Dictionary Attack: What Is It and How Can You Stop It?

  • By Bryan Lee
  • Oct 02, 2023

Dictionary Attack

Everybody knows that their passwords should be complex. You shouldn’t include personal information like your birth month, hometown, or name. Otherwise, hackers could quickly scan our social media pages and guess our login credentials.

However, even seemingly random and safe words like “platypus” or “wormhole” can be easily broken, not to mention the cliché options like “password.” A dictionary attack is a standard tactic hackers use to crack word-based passwords.

What is a Dictionary Attack?

Dictionary attacks essentially throw a book at the problem. A program methodically goes through words from a dictionary until it guesses the correct password. Many dictionary attacks are customized to go through specific words, phrases, and variations before taking the random route. Some prioritized terms may include:

  • Fictional characters (Harry Potter, Zeus, James Bond, etc.)
  • Pet names
  • State capitals

Starting with commonly used options is a way to bypass a system’s security measures. If the hacker attempts a wrong password too many times, then their attempts may be flagged and notify the legitimate account holder.

These attacks aim to break into online accounts and steal information. This can lead to identity theft, financial impersonation, and even corporate espionage. However, most websites nowadays require a combination of special characters, numbers, and letters in passwords, which makes dictionary attacks far less effective.

In response, hackers have also repackaged dictionary attacks for use in file decryption. Users don’t put the same emphasis on beefing up the passwords of protected files since those are typically one-time transfers. If those files are intercepted in transit, a dictionary attack would have a much higher chance of breaking in than social media or email passwords.

Brute-Force Vs. Dictionary Attacks

Brute force attacks are another method to guess a password. The tactic relies on immense computing power to input millions of password combinations in a matter of seconds. A brute force attack takes all possible symbols, letters (lowercase and uppercase), and numbers and arranges them in every conceivable pattern. 

Dictionary attacks are a subclass of brute force attacks restricted to complete words. A dictionary attack may use special characters like “@” or “!” but only when those characters are commonly used to replace a specific letter. For example:

p@ssword = password

!ntriguing = Intriguing

Despite brute force attacks being far more encompassing than dictionary attacks, they are relatively simple to defend against. Adding a single character to a password exponentially increases the number of possibilities the program has to guess. Modern computers can break an 8-character password in a few seconds but would require millions of years to guess one that’s 12 characters or longer.

Why Are Dictionary Attacks Popular?

Reused passwords are the bane of online security. If you use the same password for multiple accounts, then a dictionary attack only needs to succeed once to uproot your entire life. It’s also important that even when people change their password, they’re frequently only adjusting one or two characters, which doesn’t do much to improve your security.

Additionally, reports show that nearly 20 percent of passwords are compromised. This is due to either individual hacking or large-scale breaches, but it’s a huge problem. That 20 percent gives hackers millions of data points to figure out what words are most commonly used in passwords. AKA: What words to guess first.

Cybernews even compiled a list of the most repeated password phrases and combinations in 2023. These passwords are not only useful for dictionary attacks but also for other brute-force attacks like password spraying.

How to Defend Against Dictionary Attacks

Defend Against Dictionary Attacks

Dictionary attacks aren’t hard to pull off and should be a fundamental concern of any cybersecurity worker. Organizations can defend against attacks by implementing additional barriers like captchas and multi-factor authentication to snuff out the danger of brute-force and dictionary attacks.

Note: Multi-factor authentication is significantly weakened if the compromised account uses the same or similar password for its email service. Make sure to use vastly different passwords for the main accounts and accounts used for verification. 

Aside from protecting individual users, IT professionals need to prepare for when a dictionary attack is successful. This means preventing the intruder from stealing additional information after gaining access. Companies can minimize lost data by restricting access permissions based on an employee’s needs. They should also encrypt all stored passwords so the breach doesn’t expand any further.

An individual user’s best bet is to employ a password manager. These nifty programs do it all for you. They save your login credentials for autofill, generate complex and strong passwords, and track which passwords may have been compromised.

Some people worry that a password manager puts all their passwords in one place and exposes them to danger. However, popular options all come equipped with military-grade encryptions and security measures. Many browsers have a password manager extension already pre-installed, but third-party options exist for anyone wanting more control.

If, for some reason, you still don’t want to rely on a password manager, then you can protect yourself by following these rules:

  • Use 12 or more characters
  • Include a mix of uppercase and lowercase letters
  • Don’t use complete words or number sequences (dates, years, addresses)
  • Use AT LEAST one unique character

Protect Yourself with Strong Passwords

Hopefully, this post has convinced you of the dangers of dictionary attacks and how to avoid them. The most present threat to your online safety is a lack of proactivity. Creating unique passwords for every account may seem complicated, but it’s more manageable than you think, especially if you use a password manager.

Stay updated on current data breach news if you want to go the extra mile. You never know when one of your most-visited sites will become compromised, and you need to change your login credentials. InfoPay even has dark web tracking services that can inform you when your information is on sale and guide you through the following steps!

About the Author
IDStrong Logo

Related Articles

Secure Wi-Fi and Wireless Technology Security Tips

Your Wi-Fi network is another handy access point that hackers use to infiltrate your computers, st ... Read More

How Does a VPN Work and How to Choose one

VPN stands for virtual private network. It allows you to hide your public IP address and browse pr ... Read More

Complete Guide to Android Security

The Android platform offers a ton of flexibility and customization for users. However, all that fr ... Read More

Increase Your Google Privacy Settings in 4 Easy Steps

In this time of digital transparency and data breaches, it’s more important than ever to fee ... Read More

Instagram Privacy Policy: What You Should Know?

Instagram is a great place to share your best photos and messages with your followers, but have yo ... Read More

Latest Articles

Health Organization Records Stolen via Welltok’s MOVEit - 930k+ Including Minors

Health Organization Records Stolen via Welltok’s MOVEit - 930k+ Including Minors

The number of victims caused by the global MOVEit data breach continues to climb; Welltok has announced more exposures, this time from three more health organizations.

MOVEit Breach Creates More Victims; 105k Records Stolen from Insurance Group

MOVEit Breach Creates More Victims; 105k Records Stolen from Insurance Group

"Pan American Life Insurance Group Building - New Orleans" by Tony Webster is licensed under CC BY 2.0. Source: Flickr

New York Healthcare Provider Notified 600k Following Network Cyberattack

New York Healthcare Provider Notified 600k Following Network Cyberattack

East River Medical Imaging (ERMI) has three locations in New York City and Westchester County.  ERMI is a "multi-modality radiology center," including patient-centered solutions like MRIs, CTs, ultrasounds, imaging, radiology, fluoroscopy, and x-rays.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address