Dictionary Attack

What is a Dictionary Attack?

A dictionary attack is a brute-force attack that aims to gain access to user accounts by using commonly used phrases or words from a dictionary to guess passwords. It is an inefficient method as far as hacking attacks go, but the dictionary attack succeeds because too many computer users choose easy-to-guess passwords, putting them at risk of such an attack.

Hackers may also use a dictionary attack in combination with another attack vector, likely one that disables or cracks the security functionality, such as automatic lockouts or traffic throttling when an attack appears to be underway.

Such attacks are common, and they are why application and website developers are imposing stricter rules on what types of passwords are allowed. Like other attacks, the goal is to steal personal information from the user.

Dictionary attacks are commonly used in high-value attacks on financial institutions and e-commerce sites, especially when payment information is stored. A password that uses words and phrases is far simpler to crack. There are only about a million English words and over 300 million possible combinations of six-letter passwords.

A dictionary attack doesn’t necessarily need to attempt to guess a user’s password. In more sophisticated attacks, the hacker may use a database of previously leaked passwords to make the attack more successful. As many as four in five computer users use the same password across multiple sites.

How a Dictionary Attack Works

Like the brute-force attack, the dictionary attack aims to break in by logging in with username and password combinations. It is inefficient only in terms of its overall success rate: automated scripts can run through the attempts in a matter of seconds.

A hacker will look for applications and websites that don’t lock a user out quickly for incorrect username and password combinations and don’t require other forms of authentication when signing in. Sites that allow simple passwords are especially vulnerable.

If the target website or application does not adequately monitor suspicious behavior like this, or has lax password rules, it runs a high risk of data disclosure resulting from a dictionary attack.

Leaked password databases have become a common feature of modern dictionary attacks. Attempting to log in with username and password combinations used multiple times elsewhere makes these dictionary attacks much more successful and potentially harder to detect on the application or website’s end.
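
The monitoring described above, as an added example that is not part of the original article: a small Python login monitor that applies the two controls the text says attackers look for the absence of, a per-account lockout after repeated failures and a per-source throttle when one address fails against many different accounts (the pattern a leaked-credential replay produces). The log lines, IP addresses, usernames and thresholds are all constructed for this example; a real deployment would feed it from the application's authentication log and tune the thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. Fields: timestamp ip username outcome
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 alice FAIL
2024-05-01T10:00:04 203.0.113.7 alice FAIL
2024-05-01T10:00:06 203.0.113.7 alice FAIL
2024-05-01T10:00:08 203.0.113.7 alice FAIL
2024-05-01T10:00:10 203.0.113.7 alice OK
2024-05-01T10:01:00 198.51.100.9 bob FAIL
2024-05-01T10:01:01 198.51.100.9 carol FAIL
2024-05-01T10:01:02 198.51.100.9 dave FAIL
2024-05-01T10:01:03 198.51.100.9 erin FAIL
2024-05-01T10:01:04 198.51.100.9 frank FAIL
2024-05-01T10:05:00 192.0.2.44 grace FAIL
2024-05-01T10:05:30 192.0.2.44 grace OK
"""


class LoginMonitor:
    """Tracks failed logins per account and per source IP inside a sliding window."""

    def __init__(self, max_failures=5, window_minutes=10, lockout_minutes=15, spray_threshold=4):
        self.max_failures = max_failures          # failures per account before lockout
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.spray_threshold = spray_threshold    # distinct accounts one IP may fail against
        self.failures = defaultdict(deque)        # user -> timestamps of recent failures
        self.locked_until = {}                    # user -> datetime the lockout expires
        self.ip_targets = defaultdict(dict)       # ip -> {user: time of last failure}

    def _prune(self, now):
        """Drop failures that fell out of the sliding window."""
        cutoff = now - self.window
        for queue in self.failures.values():
            while queue and queue[0] < cutoff:
                queue.popleft()
        for targets in self.ip_targets.values():
            for user in [u for u, t in targets.items() if t < cutoff]:
                del targets[user]

    def check(self, now, ip, user, outcome):
        """Decide one attempt: 'locked', 'throttle', 'fail' or 'allow'."""
        self._prune(now)
        # 1. A locked account rejects every attempt, even one with the right password.
        if now < self.locked_until.get(user, now):
            return "locked"
        if outcome == "FAIL":
            self.failures[user].append(now)
            self.ip_targets[ip][user] = now
            if len(self.failures[user]) >= self.max_failures:
                self.locked_until[user] = now + self.lockout
                self.failures[user].clear()
                return "locked"
        # 2. One source failing against many accounts looks like replay of a leaked list;
        #    force step-up authentication or slow the source regardless of this outcome.
        if len(self.ip_targets[ip]) >= self.spray_threshold:
            return "throttle"
        return "fail" if outcome == "FAIL" else "allow"


def analyze(log_text, monitor=None):
    """Run every log line through the monitor and summarise what it flagged."""
    monitor = monitor or LoginMonitor()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        decisions.append((user, ip, monitor.check(datetime.fromisoformat(ts), ip, user, outcome)))
    return {
        "decisions": decisions,
        "locked_accounts": {u for u, _, d in decisions if d == "locked"},
        "suspicious_ips": {ip for _, ip, d in decisions if d == "throttle"},
    }


if __name__ == "__main__":
    for user, ip, decision in analyze(SAMPLE_LOG)["decisions"]:
        print(f"{ip:14} {user:6} {decision}")
```

Two design points worth noting: the lockout check runs before the credential result is consulted, so a correct password submitted while the account is locked (alice's sixth attempt) is still rejected, and the per-IP rule keys on how many different accounts one address has failed against, which is what distinguishes a leaked-list replay from one user mistyping their own password.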

Examples of Dictionary Attacks

Some common real-world examples of these types of attacks are:

  • A website fails to ensure that its password length and complexity requirements are secure enough. As a result, some users select extremely easy-to-guess passwords, like “abc123” or “987654,” which are among the first passwords tried in a dictionary attack. In any attack, these accounts will be the first to be compromised.
  • A hacker figures out a way to disable lockouts triggered by too many incorrect username and password attempts. With that control gone, the hacker can take their time using a random password generator to guess other username and password combinations on the site.

How to Protect Against a Dictionary Attack

Protecting yourself from dictionary attacks is relatively straightforward if you follow these guidelines:

  • Eliminate passwords: The ONLY way to ensure the prevention of credential-based attacks is through eliminating passwords. Learn more about passwordless authentication today and keep your most critical applications secure.
  • Use a random password generator: Browsers such as Chrome or Safari can automatically generate passwords for you. These use random letters, numbers and select special characters to create extremely hard-to-crack passwords.
  • Stay away from words and easy-to-guess number combinations: Keep simple words out of your passwords, as well as sequential numbers and characters (e.g., abc, 123). Dictionary attacks are specifically designed to crack these types of passwords.
  • Use biometric identification if possible: Biometric identification is an easy way to make your accounts more secure. While not that common on websites, many mobile applications use the biometric security features of your device to let you log in with your face or a fingerprint.
  • Change your passwords frequently: Most security experts recommend that you get in the habit of changing your passwords every three to six months, if possible. Some websites and applications will also force you to change your password after a set period, often once a year.
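
As an added example that is not part of the original article, here is a Python password-policy check of the kind a site can apply at registration to enforce the second and third guidelines above: it rejects entries that appear on a common-password list, that contain a dictionary word (including after undoing substitutions such as 0 for o or 4 for a), or that contain sequential or repeated runs like abc, 123 or 321. The word lists, the 12-character minimum and the test passwords are all constructed for the example; the article itself names no specific minimum length, and a real deployment would load a full dictionary and a large leaked-password corpus instead of the handful of entries embedded here.

```python
# Constructed toy lists; a real deployment loads a full dictionary and a large
# leaked-password corpus (hundreds of millions of entries) from disk or a service.
COMMON_PASSWORDS = {"password", "abc123", "987654", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "welcome", "football", "admin"}
MIN_LENGTH = 12  # assumed policy value for this example; the article states no minimum

# Substitutions that attack wordlists already include, so undo them before matching.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case the password and reverse common letter-for-symbol substitutions."""
    return password.lower().translate(LEET)


def has_run(s: str, run: int = 3) -> bool:
    """True if s contains `run` alphanumerics that ascend, descend or repeat (abc, 321, aaa)."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    reasons = []
    lowered = password.lower()
    normalized = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        reasons.append("on common/leaked password list")
    if any(word in lowered or word in normalized for word in DICTIONARY_WORDS):
        reasons.append("contains dictionary word")
    if has_run(lowered):
        reasons.append("contains sequential or repeated characters")
    return reasons


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed test inputs: two entries from the article, a leet-speak dictionary word,
    # and a string of the kind a browser's random password generator produces.
    for candidate in ["abc123", "987654", "Dr4g0n-Rider!", "x7Q!mv2Lp#9zRt"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Matching against the normalized form is what catches "Dr4g0n-Rider!", which a naive word lookup would pass; the random-generator string is the only one of the four candidates accepted. In production the common-password lookup is better served by a breach corpus such as the Have I Been Pwned Pwned Passwords service, and a strength estimator such as zxcvbn covers more patterns than the three checks shown here.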

Dictionary attacks are easy to prevent by eliminating the use of passwords altogether.