Learning Password Security Jargon: Dictionary Attack

Cybersecurity Content Writer

We, as users, trust companies and service providers to keep our data safe. We hope that they don’t leave any backdoors in their software, properly train their employees, and don’t store usernames and passwords in plaintext.

But everything is not as simple as it might seem. Cybersecurity attacks can affect anyone, and sometimes it may be difficult to protect yourself or your business. But some of them, like dictionary attacks, can be easily prevented.

Learn what a dictionary attack is and what you can do to stop it from happening.

What is a dictionary attack?

A dictionary attack is a systematic method of guessing a password by trying many common words and their simple variations. Attackers use extensive lists of the most commonly used passwords, popular pet names, fictional characters, or literally just words from a dictionary – hence the name of the attack. They also change some letters to numbers or special characters, like “p@ssw0rd”.

Hackers use this attack to gain access to online accounts, but also for file decryption – and that’s an even bigger problem. Most people put at least some effort into securing their email or social media accounts. However, they choose simple, easy-to-remember everyday words to protect the files they share with other people. If sent over an unsafe connection, those files would be very easy to intercept, and guessing the password by using a dictionary attack wouldn’t be a challenge either.

How does a dictionary attack work?

During a dictionary attack, a program systematically enters words from a list as passwords to gain access to a system, account, or encrypted file. A dictionary attack can be performed both online and offline.

In an online attack, the attacker repeatedly tries to log in or gain access like any other user. This type of attack works better if the hacker has a list of likely passwords. If the attack takes too long, it might get noticed by a system administrator or the original user.

During an offline attack, however, there are no network limitations to how many times you can guess the password. To do it, hackers need to get their hands on the password storage file from the system they want to access, so it’s more complicated than an online attack. But once they have the correct password, they will be able to log in without anyone noticing.

What is the difference between a brute force attack and a dictionary attack?

Brute force attacks are also used to guess passwords. They mostly rely on the computing power of the attacker’s computer. During a brute force attack, a program also automatically enters combinations of letters, symbols, and numbers, but in this case, they are entirely random. Brute force attacks can also be performed online and offline.

However, there are 1,022,000 words in the English language. By using upper- and lower-case letters and the digits 0-9, you can make 218,340,105,584,896 eight-character passwords. In this case, a dictionary attack is much more likely to succeed, given that the password will be a simple English word. And it will most likely be a simple English word. A basic brute force attack would take much more time and is less likely to be successful.

Dictionary attacks are brute force attacks by nature. The only difference is that dictionary attacks are more efficient – they usually don’t need to try as many combinations to succeed. However, if the password is a truly unique one, a dictionary attack won’t work. In that case, using brute force is the only option.

How to avoid a password dictionary attack?

The IT department in any organization should take some precautions to protect their systems from dictionary attacks. Online attacks are rather easy to stop. You can use captchas, implement mandatory two-factor authentication, and limit how many times one user can attempt to log in before their account is locked.
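The lockout rule described above, as an added example that is not NordPass code: a small per-account throttle that counts failed logins in a sliding window, locks the account after a chosen number of failures, keeps it locked even if the correct password is then supplied, and records each lockout so the event can be forwarded to monitoring. The thresholds (5 failures in 5 minutes, 15-minute lock) are assumptions chosen for illustration; the caller passes in the current time so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login counter with a sliding window and a temporary lock.

    Constructed example. max_failures / window_seconds / lockout_seconds are
    illustrative defaults, not a recommendation from the article.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires
        self.events = []                     # (time, user, event) for the SIEM / admin

    def _prune(self, user, now):
        """Drop failures that fall outside the sliding window."""
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, user, now):
        """True while a lock is active; expired locks are cleared on the way through."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Process one login attempt and return 'locked', 'ok' or 'denied'.

        A locked account rejects even the correct password, which is what stops
        an online dictionary attack from simply continuing to guess.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user].clear()
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self.events.append((now, user, "lockout"))
            return "locked"
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600)
    for t in (0, 10, 20, 30):
        print(t, throttle.attempt("alice", False, t))
    print("events:", throttle.events)
```

A lock that is keyed only on the username leaves the legitimate user locked out by a noisy attacker; in practice the same counter is usually also kept per source address, and the `events` list is what a system administrator would alert on.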

Offline attacks are a bit more complicated to defend against. Still, you can use two-factor authentication and set up strict rules concerning passwords: no popular passwords, no common words or phrases, a 12-character minimum, etc. And most importantly, make sure that you don’t store passwords in plaintext.
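The two server-side rules above (reject popular and dictionary passwords, never store plaintext) as an added example that is not NordPass code. The policy check undoes the simple substitutions a dictionary attack also tries, so “P@ssw0rd” is judged as “password”, and trims trailing digits and symbols so “Sunsh1ne2023!” is judged as “sunshine”. Storage uses salted PBKDF2-HMAC-SHA256 from the standard library. The word lists, the 12-character minimum and the iteration count are assumptions; a real deployment would load a large breach-derived list.

```python
import hashlib
import hmac
import os
import re

# Constructed sample lists; a real check loads far larger ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "iloveyou", "dragon", "football"}
DICTIONARY_WORDS = {"cat", "pachycephalosaurus", "sunshine", "welcome", "summer"}

# Substitutions a dictionary attack tries, applied in reverse so the core word shows.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def strip_decoration(word):
    """Remove leading/trailing runs of non-letters ('summer2023!' -> 'summer')."""
    word = re.sub(r"^[^a-z]+", "", word)
    return re.sub(r"[^a-z]+$", "", word)


def normalize(word):
    """Undo letter-to-symbol substitutions ('p@ssw0rd' -> 'password')."""
    return word.translate(LEET_MAP)


def check_policy(password, min_length=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    core = normalize(strip_decoration(lowered))
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    elif core in DICTIONARY_WORDS:
        problems.append("is a dictionary word (with or without simple substitutions)")
    return problems


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "pachycephalosaurus", "Sunsh1ne2023!", "xK9#mPq2$vL7wZ"):
        print(candidate, check_policy(candidate) or "ok")
    record = hash_password("xK9#mPq2$vL7wZ")
    print(record, verify_password("xK9#mPq2$vL7wZ", record))
```

Even with a slow hash, a stolen password file still yields every password that is in the attacker’s list, which is why the policy check comes first; the hash only makes each guess cost more.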

But what can you do as a user to prevent your accounts from getting hacked? First and foremost – don’t be predictable. The best passwords are words that have no meaning to the general public. Keep in mind that the length of the password is not what makes it strong. It doesn’t matter whether you choose “pachycephalosaurus” or “cat” as your password; each is a single entry in a word list, so a computer takes the same amount of time to try either of them.

So create new words, use special characters in unexpected ways, or, best of all, use random strings of upper- and lower-case letters, symbols, and numbers.

Having trouble coming up with new passwords? Try our password generator. You can pick what symbols you want to use and create unique, strong passwords for all your accounts. Yes, they are impossible to remember, but they are also impossible to guess. And lucky for you, you no longer need to remember all your passwords.

Just use a password manager, like NordPass, to store all your passwords safely. Only you will have access to them, so you can rest assured that your online accounts are safe.
