
Dictionary Attacks - Guessing Passwords with Words


A dictionary attack is a method of guessing passwords using a list of words found in a dictionary or commonly used passwords. Whereas a brute-force attack tries every possible combination, a dictionary attack narrows its scope to the passwords people tend to choose, making its attempts more efficient. Common passwords such as "password", "123456", and "qwerty" are cracked within seconds. According to NordPass's 2024 survey, "123456" is still the most commonly used password, and the effectiveness of dictionary attacks has not waned.

Real-World Use Cases

"When we carried out a dictionary attack during a penetration test, the passwords of 47 out of 500 employees were cracked within 10 minutes. Most of them followed patterns containing the company name or birthdays, so we strongly recommend switching to random generation."

Dictionary Attack Techniques and Their Evolution

A basic dictionary attack tries word lists as-is, but advanced techniques apply transformation rules such as appending numbers to the end of a word, changing letter case, or substituting characters with symbols (e.g., a → @, e → 3). Lists of billions of passwords leaked in past data breaches are also used as dictionaries. Modern dictionary attack tools leverage GPUs and can make billions of attempts per second. Password attack books on Amazon let you learn about attack techniques.

The Difference from Brute-Force Attacks

A brute-force attack exhaustively tries every combination, from "aaaa" to "zzzz", so in theory it can crack any password, but long passwords take an enormous amount of time. A dictionary attack is fast because it limits its scope to the patterns people are likely to choose, yet it is powerless against random passwords. In an actual attack, it is common to first attempt a dictionary attack and switch to brute force only if it fails. In addition, a password spray attack is a variant that tries a small number of passwords against many accounts, evading account lockout.

Defenses Against Dictionary Attacks

Randomly generated passwords use no words or patterns found in a dictionary, so they have extremely high resistance to dictionary attacks. Passwords thought up by humans tend to unconsciously include dictionary words and patterns, whereas randomly generated passwords have no such bias. On the service provider side, limiting the number of login attempts, introducing CAPTCHA, and checking against lists of leaked passwords are effective defensive measures. Secure password guides (Amazon) are also helpful references.
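The following is an added example, not code from the original article: a server-side registration check that applies the same transformation rules described above (case changes, appended digits or symbols, a → @ / e → 3 style substitutions) in reverse, so that a password like "P@ssw0rd2024!" is recognised as a dressed-up dictionary word and rejected. The word list and the substitution table are constructed stand-ins for a real leaked-password corpus.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample list standing in for a leaked/common-password corpus.
# "acme" plays the role of the company name mentioned in the pentest quote.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "acme"}

# Reverse of the substitutions a rule-based attack applies (a -> @, e -> 3, ...).
# The mapping is an assumption chosen for this example, not a standard table.
LEET_REVERSE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def candidate_stems(password: str) -> List[str]:
    """Return the plain words an attacker's rules could have turned into this password.

    Order matters: stems are generated from the least to the most transformed
    form, so the first dictionary hit is the most direct explanation.
    """
    stems: List[str] = []

    def add(s: str) -> None:
        if s and s not in stems:
            stems.append(s)

    lowered = password.lower()              # undo case changes ("PassWord" -> "password")
    add(lowered)
    add(re.sub(r"[\d\W_]+$", "", lowered))  # undo appended digits/symbols ("welcome2024!" -> "welcome")
    for s in list(stems):                    # undo character substitutions ("p@ssw0rd" -> "password")
        add(s.translate(LEET_REVERSE))
    return stems


def matching_stem(password: str, wordlist: Iterable[str] = COMMON_WORDS) -> Optional[str]:
    """Return the dictionary word this password reduces to, or None if it is not dictionary-derived."""
    words = set(wordlist)
    for stem in candidate_stems(password):
        if stem in words:
            return stem
    return None


def accept_password(password: str, min_length: int = 12) -> bool:
    """Registration policy: reject short passwords and anything a dictionary attack would reach quickly."""
    return len(password) >= min_length and matching_stem(password) is None
```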
