A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.

A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words one would find in a dictionary.  However, now there are much larger lists available on the open Internet that contain hundreds of millions of passwords recovered from past data breaches. 

There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, by appending a digit or punctuation character.

Dictionary attacks are often successful, since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or a manual method.

“A dictionary attack is a type of brute-force attack, but it uses a predefined list of passwords that would have a higher probability of success,” says Deral Heiland, IoT research lead, Rapid7. “This dictionary list could contain things such as regional sports teams names, team member names, names related to the organization being attacked, commonly used passwords often containing ‘spring,’ ‘summer,’ ‘winter’ and ‘autumn’ and variations of all those modified to meet password requirements.”

Difference Between Brute-Force And Dictionary Attacks

A brute-force attack and a dictionary attack are both designed to guess your password, but the methods they use are different. While a dictionary attack makes use of a prearranged list of words, a brute-force attack tries every possible combination of letters, special symbols, and numbers. It can guess a six-character password in one hour. If your password is long and complex, it will take days or even years to crack it.

READ
Chinese Hackers Exploit FortiClient Zero-Day with Custom Toolkit "DeepData"

A brute-force attack doesn’t necessarily try every possible character. Password-cracking software can be programmed to start with more likely options. If there is a requirement to use an uppercase letter in the password, most people will use it in the first character. Knowing this, hackers can set the program to start with a capital letter as the first character. A brute-force attack takes longer to crack a password than a dictionary attack does and heavily relies on computing power.

According to the Balbix State of Password Use Report 2020, around 99% of users reuse passwords, and the average user has around eight passwords shared between accounts, both between work and personal accounts and within various internal company accounts.

Security.org’s Online Password Strategies survey found that nearly 70% of people tweak existing passwords when creating new ones. The 2019 State of Password and Authentication Security Behaviors Report from Yubico and Ponemon found 69% of people share passwords with others in the workplace. It also found just over half don’t change their password behavior after an incident.

How To Prevent Dictionary Attacks

One of the best methods for reducing the success of this style of attack is to train people to move away from short passwords and start using passphrases. Passphrases are often easy to remember and virtually impossible to guess. For example, picking a passphrase such as ‘I want to play cricket for England’ and then randomly alter it with uppercase, numbers or special characters: ‘! want TO Play cr1cket 4 Engl4nd$,’

READ
Russian Hackers APT28 Exploit WiFi Networks with Sophisticated "Nearest Neighbor Attack"

Other mitigation controls include:

  • Set up multi-factor authentication where possible.
  • Use biometrics in lieu of passwords.
  • Limit the number of attempts allowed within a given period of time.
  • Force account resets after a certain number of failed attempts.
  • Rate-limit the speed of password acceptance to increase the time and resources needed for attackers to guess the password.
  • Include Captchas to prevent automated log-in attempts.
  • Ensure passwords are encrypted so they are less likely to be leaked.
  • Restrict common words or passwords from being used. The NCSC publishes a list of common passwords that shouldn’t be allowed.