Everybody knows that their passwords should be complex. You shouldn’t include personal information like your birth month, hometown, or name. Otherwise, hackers could quickly scan our social media pages and guess our login credentials.

However, even seemingly random and safe words like “platypus” or “wormhole” can be easily broken, not to mention the cliché options like “password.” A dictionary attack is a standard tactic hackers use to crack word-based passwords.

What is a Dictionary Attack?

Dictionary attacks essentially throw a book at the problem. A program methodically goes through words from a dictionary until it guesses the correct password. Many dictionary attacks are customized to go through specific words, phrases, and variations before taking the random route. Some prioritized terms may include:

• Fictional characters (Harry Potter, Zeus, James Bond, etc.)
• Pet names
• State capitals

Starting with commonly used options is a way to bypass a system’s security measures. If the hacker attempts a wrong password too many times, then their attempts may be flagged and notify the legitimate account holder.

These attacks aim to break into online accounts and steal information. This can lead to identity theft, financial impersonation, and even corporate espionage. However, most websites nowadays require a combination of special characters, numbers, and letters in passwords, which makes dictionary attacks far less effective.

In response, hackers have also repackaged dictionary attacks for use in file decryption. Users don’t put the same emphasis on beefing up the passwords of protected files since those are typically one-time transfers. If those files are intercepted in transit, a dictionary attack would have a much higher chance of breaking in than social media or email passwords.

Brute-Force Vs. Dictionary Attacks

Brute force attacks are another method to guess a password. The tactic relies on immense computing power to input millions of password combinations in a matter of seconds. A brute force attack takes all possible symbols, letters (lowercase and uppercase), and numbers and arranges them in every conceivable pattern. 

Dictionary attacks are a subclass of brute force attacks restricted to complete words. A dictionary attack may use special characters like “@” or “!” but only when those characters are commonly used to replace a specific letter. For example:

p@ssword = password

!ntriguing = Intriguing

Despite brute force attacks being far more encompassing than dictionary attacks, they are relatively simple to defend against. Adding a single character to a password exponentially increases the number of possibilities the program has to guess. Modern computers can break an 8-character password in a few seconds but would require millions of years to guess one that’s 12 characters or longer.

Why Are Dictionary Attacks Popular?

Reused passwords are the bane of online security. If you use the same password for multiple accounts, then a dictionary attack only needs to succeed once to uproot your entire life. It’s also important that even when people change their password, they’re frequently only adjusting one or two characters, which doesn’t do much to improve your security.

Additionally, reports show that nearly 20 percent of passwords are compromised. This is due to either individual hacking or large-scale breaches, but it’s a huge problem. That 20 percent gives hackers millions of data points to figure out what words are most commonly used in passwords. AKA: What words to guess first.

Cybernews even compiled a list of the most repeated password phrases and combinations in 2023. These passwords are not only useful for dictionary attacks but also for other brute-force attacks like password spraying.

How to Defend Against Dictionary Attacks

Dictionary attacks aren’t hard to pull off and should be a fundamental concern of any cybersecurity worker. Organizations can defend against attacks by implementing additional barriers like captchas and multi-factor authentication to snuff out the danger of brute-force and dictionary attacks.

Note: Multi-factor authentication is significantly weakened if the compromised account uses the same or similar password for its email service. Make sure to use vastly different passwords for the main accounts and accounts used for verification. 

Aside from protecting individual users, IT professionals need to prepare for when a dictionary attack is successful. This means preventing the intruder from stealing additional information after gaining access. Companies can minimize lost data by restricting access permissions based on an employee’s needs. They should also encrypt all stored passwords so the breach doesn’t expand any further.

An individual user’s best bet is to employ a password manager. These nifty programs do it all for you. They save your login credentials for autofill, generate complex and strong passwords, and track which passwords may have been compromised.

Some people worry that a password manager puts all their passwords in one place and exposes them to danger. However, popular options all come equipped with military-grade encryptions and security measures. Many browsers have a password manager extension already pre-installed, but third-party options exist for anyone wanting more control.

If, for some reason, you still don’t want to rely on a password manager, then you can protect yourself by following these rules:

• Use 12 or more characters
• Include a mix of uppercase and lowercase letters
• Don’t use complete words or number sequences (dates, years, addresses)
• Use AT LEAST one unique character

Protect Yourself with Strong Passwords

Hopefully, this post has convinced you of the dangers of dictionary attacks and how to avoid them. The most present threat to your online safety is a lack of proactivity. Creating unique passwords for every account may seem complicated, but it’s more manageable than you think, especially if you use a password manager.

Stay updated on current data breach news if you want to go the extra mile. You never know when one of your most-visited sites will become compromised, and you need to change your login credentials. InfoPay even has dark web tracking services that can inform you when your information is on sale and guide you through the following steps!