Contact Us Today 01642 716680

Dictionary Attack

Definition: A dictionary attack is a method of cyber attack that uses a pre-arranged list of potential passwords, which is often derived from words found in a dictionary or from previously leaked password databases, to systematically guess and gain unauthorised access to user accounts.

The relevance of a dictionary attack in cyber security stems from the common and risky practice among users of selecting weak and easily guessable passwords, which often consist of ordinary words or popular password combinations. These types of passwords are susceptible to being quickly compromised through dictionary attacks, where an attacker automates the process of entering many possible passwords with the hope that one will match. One popular resource used by security professionals is SecLists, which contains a plethora of pre-defined wordlists.

Dictionary attacks are typically less complex and less time-consuming than brute force attacks, which try every conceivable password combination. Instead, by relying on the likelihood that users’ passwords are simple or commonly used phrases or words, attackers using dictionary attack methods can achieve access without needing significant computational power or time.

To mitigate the risk of dictionary attacks, it is advisable that users select complex, unique passwords that are not simple words or easily anticipated sequences. Additionally, organisations may enforce policy measures such as mandatory password complexity, periodic password changes, and account lockout mechanisms after a certain number of incorrect attempts.

Key Characteristics:

  • Systematic guessing of passwords from a pre-compiled list
  • Typically faster than brute force attacks that try all possible combinations
  • Relies on the tendency of users to choose common words or simple passwords
  • Can be mitigated by using complex, non-dictionary words and implementing account lockout policies


  • Real-World Example: A notable instance of a dictionary attack occurred in 2012 when LinkedIn suffered a data breach. Attackers were able to gain access to millions of accounts by using dictionary attacks on passwords that were hashed but not salted, making them easier to guess.
  • Hypothetical Scenario: An attacker targets a company’s email system and attempts to guess the CEO’s password using a dictionary list, which includes combinations of common passwords and terms related to the CEO’s personal interests gathered from social media research.

Related Terms:

  • Brute Force Attack: A method of trial-and-error to guess login info, encryption keys, or find a hidden web page, which is more exhaustive and less efficient than a dictionary attack.
  • Password Complexity: A set of rules dictating the creation of passwords, which, if robust, can significantly reduce the risk of dictionary attacks.
  • Account Lockout: A security response wherein a user’s account is blocked after a certain number of failed login attempts, preventing continued dictionary or brute force attack attempts.
  • Leaked Password Database: Previously compromised account credentials that are often used to formulate password lists for dictionary attacks.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.