The relevance of a dictionary attack in cyber security stems from the common and risky practice among users of selecting weak and easily guessable passwords, which often consist of ordinary words or popular password combinations. These types of passwords are susceptible to being quickly compromised through dictionary attacks, where an attacker automates the process of entering many possible passwords in the hope that one will match. One popular resource security professionals use is SecLists, which contains a large collection of pre-defined word lists.
Dictionary attacks are typically less complex and time-consuming than brute force attacks, which try every conceivable password combination. Instead, by relying on the likelihood that users’ passwords are simple or commonly used phrases or words, attackers using dictionary attack methods can achieve access without needing significant computational power or time.
To mitigate the risk of dictionary attacks, users should select complex, unique passwords that are not simple words or easily anticipated sequences. Additionally, organisations may enforce policy measures such as mandatory password complexity, periodic password changes, and account lockout mechanisms after a certain number of incorrect attempts.
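The account lockout measure described above can be expressed as a sliding-window counter over authentication events. This is an added example, not part of the original article; the event format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def sample_events():
    """Constructed events: (seconds, source address, account, success).
    Addresses are from the RFC 5737 documentation ranges."""
    events = []
    # One source failing repeatedly against a single account.
    events += [(t * 2, "203.0.113.9", "alice", False) for t in range(6)]
    # One source failing once against each of many accounts.
    events += [(100 + i, "198.51.100.7", f"user{i}", False) for i in range(8)]
    # A legitimate user who mistypes twice and then logs in.
    events += [(200, "192.0.2.44", "bob", False),
               (205, "192.0.2.44", "bob", False),
               (210, "192.0.2.44", "bob", True)]
    return sorted(events)


def analyse(events, window=300, max_account_failures=5, max_accounts_per_source=5):
    """Return (locked_accounts, flagged_sources) for time-ordered events."""
    account_failures = defaultdict(deque)  # account -> recent failure times
    source_targets = defaultdict(deque)    # source -> recent (time, account)
    locked, flagged = set(), set()
    for ts, source, account, success in events:
        if success:
            account_failures[account].clear()  # a good login resets the count
            continue
        fails = account_failures[account]
        fails.append(ts)
        while fails and ts - fails[0] > window:  # drop failures outside window
            fails.popleft()
        if len(fails) >= max_account_failures:
            locked.add(account)
        targets = source_targets[source]
        targets.append((ts, account))
        while targets and ts - targets[0][0] > window:
            targets.popleft()
        # Many distinct accounts failing from one source is the second signal.
        if len({a for _, a in targets}) >= max_accounts_per_source:
            flagged.add(source)
    return locked, flagged


if __name__ == "__main__":
    print(analyse(sample_events()))
```

Counting per account catches repeated guesses at one login, while counting distinct accounts per source catches a list being tried across many logins, which a per-account lockout alone does not see.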
How dictionary attacks work
To begin with, the attacker will create a dictionary of candidate passwords built from combinations of popular words and numbers. The attacker will then use automated software to go through the dictionary and attempt to log in to people’s online accounts with each password in the list. Once a match has been found and the attacker has access to an account, they will use the sensitive data now available to them for their own gain.
The list of passwords will typically comprise words that relate to the account owner, such as generic pet names, famous celebrities, and sports teams. These words will hold emotional significance to the person and will, therefore, be more memorable. The password list will not only contain the words by themselves; it will also contain different combinations of the words and the words paired with varying numbers and special characters.
Hackers rarely manually input the dictionary of passwords. This is because it takes considerably more time, which increases the chance of alerting the account owner, who can then implement defences against the attack. Instead, hackers will use advanced automated software that will quickly try logging in with each password. This drastically increases the chances of the attack being successful.
Most dictionary attacks target random accounts, putting in as many passwords as possible with the hope that one will match. However, in some instances, the hacker will target a specific place or organisation. When this happens, the passwords will be more specific to the context. For example, if a hacker is targeting a business, they will ensure that their list of passwords relates to the company.
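Because the lists described in this section contain words paired with numbers and special characters, a password check has to normalise a candidate before comparing it with a blocklist. The following is an added example, not part of the original article; the blocklist entries, the substitution table and the minimum length are assumptions chosen for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list
# of common and previously leaked passwords instead.
BLOCKLIST = {"password", "dragon", "liverpool", "buster", "letmein", "qwerty"}

# Common character substitutions to undo. "1" and "!" are ambiguous
# (i or l), so one translation table is built for each reading.
BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_TABLES = [str.maketrans({**BASE, "1": c, "!": c}) for c in ("i", "l")]


def candidate_roots(password):
    """Return the normalised forms of `password` to look up in the blocklist."""
    lowered = password.lower()
    # Remove digits and symbols attached to either end: "buster2024!" -> "buster".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    roots = {lowered, stripped}
    # Undo substitutions on both forms: "p@ssw0rd" -> "password".
    roots |= {r.translate(t) for r in roots for t in LEET_TABLES}
    return {r for r in roots if r}


def check_password(password, min_length=12):
    """Return (accepted, reason); the blocklist is checked before length."""
    hit = candidate_roots(password) & BLOCKLIST
    if hit:
        return False, "based on common word: " + sorted(hit)[0]
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Liverpool2024!", "L1verp00l#777", "correct horse battery staple"):
        print(pw, check_password(pw))
```

A password such as `L1verp00l#777` passes a naive rule requiring upper case, digits and symbols, yet it is rejected here because its root is a blocklisted word.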
What is the difference between brute force and dictionary attacks?
The main difference between a brute force attack and a dictionary attack is how the attacker approaches the attack. As mentioned earlier, dictionary attacks systematically go through an entire premade list of passwords when they attempt to break into an account. Brute force attacks, on the other hand, go through every possible combination of letters, numbers and symbols that may make up a password. This means that dictionary attacks are generally more efficient, as they have fewer combinations to go through than a brute force attack, which has a long list of variations.
What tools can be used to perform a dictionary attack?
In security testing, dictionary attacks are employed to assess the strength of passwords and identify potential vulnerabilities. Here are some tools commonly used by penetration testers to perform dictionary attacks:
- Hydra: A parallelised login cracker that supports numerous protocols such as HTTP, FTP, SMTP, and more.
- John the Ripper: A fast password cracker available for many operating systems. It combines several cracking modes and is often used to detect weak passwords in a corporate environment.
- Medusa: A speedy, parallel, and modular login brute-forcer. It is designed to be flexible and allows for the addition of new modules for different services.
- Hashcat: Known as one of the fastest password recovery tools. It supports many hashing algorithms and can utilise GPU acceleration to increase cracking speed.
- Cain & Abel: A password recovery tool for Windows that can perform dictionary attacks, brute-force attacks, and cryptanalysis attacks.
- Ncrack: A high-speed network authentication cracking tool. It is used to assess network security by testing various protocols like SSH, RDP, and FTP.
- Aircrack-ng: A suite of tools to assess Wi-Fi network security. It focuses on key cracking by capturing packets and performing dictionary attacks against WEP and WPA/WPA2-PSK keys.
- THC Hydra: Like Hydra, a network login cracker that supports many different services and can perform quick dictionary attacks.
- CeWL: A custom wordlist generator that spiders a target website to create unique wordlists for use in dictionary attacks.
- Ophcrack: A Windows password cracker based on rainbow tables that can also perform dictionary attacks to recover passwords.
Key Characteristics:
- Systematic guessing of passwords from a pre-compiled list
- Typically faster than brute force attacks that try all possible combinations
- Relies on the tendency of users to choose common words or simple passwords
- Can be mitigated by using complex, non-dictionary words and implementing account lockout policies
Examples:
- Real-World Example: A notable instance of a dictionary attack occurred in 2012 when LinkedIn suffered a data breach. Attackers were able to gain access to millions of accounts by using dictionary attacks on passwords that were hashed but not salted, making them easier to guess.
- Hypothetical Scenario: An attacker targets a company’s email system and attempts to guess the CEO’s password using a dictionary list, which includes combinations of common passwords and terms related to the CEO’s personal interests gathered from social media research.
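The "hashed but not salted" weakness in the real-world example can be seen by comparing stored values for accounts that share a password. This is an added example, not part of the original article; the account data is constructed, and SHA-1, PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; three users share one common password.
ACCOUNTS = {"ann": "sunshine1", "raj": "sunshine1",
            "lee": "sunshine1", "kim": "T9#vq2!mLr8w"}


def unsalted_record(password):
    """Weak scheme: a fast hash with no salt (SHA-1 assumed for illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password, iterations=200_000):
    """Stronger scheme: per-account random salt and a slow key derivation.
    The iteration count is an assumed value; set it from current guidance."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def largest_shared_group(stored_values):
    """Size of the largest set of accounts whose stored value is identical."""
    return max(Counter(stored_values).values())


def compare_schemes(accounts=ACCOUNTS):
    """Return the largest shared group under (unsalted, salted) storage."""
    unsalted = [unsalted_record(p) for p in accounts.values()]
    salted = [salted_record(p)[2] for p in accounts.values()]
    return largest_shared_group(unsalted), largest_shared_group(salted)


if __name__ == "__main__":
    print(compare_schemes())
```

Without a salt, the three accounts sharing a password store the same value, so a single hashed guess is checked against all of them at once; with a per-account salt every stored value differs and each account has to be tested separately.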
Related Terms:
- Brute Force Attack: A method of trial-and-error to guess login info, encryption keys, or find a hidden web page, which is more exhaustive and less efficient than a dictionary attack.
- Password Complexity: A set of rules dictating the creation of passwords, which, if robust, can significantly reduce the risk of dictionary attacks.
- Account Lockout: A security response wherein a user’s account is blocked after a certain number of failed login attempts, preventing continued dictionary or brute force attack attempts.
- Leaked Password Database: Previously compromised account credentials that are often used to formulate password lists for dictionary attacks.