other brute-force attack tools.
How dictionary attacks are conducted depends on whether the account, network or device the attacker is logging into is online or offline. In an online attack, the attacker must be mindful of the number of attempts they can use to guess the correct password. Past a certain number of tries, a site administrator, account manager, user or intrusion detection system may detect the attack, or a password attempt limit may come into play. If any of those scenarios happen, the system can lock the attacker out.
Dictionary attacks with a shorter prioritized list of likely passwords can be more successful. Sophisticated hackers may also be able to disable the detection features or password attempt limits.
For offline attacks, a hacker has few restrictions when it comes to the number of passwords they can try. However, executing an offline attack requires access to the password storage file from the system. Only then can a dictionary attack be launched in an offline setting.
Find out more about passwordless authentication methods
Brute-force attack vs. dictionary attack
The main difference between a brute-force attack and a dictionary attack is the number of password permutations that are attempted.
A brute-force attack will typically use a systematic approach to try all possible passwords. This can take a significant amount of time to complete.
A five-digit combination lock provides a familiar, nontech example of the difference. Using a brute-force approach, an attacker would attempt every possible permutation available for the five-digit lock. A five-digit lock with individual values from zero to nine has exactly 100,000 possible permutations.
A dictionary attack will use a list of likely passwords in its attempts to break into system. These attacks are more focused than brute-force attacks. Rather than trying to input every possible permutation, an attacker using a dictionary approach would attempt all the permutations in its predetermined library.
Sequential passcodes, like "12345," and static passcodes, like "00000," would be tested. If the five-digit permutation is particularly unique, the dictionary attack likely would not guess it. Like phishing attacks, dictionary attacks assume that a reasonable percentage of the users or accounts they target will be vulnerable and will have an easily identifiable five-digit passcode.
How to protect yourself against a dictionary attack
Vulnerability to password or decryption key assaults can be reduced to near-zero by limiting the number of attempts allowed within a given period and by wisely choosing passwords or keys. An approach that will render a system immune to dictionary attacks and practically immune to brute-force attacks requires the following three conditions:
- allows only three password attempts;
- requires a period of 15 minutes to elapse before the next three attempts are allowed; and
- the password or key is a long, meaningless jumble of letters, numerals and special symbols.
Email spammers often use a form of dictionary attack. A message is sent to email addresses consisting of words or names, followed by the @ symbol and the name of a particular domain. Long lists of given names, such as Frank, George, Judith or Donna, or individual letters of the alphabet followed by surnames, such as csmith, jwilson or pthomas, in combination with a domain name, are usually successful.
How effective is a dictionary attack?
How successful a dictionary attack is depends on how strong the passwords are for the individuals a hacker is targeting. Because weak passwords are still common, attackers continue to have success with these attacks. Individual users, however, aren't the only ones who are subject to weak password security.
The massive SolarWinds data breach was executed using a dictionary attack. Russian-backed hackers were able to log in to SolarWinds' update server by correctly guessing the administrator password, "solarwinds123," and then planting a backdoor that was activated when SolarWinds customers updated their software.
As long as passwords remain simple and predictable, dictionary attacks will be effective. NordPass ranked the top 200 passwords in order of popularity for 2020. The highest-ranked password, with 2,543,285 occurrences, was "123456." Other high-ranking passwords in the top 10 included "picture1" and "password." Lists like this that are published or leaked are incorporated into the password libraries that dictionary attackers use.
Learn more about the latest thinking on password length and security.