How does a dictionary attack work?

Most people are aware of good online security habits. However, they often fail to use them to their fullest extent, leaving them susceptible to dictionary attacks. Despite knowing that they should protect their online accounts, many people fail to follow simple guidelines like creating strong passwords. In fact, a Google study found that an estimated 65% of people reuse passwords across multiple accounts. Additionally, 59% use personal details in their passwords that are easy to guess or discover, such as pet names and birthdates.

In addition, people often use simple, obvious passwords which are very easy to crack. Studies have shown that keyboard runs like “123456” and “qwerty”, and phrases like “Password”, “iloveyou”, and “Welcome” are among the most commonly used and regularly appear in data breach leaks.

The implication, then, is that these attacks are very common—and very successful—simply because people do not take dictionary attack prevention seriously.

Dictionary attacks: A definition

In its simplest form, a dictionary attack is a type of brute force attack where hackers try to guess a user’s password to their online accounts by quickly running through a list of commonly used words, phrases, and number combinations. When a dictionary attack has successfully cracked a password, the hacker can then use this to gain access to things like bank accounts, social media profiles, and even password-protected files. This is when it can become a real problem for the attacker’s victim.

How does a dictionary attack work?

This type of hacking uses a systemic approach to cracking passwords. There are essentially three steps to successfully carrying out these hacks and understanding them can be helpful in learning how to prevent a dictionary attack.

Usually, the attacker will create a predefined list of potential passwords—a brute force dictionary—that feature combinations of popular words and numbers.
Automated software then uses this brute-force dictionary to try and hack into online accounts.
Once the dictionary attack has successfully hacked into a vulnerable account, the hacker uses any sensitive data stored in the profile for their own means. This might be to perpetrate fraud, take malicious action, or simply access accounts for financial gain.

To compile the list of potential passwords, the attacker will often use common pet names, recognisable pop-culture characters, or major sports teams and athletes, for example. This is because many people use these types of words to create passwords that have meaning to them and that they can easily remember. The list will normally include variations of these, such as different combinations of words, or the addition of special characters.

Running this list with automated tools also makes it easier for dictionary attacks to be successful. Using a password list and automated tool in tandem makes it far quicker to attempt to crack a password and hack into an online account. If this were to be done manually the attack would take too long and gives the account owner—or system administrator—time to notice and implement a defence against the attack.

Because of the way they work, these dictionary attacks often do not have an individual target. Instead, they are carried out in the hopes that one of the passwords on the list will be correct. However, if the attacker is targeting a particular place or organization, they will create a more focused and localised list of words. For example, if they plan to carry out the attack in Spain, they might use common Spanish words instead of English. Or, if they are targeting a particular organisation, they might use words associated with that company.

Dictionary attack vs brute force: What is the difference?

Even though dictionary hacking is a type of brute force attack, there is an important difference between the two. While dictionary attacks use a preset list of words to systematically try and crack account passwords, brute force hacks do not use a list and instead, run through every random combination of letters, symbols, and numbers that might be used to create a password. As such, dictionary attacks are usually more efficient—and have a higher chance of success—simply because they have far fewer combinations to try.

With 26 letters of the alphabet and 10 single-digit numbers—a total of 36 characters—the sheer number of possible combinations a brute force attack must run through in order to succeed is almost impractical. For context, for a brute force attack to hack a 10-character password, there would be 3.76 quadrillion potential alphanumerical passwords to run through.

The advantage of brute force attacks, though, is that they are more likely to be able to crack difficult and unique passwords with their trial-and-error approach. Because they run through such a comprehensive list of possible passwords, there is a higher probability that these attacks will eventually be able to find the right combination of characters of any given password.

How to prevent dictionary attacks

Understanding what a dictionary attack is and how they work is one step towards preventing their occurrence. But for those who are serious about dictionary attack prevention, these tips can help:

Avoid passwords where possible: The easiest and most foolproof way to avoid dictionary hacking is to eliminate the use of passwords completely. Instead, where the option is available, use password-free authentication solutions and biometric logins to keep your accounts secure.
Use random passwords: Try to avoid creating passwords that incorporate personal details such as birth dates, pet names, or other information that can be easily discovered. A password manager can help to create, store and enter the passwords in a secure format.
Avoid the obvious: Surprisingly, many people use basic, easy-to-hack word and number combinations as passwords, such as “Password123” or “abcd1234”. These are most susceptible to hacking because dictionary attacks are specifically designed to break through easy-to-guess passwords.
Pick a pass-phrase: Instead of picking a word and number combination as a password, create full phrases to access accounts. These are much more difficult to guess but are often easy for users to remember. For example, someone that likes football might use the phrase “I want to be a linebacker for the Patriots”. To make the pass-phrase even more secure, add random numbers, characters, and upper-case letters, turning it into “IW@nT2B@L!n3B@ckER4THEPatr!0tS!”.
Use two-factor authentication: Set accounts up so that each login requires two (or more) factors of authentication. For example, a password, a one-time password generated by an authentication app and a fingerprint.
Try authentication apps: Where possible, try to use authentication applications in place of, or alongside, passwords. Many of these apps can be easily downloaded to a mobile phone and linked to a particular account, and provide randomly generated one-time passwords for every login attempt.
Limit login attempts: Some websites and apps now limit the number of allowed login attempts within a particular time period. If this is an option, enable this on each account to avoid dictionary hacks.
Force resets: Dictionary hacking often relies on multiple attempts to crack a password. Minimise the likelihood of a successful attack by forcing password resets after a certain number of failed attempts. If this isn’t an option you can enable automatically on your accounts, you may be able to put a more manual version in place by enabling online accounts to email you in the event of a failed login attempt. If you are notified of somebody trying to access an account, particularly if you get several of these notifications in quick succession, you can go in and change your password to ensure it is safe.
Avoid using certain words: Avoiding the use of common words in all of your passwords adds an extra layer of protection for account security.

Can password managers help with dictionary attack prevention?

Password managers can be a useful way to manage your account credentials securely and minimise the likelihood of falling victim to dictionary hacking. Apps like Kaspersky Password Manager offer an array of benefits that can help keep passwords secure. Here are some reasons to consider using one:

Use just one password: With a password manager, you just have to remember a master password to log into your account and manage all your other logins for individual accounts.
Generate strong, random passwords: Most of these programs will allow users to create very strong, randomly generated passwords. Because these do not use common words or phrases, they are usually safe from dictionary hacking. Though of course, a brute force attack could still be successful.
Get easy access to accounts: Password managers often offer the ability to securely store login details to each individual account, then automatically fill these details in for each attempt to log into a website, account, or app.
Share passwords securely: If it is necessary to share account passwords—with friends, families, or colleagues, for example—password managers allow users to do so securely while also managing access.
Use secure storage: Many password managers now also offer the ability to store things like personal documents, medical records, and photos in an encrypted format so that any sensitive data stays secure.

Take steps to prevent a dictionary attack

Dictionary hacking is a very common type of cybercrime that hackers use to gain access to an individual’s personal accounts, including bank accounts, social media profiles, and emails. With this access, hackers can perpetrate all sorts of actions, from financial fraud and malicious social media posts to further cybercrimes like phishing. However, dictionary attack prevention can be as simple as implementing certain safeguards to minimise the risk of falling victim to these attacks. Using smart password management habits, employing different types of authentications, and using readily available password managers, for example, can all help keep passwords and accounts secure.

Kaspersky Endpoint Security received three AV-TEST awards for the best performance, protection, and usability for a corporate endpoint security product in 2021. In all tests, Kaspersky Endpoint Security showed outstanding performance, protection, and usability for businesses.

Related Articles and Links:

Related Products and Services: