What is a dictionary attack?
You may have heard of dictionary attacks before and wondered what they entail. The dictionary attack definition refers to a specific type of brute force attack in which an attacker utilizes a pre-defined list of common words and phrases to guess passwords. Here, we take a closer look at what dictionary attacks are and what you can do to protect yourself against them.
Definition and explanation
A dictionary attack is a type of cyber attack that involves using a precompiled list of words, phrases, and common passwords to guess a user’s password. Unlike brute force attacks, which try every possible combination of characters, dictionary attacks are more targeted. They rely on the likelihood that many people use common words, phrases, or simple variations of them as passwords. This makes dictionary attacks faster and often more successful than traditional brute force attacks, as they focus on the most probable passwords rather than attempting every possible combination.
Dictionary attacks as a sub-variant of brute force attacks
Dictionary attacks are a systematic method and type of brute force attack used by hackers in an attempt to crack passwords.
In short, dictionary attacks involve the hacker testing different variations of frequently used and widely used words. For example, hackers use lists of the most frequently used passwords. It can also be regional references such as:
-
The name of the city’s sports team
-
Previously leaked codewords
-
Popular pet names
-
Fictional characters
… or quite literally, as the name suggests, words from a dictionary. Hackers use automated programs to test possible combinations of usernames and passwords until they crack the code and can break into the account.
Unlike typical and common brute force attacks, where the hacker tries all possible password combinations, a dictionary attack is much more focused and therefore more effective. Thus, there is a higher success rate with dictionary attacks than with regular brute force attacks, because in brute force attacks the hacker tests all possible and random passwords, whereas in dictionary attacks they focus exclusively on the most likely passwords. Learn more about how brute force attacks work and how to protect yourself.
When are modern dictionary attacks a suitable method?
Hackers use this method to gain access to online accounts, but due to the risk of dictionary attacks, many apps and websites have taken precautions such as automatically locking an account if there have been a certain number of consecutive failed log-in attempts. Limiting the number of incorrect password attempts is crucial to prevent successful dictionary and brute-force attacks.
Hackers also use dictionary attacks as a means to decrypt files, which can be a major problem. This is because many people tend to use strong passwords for their email and social media accounts, but often forget to use an advanced password when sharing encrypted files with others. If encrypted files are sent over an insecure connection, they are easily intercepted by a hacker and thus pose a major security risk.
How a dictionary attack works
As mentioned, an automated program systematically tries out passwords from a given list to force access to an account or an encrypted file. Modern dictionary attacks leverage leaked password databases to enhance their effectiveness, allowing attackers to use passwords previously exposed in data breaches. The program is basically starting from the top of the list and tries all possible words until it hits something. This can happen both online and offline.
In an online attack, the hacker repeatedly tries to log in as any other user. This method works best if the hacker has a list of likely passwords. However, because it can be a time-consuming process, the hacker risks the hacking attempt being detected by an administrator or by the user themself before the code is cracked.
An offline attack, on the other hand, is characterised by that there’s no network restrictions on how many times the password can be attempted. The hacker’s approach here is that they get a hold of a file with passwords from the system they are trying to force access to. Password hashes are often targeted in these offline attacks, highlighting the importance of strong passwords and regular updates. In this way, it’s a more complicated type of dictionary attack than the online method. But once they have the correct password, they can log in without anyone noticing.
Common brute force attacks can also take place both online and offline.
Identifying vulnerability to dictionary attacks
To identify vulnerability to dictionary attacks, organizations can conduct thorough security audits and penetration testing. These tests simulate dictionary attacks to uncover weak passwords and other vulnerabilities within their systems. Additionally, monitoring and logging system activities are crucial in detecting and responding to such attacks. By tracking login attempts and flagging unusual patterns, such as a high number of failed login attempts from the same IP address, organizations can identify and mitigate ongoing attacks before they succeed.
How to protect yourself from a dictionary attack
Although dictionary attacks are a prevalent method of hacking accounts - just like brute force - there’s fortunately a lot you can do to be proactive and better secure yourself against them.
To protect yourself from online as well as offline dictionary attacks, we recommend that you:
-
Create strong passwords that are unique and thus hard to guess and crack. You may want to use a password generator created for this purpose to ensure you have a random password that is at least 16 characters long.
-
Set limits on log-in attempts, which will cause your account to automatically lock after a certain number of failed log-in attempts. You’ll often receive an email notification that there has been a mysterious or unknown log-in attempt, after which you can change your password to make it even stronger. This helps protect against such an attack.
-
Change your password regularly or when you get notifications about mysterious activity. It may also be that your details have turned up in a data leak, which will always be a reason to change your user's password as soon as possible.
-
Enable two-factor authentication to enhance your account security with an additional protection layer. This way, a hacker cannot access your accounts unless they also have access to the device you receive one-time passwords on. Many people will for instance typically receive a one-time password in a text message on their phone when they log into certain sites, so you’ll also quickly discover if someone is trying to log into your account. Learn more about why two-factor authentication is essential for your cybersecurity.
-
Use a password manager and avoid having to remember all your different passwords. The password manager will make sure you have a random, unique and strong code for each of your accounts, which is not on a list like in dictionary attacks, and store them so you don’t have to do it yourself.
Protecting a user's account is crucial to prevent unauthorized access and potential fraud.
It’s impossible to have complete control over how companies and websites protect their users’ credentials, or whether your credentials show up in a data breach. But good cyber hygiene doesn’t have to be a hassle, and by following these simple steps you can significantly increase your security while minimising the risk of being hit by a dictionary attack as well as a common brute force attack.
Password security best practices
To prevent dictionary attacks, it is essential to follow best practices for password security. This includes:
-
Using a password manager to generate and store unique, complex passwords for each account.
-
Activate two-factor authentication (2FA) whenever available to strengthen your account security with an added layer of protection.
-
Implementing a secure password policy that requires a minimum password length and complexity.
-
Avoiding the use of easily guessable information, such as names or birthdates, in passwords.
-
Regularly updating passwords and avoiding the use of the same password across multiple sites.
-
Implementing a delay between login attempts to slow down attackers.
-
Forcing captchas after multiple failed logins to prevent brute-force attacks.
-
Locking accounts after a specified number of attempted logins to prevent brute-force attacks.
-
Monitoring user accounts for anomalies to detect and prevent brute-force attacks.
By following these best practices, organizations can significantly reduce the risk of dictionary attacks and protect their systems and data from unauthorized access.
This post has been updated on 07-02-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
View all posts by Sarah Krarup