You may have heard of dictionary attacks before and wondered what they entail. Here, we take a closer look at what dictionary attacks are and what you can do to protect yourself against them.
Dictionary attacks as a sub-variant of brute force attacks
Dictionary attacks are a systematic method and type of brute force attack used by hackers in an attempt to crack your password.
In short, a dictionary attack involves the hacker testing a list of frequently and widely used words rather than every possible combination. For example, hackers use lists of the most commonly chosen passwords. The list can also contain regional references such as:
- The name of the city's sports team
- Previously leaked codewords
- Popular pet names
- Fictional characters
... or, quite literally as the name suggests, words from a dictionary. Hackers use automated programs to test combinations of usernames and passwords from these lists until one works and they can break into the account.
Unlike a typical brute force attack, where the hacker tries every possible password combination, a dictionary attack is much more focused and therefore more effective. Dictionary attacks have a higher success rate than regular brute force attacks because a brute force attack tests all possible passwords, random ones included, whereas a dictionary attack concentrates exclusively on the most likely passwords.
When are dictionary attacks a suitable method?
Hackers use this method to gain access to online accounts, but because of the risk of dictionary attacks, many apps and websites have taken precautions such as automatically locking an account after a certain number of consecutive failed log-in attempts.
Hackers also use dictionary attacks to decrypt files, which can be a major problem. Many people use strong passwords for their email and social media accounts but forget to use an equally strong password when sharing encrypted files with others. If encrypted files are sent over an insecure connection, they are easily intercepted by a hacker and thus pose a major security risk.
How a dictionary attack works
As mentioned, an automated program systematically tries passwords from a given list to force access to an account or an encrypted file. The program starts at the top of the list and tries each word in turn until one matches. This can happen both online and offline.
In an online attack, the hacker repeatedly tries to log in as another user. This method works best if the hacker has a list of likely passwords. However, because it can be a time-consuming process, the hacker risks the attempt being detected by an administrator or by the user themselves before the password is cracked.
An offline attack, on the other hand, is characterised by the absence of any network restriction on how many times a password can be attempted. Here, the hacker first gets hold of a file containing passwords from the system they are trying to access. This makes it a more complicated type of dictionary attack than the online method, but once the hacker has the correct password, they can log in without anyone noticing.
- Common brute force attacks can also take place both online and offline.
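The detection that an administrator relies on in the online case above, and the automatic account lockout mentioned elsewhere in this post, can be implemented as a simple failed-login monitor. The Python below is an added example written for this post, not code from Moxso or any product. The log format and the sample log lines are constructed, and the policy of five failures within five minutes is an assumed threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): one line per login attempt.
# alice is hit by a rapid dictionary-style run; bob simply mistypes once, waits, and logs in.
SAMPLE_LOG = """\
2023-07-25T10:00:01 user=alice result=fail src=203.0.113.5
2023-07-25T10:00:02 user=alice result=fail src=203.0.113.5
2023-07-25T10:00:03 user=alice result=fail src=203.0.113.5
2023-07-25T10:00:04 user=alice result=fail src=203.0.113.5
2023-07-25T10:00:05 user=alice result=fail src=203.0.113.5
2023-07-25T10:00:06 user=alice result=success src=203.0.113.5
2023-07-25T10:00:10 user=bob result=fail src=198.51.100.7
2023-07-25T10:30:00 user=bob result=fail src=198.51.100.7
2023-07-25T10:30:01 user=bob result=success src=198.51.100.7
"""

THRESHOLD = 5              # assumed policy: failures allowed inside the window
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, result, src)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["result"], kv["src"]


def evaluate(log_text, threshold=THRESHOLD, window=WINDOW):
    """Replay the log and lock an account once `threshold` failures fall inside `window`.

    Returns (locked, rejected): the time each account was locked, and the attempts
    that were refused because the account was already locked. Note that a locked
    account refuses even a correct password, which is exactly what stops the
    attacker from getting in on the next guess (and what alerts the real user).
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed attempts
    locked_until = {}               # user -> time the lock expires
    locked = {}                     # user -> ISO time the lock was triggered
    rejected = []                   # (time, user, src) refused while locked
    for raw in log_text.splitlines():
        ts, user, result, src = parse_line(raw)
        if user in locked_until and ts < locked_until[user]:
            rejected.append((ts.isoformat(), user, src))
            continue
        if result == "success":
            failures[user].clear()  # a genuine login resets the counter
            continue
        recent = failures[user]
        recent.append(ts)
        # Forget failures older than the sliding window, so bob's isolated typos never add up.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            locked_until[user] = ts + window
            locked.setdefault(user, ts.isoformat())
            recent.clear()
    return locked, rejected


if __name__ == "__main__":
    locked, rejected = evaluate(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"ALERT: account {user} locked at {when} after {THRESHOLD} failures")
    for when, user, src in rejected:
        print(f"refused attempt on locked account {user} from {src} at {when}")
```

The lock expiry is deliberately tied to the same window as the counter; in a real deployment the alert line would go to the user by email, as the post describes, rather than to stdout.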
How to protect yourself from a dictionary attack
Although dictionary attacks are a prevalent method of hacking accounts - just like brute force - there's fortunately a lot you can do to be proactive and better secure yourself against them.
To protect yourself from online as well as offline dictionary attacks, we recommend that you:
- Create strong passwords that are unique and thus hard to guess and crack. You may want to use a password generator created for this purpose.
- Set limits on log-in attempts, which will cause your account to automatically lock after a certain number of failed log-in attempts. You'll often receive an email notification that there has been a mysterious or unknown log-in attempt, after which you can change your password to make it even stronger.
- Change your password regularly or when you get notifications about mysterious activity. It may also be that your details have turned up in a data leak, which will always be a reason to change your password as soon as possible.
- Use two-factor authentication and add an extra layer of security to your accounts. This way, a hacker cannot access your accounts unless they also have access to the device you receive one-time passwords on. Many people will for instance typically receive a one-time password in a text message on their phone when they log into certain sites, so you'll also quickly discover if someone is trying to log into your account.
- Use a password manager so you don't have to remember all your different passwords. The password manager generates a random, unique and strong password for each of your accounts, one that won't appear on any list used in a dictionary attack, and stores them so you don't have to.
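The first and last points in the list above can be checked in code: a password is only "hard to guess" if it does not reduce to a dictionary word once the usual tricks (capital letters, "@" for "a", a year tacked on the end) are undone, and a password manager sidesteps the problem by generating random strings. The Python below is an added example written for this post, not Moxso's code or any product's. The ten-entry word list is constructed to stand in for a real leaked-password list, the leet-substitution table and the 12-character minimum are assumed policy choices, and `generate_password` is a stand-in for what a password manager does.

```python
import re
import secrets
import string

# Constructed mini wordlist standing in for a real common-password list; a deployment
# would load a breach corpus of millions of entries here instead.
COMMON_WORDS = {
    "password", "qwerty", "letmein", "welcome", "dragon", "summer",
    "liverpool", "buddy", "princess", "batman",
}

# Assumed table of the leet substitutions a dictionary attack's mangling rules undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def candidates(password):
    """Yield the base forms a dictionary attack would compare against its list:
    lowercased, with leading/trailing digits and symbols stripped, and de-leeted."""
    lower = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lower)   # drop '2023', '123', '!' suffixes
    stripped = re.sub(r"^[\d\W_]+", "", stripped)  # and any such prefix
    for form in (lower, stripped):
        yield form
        yield form.translate(LEET)


def is_dictionary_like(password, wordlist=COMMON_WORDS):
    """True if any normalised form of the password is in the wordlist, i.e. a
    dictionary attack with common mangling rules would be expected to find it."""
    return any(form in wordlist for form in candidates(password))


def check(password, wordlist=COMMON_WORDS, min_length=12):
    """Return (accepted, reason) for a proposed password under the assumed policy."""
    if len(password) < min_length:
        return False, "too short"
    if is_dictionary_like(password, wordlist):
        return False, "found in common-password list after normalisation"
    return True, "ok"


def generate_password(length=20):
    """Password-manager-style random password from a 74-symbol alphabet,
    using the OS CSPRNG via `secrets` rather than `random`."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd2023!", "Liverpool2023", "short", generate_password()):
        accepted, reason = check(pw)
        print(f"{pw!r:24} -> {'accepted' if accepted else 'rejected'}: {reason}")
```

Rejecting a candidate at creation time is cheap and needs no network round-trip, which is why the same normalised-list check is a sensible complement to the lockout described earlier rather than a replacement for it.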
It's impossible to have complete control over how companies and websites protect their users' credentials, or whether your credentials show up in a data breach. But good cyber hygiene doesn't have to be a hassle, and by following these simple steps you can significantly increase your security while minimising the risk of being hit by a dictionary attack as well as a common brute force attack.
This post has been updated on 25-07-2023 by Emilie Hartmann.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.