What are dictionary attacks?

Sachin Raaghav

Apr 20 · 6 min read


There are several ways for a hacker to compromise a user's account, but what makes a hacker's job easy? Weak passwords.

The UK's National Cyber Security Centre breach analysis found that 23.2 million victim accounts worldwide used 123456 as their password. Imagine a bank account that holds $1,234,567 secured by the password 1234567. One method cybercriminals use to breach password-protected systems and applications is the dictionary attack, favoured because it is simple compared with other types of cyberattack.

What is a dictionary attack?

Dictionary attacks are often successful and require few resources to execute, because users frequently reuse basic, easy-to-remember passwords across many accounts. A dictionary attack is a hacking technique in which cybercriminals try to crack users' passwords by guessing popular words and phrases taken from a dictionary list or from a pre-defined, user-specific list.

Most dictionary attacks work through the entire dictionary, while others try a wide range of common character combinations or phrases. Users who make poor password choices leave their accounts vulnerable to dictionary attacks. One such bad practice is using personal information as a password because it is easier to remember: some of the most common passwords are the user's birthplace, phone number, birthday, a family member's name, and their interests.

Maintaining strong passwords is essential for protecting your online identity and private information, such as bank accounts and medical records. According to the Verizon 2021 Data Breach Investigations Report, 81% of hacking-related breaches used stolen or weak passwords.

How do hackers execute a dictionary attack?

These days, hackers can learn a great deal about someone's personal life just by looking at their Facebook, Instagram, and other social media profiles. Even the simplest actions are often posted on these platforms as statuses, for example "Taking a walk right now." Sharing personal information on public platforms makes it easy for cybercriminals to learn about their target's interests and activities.

Cybercriminals narrow down their target's interests, such as "user XYZ is interested in Game of Thrones," and use this information to build the dictionary. All the words used in the Game of Thrones universe are collected in a list and entered as password guesses in an attempt to crack the user's account: character names, locations, and lore-related words are some examples of what the list would contain.

Even if the password mixes in other characters to disguise a word that is easy to remember, the tools cybercriminals use can still crack it. For example, if the password is "G@meofThr0Ne$," the tools apply a technique known as character replacement, in which letters are systematically swapped for look-alike symbols (S becomes $, O becomes 0, A becomes @), so that each dictionary word is tried in all of its common variants as well as in its plain form.

A dictionary attack is performed by repeatedly submitting combinations of words related to the user's interests, personal information, and common phrases. It is a trial-and-error technique: if one phrase from the list is not the password, the next phrase in the list is tried. The process continues until the correct phrase is found or the list is exhausted.

Dictionary attacks can easily crack accounts that have weak passwords. Because they rely on trial and error, the processing time can range from milliseconds to years, depending on the complexity of the password. Dictionary attacks can take place both online, against a live login form, and offline, against stolen password hashes.
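The character-replacement rules described above can be applied in reverse on the defending side: a password-policy check that undoes the usual substitutions and compares the result with a wordlist rejects "G@meofThr0Ne$" as the dictionary word it was derived from. This is an added example, not code from the original article or from AD360; the wordlist is a constructed sample and the substitution table is an assumption.

```python
"""Password-policy check: undo the character substitutions a dictionary attack's
rule set applies (a->@, o->0, s->$ ...) and compare the result with a wordlist.
Added example, not code from the article or from AD360; WORDLIST is constructed."""
import string

# Substitutions an attacker's rules apply, read in reverse (symbol -> letter).
UNSUBSTITUTE = {
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
}

# Constructed sample wordlist: topic words the article says an attacker would
# collect about a target (the Game of Thrones example) plus common passwords.
WORDLIST = {
    "gameofthrones", "winterfell", "targaryen", "stark", "lannister",
    "dracarys", "123456", "password", "qwerty",
}

def candidate_forms(password: str) -> list:
    """Return the base forms a password reduces to once the usual mangling
    (case, leetspeak, appended digits/symbols) is undone, in check order."""
    lower = password.lower()
    unleet = "".join(UNSUBSTITUTE.get(ch, ch) for ch in lower)
    forms = []
    for form in (lower, unleet):
        # Also drop a leading/trailing run of digits and symbols ('winterfell2021!').
        for variant in (form, form.strip(string.digits + string.punctuation)):
            if variant and variant not in forms:
                forms.append(variant)
    return forms

def dictionary_hit(password: str, wordlist=WORDLIST):
    """Return the wordlist entry the password reduces to, or None."""
    for form in candidate_forms(password):
        if form in wordlist:
            return form
    return None

def check_password(password: str, wordlist=WORDLIST, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = dictionary_hit(password, wordlist)
    if hit is not None:
        problems.append(f"reduces to wordlist entry '{hit}'")
    return problems

if __name__ == "__main__":
    for pw in ("G@meofThr0Ne$", "Winterfell2021!", "123456", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "accepted")
```

In production the wordlist would be a large breached-password corpus rather than a handful of entries, and the check runs at password-set time, never at login.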

Dictionary attacks vs. brute-force attacks

A dictionary attack is a variation of the brute-force technique. A brute-force attack tries every possible combination of characters. For example, a 3-digit PIN code has 1,000 possible combinations; in a brute-force attack, all of them are tried, from 000 to 999, until the account is cracked open.

A dictionary attack instead tries every entry from a dictionary list and from a predefined list of words and phrases collected by researching the user's personal information and interests. Continuing the PIN example, a dictionary attack might try only the combinations that contain the digit 7: 657, 757, 777, and so on. Why 7? Perhaps because the cybercriminal knows that their target's car licence plate, phone number, and date of birth all contain many 7s.

Comparison of a dictionary attack and a brute-force attack

Method
  • Brute-force attack: tries all possible combinations of letters, numbers, and special characters.
  • Dictionary attack: tries all the words, and combinations of words, in a predefined list created after researching the target.
Time taken
  • Brute-force attack: depends on the password's complexity.
  • Dictionary attack: depends on the number of words in the predefined list.
Difficulty
  • Brute-force attack: depends on the password's length; the shorter the password, the easier it is to crack.
  • Dictionary attack: depends on how common the password is and how closely it resembles entries in the predefined list.

How to prevent dictionary attacks

MFA
  MFA combines two or more authentication methods. For example, a username and password are required along with a one-time passcode sent to the user's email or smartphone. Only after successfully authenticating through both methods can the user log in.
Using biometrics
  This is an authentication process that uses the user's biological characteristics for identity verification. Biometrics are convenient and faster to use than passwords. Example: a fingerprint.
Forcing limitations
  Restrict the number of password attempts allowed within a particular time frame, and lock the account after a certain number of failed attempts.
CAPTCHAs
  Automated log-in attempts can be blocked by requiring a CAPTCHA.
Strong passwords
  Make sure the password is not a simple word. Increase the complexity of passwords by:
  • Increasing their length.
  • Using both uppercase and lowercase letters.
  • Using numbers.
  • Using special characters.
Changing passwords
  Change your passwords regularly and make sure that the new password is not similar to the old one.
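The "Forcing limitations" row above describes a failed-attempt throttle with account lockout. Below is an added example of that control, not code from the article or from AD360; the thresholds are assumptions and the time is passed in explicitly so the behaviour is reproducible.

```python
"""Failed-login throttle: at most max_failures failures per account within a
sliding window of `window` seconds, after which the account is locked for
`lockout` seconds. Added example, not AD360 code. State is kept in process
memory here; a real deployment would use a shared store."""
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which the lock expires

    def is_locked(self, account, now):
        """True while the account is inside its lockout period."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear it and the history
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed attempt; return True if this one triggers a lockout."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)

def attempt_login(throttle, account, password_ok, now):
    """Return 'locked', 'ok', 'failed' or 'locked_now'. The lock is checked
    before the password so a locked account gives the same answer either way."""
    if throttle.is_locked(account, now):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    return "locked_now" if throttle.record_failure(account, now) else "failed"
```

Because an attacker can deliberately trigger lockouts to deny service to legitimate users, this control is usually paired with a CAPTCHA or progressive delays rather than used alone.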

It's now or never

If a password is easy for you to remember, it can most likely be cracked easily by a cybercriminal. IT administrators need to make sure that the employee accounts in their organization are not vulnerable to dictionary attacks. There are multiple ways to tackle this problem, as covered in the table above. With AD360's built-in password complexity tool, administrators can prevent various brute-force attacks, including dictionary, credential-stuffing, and password-spray attacks. Start securing your data now, before it's too late.