Dictionary Attack


What is a Dictionary Attack?

A dictionary attack is a form of brute-force attack used to defeat password-based authentication on a computer, device, or server, or to recover the password behind a stolen password hash or a password-protected file. Rather than trying every possible string, it systematically tries each entry of a prepared list (the "dictionary") and variations of those entries until one is accepted by the login mechanism or matches the stolen hash.


Attackers build these lists from commonly used passwords, popular pet names, phrases, number combinations, fictional characters, or words from an ordinary dictionary, which gives the attack its name. Once an attacker has recovered a user's password, they can access that user's files, social media, online banking and, wherever the password was reused, other accounts.


Key Takeaways

  • Attackers try to recover a user's password by running through a list of likely candidates until one is accepted by a login form or matches a stolen password hash.
  • Automated tools and GPUs can test millions of candidates per second against stolen hashes; online guessing against a live login form is far slower and much easier to detect.
  • Dictionary attacks often succeed because users choose weak, predictable passwords.
  • Consequences include data breaches, financial loss, locked accounts, and reputational damage.
  • Companies such as LinkedIn and Nvidia have had credentials recovered by dictionary attacks.

How a Dictionary Attack Works

The most common way to authenticate a user in a computer system is a password. It is also the weakest form of authentication in common use, because users frequently choose ordinary words or predictable variations of them.

Attackers such as credential thieves and spammers exploit this weakness with a dictionary attack: instead of trying every possible string, they try each entry of a prepared list of likely passwords against the system until one is accepted.

Dictionary attacks are often successful because many users and businesses use ordinary words as passwords. These ordinary words are easily found in a dictionary, such as an English dictionary.

Many people use pet names, sports teams, athletes, pop-culture characters, and so on to create passwords that are easy to remember. Some even use basic passwords such as “password” or “123456”.


A dictionary attack can be performed online or offline. In an online attack, an automated tool submits words from the list to the login form of a live system, account, or service; each guess costs a network round trip, the server can throttle or lock the account, and the longer the attack runs, the more likely it is to be noticed. In an offline attack, the attacker already holds a copy of the password hashes (for example from a breached database) or an encrypted file and can test candidates locally with no limit on speed: a cracking tool running on graphics processing units (GPUs) can test millions to billions of candidates per second against a fast, unsalted hash such as MD5 or SHA-1, while a deliberately slow, salted password hash such as bcrypt, scrypt, Argon2 or PBKDF2 cuts that rate by orders of magnitude. In both cases the attack is more effective the better the list matches how people actually choose passwords.

Dictionary attacks work on the assumption that one of the entries on the list, or a simple variation of it produced by mangling rules (capitalising the first letter, appending a year or "!", swapping letters for similar-looking digits), is the password. When attackers target a particular user or organization, they use a tailored word list built from names, dates, product names and other terms associated with the target.
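The offline case described above, as an added example that is not code from the original page: a small rule-based dictionary attack run against unsalted SHA-1 hashes (the way leaked LinkedIn hashes were cracked) and then against one salted PBKDF2 record, to show why the storage format, not just the wordlist, decides how fast the attack runs. The wordlist, the target passwords and the reduced iteration count are all constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a leaked-password wordlist such as rockyou.txt (assumption).
WORDLIST = ["password", "123456", "letmein", "summer", "dragon", "qwerty", "welcome"]


def mangle(word):
    """Yield variants of a base word the way cracking-tool rules do:
    case changes, leet substitutions and common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add(b.replace("a", "@").replace("e", "3").replace("o", "0"))
    seen = set()
    for b in sorted(bases):
        for suffix in ("", "1", "123", "!", "2023", "2023!", "2024"):
            cand = b + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted_sha1(target_hashes, wordlist):
    """Offline dictionary attack against unsalted SHA-1 hashes.
    With no salt, each candidate is hashed once and compared with every target,
    so the cost grows with the wordlist, not with the number of stolen hashes."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            digest = sha1_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found, guesses
    return found, guesses


# Reduced for the demo; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
DEMO_ITERATIONS = 20_000


def pbkdf2_store(password, salt=None, iterations=DEMO_ITERATIONS):
    """Store a password as (salt, iterations, derived key) with one random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def crack_pbkdf2(record, wordlist):
    """Same wordlist and rules against one salted PBKDF2 record. The salt forces a
    fresh derivation per (candidate, user) pair, and each one costs `iterations` hashes."""
    salt, iterations, dk = record
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == dk:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed targets: two weak passwords the rules reach, one random one they never will.
    targets = [sha1_hex(p) for p in ("Summer2023!", "Dr@g0n123", "xq7!Lm#29Rvt")]
    found, n = crack_unsalted_sha1(targets, WORDLIST)
    print(f"SHA-1: cracked {len(found)} of {len(targets)} after {n} guesses: {sorted(found.values())}")
    pw, n = crack_pbkdf2(pbkdf2_store("Summer2023!"), WORDLIST)
    print(f"PBKDF2: {pw!r} after {n} guesses, each costing {DEMO_ITERATIONS} hash iterations")
```

The SHA-1 run finishes in milliseconds because every guess is one cheap hash shared across all targets; the PBKDF2 run recovers the same password but pays the full iteration count per guess per user, which is the whole point of a slow salted hash.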

How to Avoid a Password Dictionary Attack

Two server-side countermeasures against online dictionary attacks are:

Delayed response
Making the server wait before answering a failed login, ideally with a delay that grows with each consecutive failure, limits how many passwords an attacker can test in a given period.
Account locking
Temporarily locking an account after several unsuccessful attempts (for example, after five failures within a few minutes) stops an attacker from testing many passwords against it. The lockout should be time-limited and monitored, because an attacker who knows valid usernames can deliberately trigger it to lock legitimate users out.

Neither countermeasure helps against an offline attack on stolen hashes; there the defence is storing passwords with a salted, deliberately slow hash. Dictionary attacks are also ineffective against passwords that appear on no list and cannot be produced from a list entry by simple rules: long random strings of mixed-case letters, digits and symbols, or multi-word passphrases made from randomly chosen words rather than a familiar phrase.

Antivirus software on a user's machine does not see login attempts against a server. Repeated failed logins are detected on the server side, by the authentication service or a monitoring system that alerts on many failures against one account (a dictionary attack) or a few failures against many accounts from one source (password spraying). Services can also check a newly chosen password against lists of known breached passwords and reject those most likely to be on an attacker's list.
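The two countermeasures and the server-side detection described above, as an added example that is not code from the original page: a per-account throttle with a growing delay and a time-limited lockout, plus a scan over a constructed authentication log that separates a dictionary attack on one account from password spraying across many. The policy values (five failures, 15-minute window and lockout), the log format and the log lines are all assumptions made for the demonstration.

```python
import hmac
import re
from collections import defaultdict

# Assumed policy: five failures in 15 minutes locks the account for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60
MAX_DELAY_SECONDS = 60


class LoginThrottle:
    """Server-side throttle: a delay that doubles with each recent failure, then a
    temporary lockout. Time is passed in (`now`, seconds) so behaviour is deterministic.
    Stored passwords are plain text here only to keep the example short; a real
    system verifies against a salted slow hash."""

    def __init__(self, credentials):
        self._creds = credentials
        self._failures = defaultdict(list)   # user -> timestamps of recent failures
        self._locked_until = {}

    def _recent_failures(self, user, now):
        recent = [t for t in self._failures[user] if now - t < WINDOW_SECONDS]
        self._failures[user] = recent
        return recent

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'too_fast' or 'locked'. A real login endpoint maps
        the three failure results to one generic message so nothing is leaked."""
        if self._locked_until.get(user, 0) > now:
            return "locked"
        recent = self._recent_failures(user, now)
        delay = min(2 ** len(recent) - 1, MAX_DELAY_SECONDS)   # 0, 1, 3, 7, 15, 31, 60 ...
        if recent and now - recent[-1] < delay:
            return "too_fast"           # rejected before the password is even checked
        stored = self._creds.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[user].clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


# Constructed sample auth log (not from any real system): "<epoch> <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
1000 FAIL user=alice src=203.0.113.7
1001 FAIL user=alice src=203.0.113.7
1002 FAIL user=alice src=203.0.113.7
1003 FAIL user=alice src=203.0.113.7
1004 FAIL user=alice src=203.0.113.7
1005 FAIL user=alice src=203.0.113.7
1006 FAIL user=bob src=198.51.100.9
1007 OK user=bob src=198.51.100.9
1010 FAIL user=alice src=192.0.2.5
1011 FAIL user=bob src=192.0.2.5
1012 FAIL user=carol src=192.0.2.5
1013 FAIL user=dave src=192.0.2.5
1014 FAIL user=erin src=192.0.2.5
"""
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def suspicious_sources(log_text, threshold=5):
    """Sources with at least `threshold` failed logins. The distinct-account count
    tells a dictionary attack on one account apart from spraying across many."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["result"] == "FAIL":
            fails[m["src"]].append(m["user"])
    return {
        src: {"failures": len(users), "accounts": len(set(users)),
              "pattern": "dictionary" if len(set(users)) == 1 else "spraying"}
        for src, users in fails.items() if len(users) >= threshold
    }


if __name__ == "__main__":
    th = LoginThrottle({"alice": "correct horse battery"})
    for t, pw in ((0, "password"), (0, "123456"), (2, "123456"), (10, "letmein"), (20, "correct horse battery")):
        print(t, pw, th.attempt("alice", pw, t))
    print(suspicious_sources(SAMPLE_LOG))
```

Note that the per-account lockout is exactly what an attacker can abuse to deny service, which is why the window expires on its own; the source-based view from the log is what lets you block or alert on the attacker instead of punishing the victim account.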

Dictionary Attack vs. Brute-Force Attack

A dictionary attack is a type of brute force attack, but there is a distinction between the two.

A brute-force attack in the narrow sense is exhaustive: it does not use a word list but tries every possible combination of letters, numbers, and symbols up to some length.

Dictionary attacks are far more efficient when the password is predictable, because they try the likely candidates first. Exhaustive search will eventually find any password, including random ones that no word list contains, but its cost grows exponentially with password length, so in practice it is only feasible against short passwords or against fast, unsalted hashes.
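The exhaustive search described above, as an added example that is not code from the original page: a shortest-first brute force over a chosen alphabet against a SHA-1 hash, with a keyspace calculation that shows why the same method is hopeless against a longer password. The target passwords and the assumed guessing rate are constructed for the demonstration.

```python
import hashlib
import itertools
import string

LOWERCASE = string.ascii_lowercase   # 26-character alphabet used in the demo


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def brute_force(target_hash, alphabet, max_len):
    """Exhaustive search: every string over `alphabet` of length 1..max_len, shortest first.
    Returns (password, guesses), or (None, guesses) once the keyspace is exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(chars)
            if sha1_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


def keyspace(alphabet_size, max_len):
    """Number of candidates of length 1..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def years_to_exhaust(alphabet_size, max_len, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guessing rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # A four-letter lowercase password falls to exhaustive search in well under a second.
    pw, n = brute_force(sha1_hex("kite"), LOWERCASE, 4)
    print(f"found {pw!r} after {n} of {keyspace(26, 4)} candidates")
    # An 11-character password over the 95 printable ASCII characters, at an assumed
    # 1e10 SHA-1 guesses per second (an order-of-magnitude figure for a GPU rig):
    print(f"exhausting 95^1..95^11 would take about {years_to_exhaust(95, 11, 1e10):.0f} years")
```

The contrast with the dictionary approach is the ordering: exhaustive search spends its guesses uniformly over a keyspace that is astronomically large for any realistic password, whereas a word list plus rules spends them on the few million strings people actually pick.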


7 Ways to Protect Yourself Against a Dictionary Attack

  1. Use two-factor authentication

    Configure accounts to require a second factor in addition to the password, such as a one-time code, a hardware security key, or a fingerprint. Biometric factors such as a fingerprint, facial recognition or retina scan rely on physical features that no word list can reproduce, so a guessed password alone is not enough to log in.
  2. Create random passwords

    Avoid passwords built from details such as birth dates, pet names, common words, or favorite personalities, which are exactly what word lists contain. Never reuse passwords across accounts or use obvious combinations such as "Password123" or "abcd1234". Length matters more than the mix of characters: a long random string of letters, numbers, and symbols, or a passphrase of several randomly chosen words, is far beyond what word lists and mangling rules can reach.
  3. Use a password manager

    Password managers can create, store, and enter passwords securely. This lets you use long random passwords that you do not need to remember and that are impractical to crack.
  4. Use authentication apps

    Authenticator apps can be linked to an account and generate one-time passwords (OTPs) that change for every login or every 30 seconds, so a password recovered from a list is useless on its own.
  5. Limit login attempts

    Many websites and apps limit the number of allowed login attempts within a particular time period. If this is an option, enable it on each account to blunt online dictionary attacks.
  6. Force resets

    Where supported, configure accounts to require a password reset after a specified number of failed login attempts, or whenever the password turns up in a known breach, so that a credential under attack cannot keep being guessed at.
  7. Update passwords regularly

    Change a password promptly whenever it appears in a breach or you suspect it has been guessed. Forced rotation on a fixed schedule is no longer recommended (NIST SP 800-63B advises against it) because it pushes users toward predictable variations such as an incremented number, which are exactly what mangling rules catch.

Consequences of a Dictionary Attack

Dictionary attacks can have serious implications for individuals, businesses, and other organizations:

  • Data breaches or loss, exposing confidential information to unauthorized parties.
  • Locked accounts, where legitimate users lose access after an attacker's repeated failed login attempts trigger the lockout.
  • Financial loss through the theft of funds or assets and the costs of responding to security breaches.
  • Operational disruption caused by system downtime, interruption of service, or loss of access to accounts.
  • Reputational damage among customers and partners following a data breach.
  • Penalties, fines, or legal action against organizations that fail to safeguard customer information.

Dictionary Attack Examples

Some of the world’s biggest companies, including Adobe, Dropbox, GitHub, LinkedIn, and Nvidia, have experienced dictionary attacks.

In 2012, attackers obtained roughly 6.5 million LinkedIn password hashes, which were stored as unsalted SHA-1, and recovered the underlying passwords offline with a combination of dictionary and brute-force cracking. In May 2016, the company learned that the same breach had exposed more than 100 million additional email addresses and hashed passwords, and it responded by invalidating the passwords of all accounts that had not been changed since the 2012 breach.

In February 2022, Nvidia was attacked by the hacking group Lapsus$, which used dictionary attacks among other methods to steal and leak employee credentials and proprietary information, including source code for Nvidia's GPUs. Cracking of the leaked credential hashes showed that many employees were using weak passwords; all employees were subsequently required to change their passwords.

The Bottom Line

A dictionary attack is a technique that attackers use to gain unauthorized access to a system, or to recover passwords from stolen hashes, by systematically trying a list of likely passwords and variations of them until one succeeds. Because users tend to choose weak or predictable passwords, the attack often works; long random passwords, two-factor authentication, password managers, limits on login attempts, and storing passwords with a salted slow hash all help individuals and organizations avoid successful dictionary attacks.




Nicole Willing
Technology Journalist

Nicole is a professional journalist with 20 years of experience in writing and editing. Her expertise spans both the tech and financial industries. She has developed expertise in covering commodity, equity, and cryptocurrency markets, as well as the latest trends across the technology sector, from semiconductors to electric vehicles. She holds a degree in Journalism from City University, London. Having embraced the digital nomad lifestyle, she can usually be found on the beach brushing sand out of her keyboard in between snorkeling trips.