Dictionary attack – what it is and how to successfully defend against it

We as users trust companies and service providers to protect our data. We hope that they leave no backdoors in their software, properly train their employees, and do not store usernames and passwords in unencrypted format.

But things are not as simple as they might seem. Cyberattacks can hit anyone, and protecting yourself or your business is not always easy. One of the most common types of attack is the so-called dictionary attack. In this article, we’ll take a look at what a dictionary attack is and how to easily prevent one.

What is a dictionary attack?

A dictionary attack is a systematic method of discovering a password by trying common words and their simple variants. Attackers use large lists of commonly used passwords, popular pet names, fictional characters or ordinary dictionary words – hence the name of the attack. A dictionary attack also anticipates the usual tweaks users make, such as capitalizing some letters or replacing letters with special characters. Thus, the word “password” can become “P@ssw0rd”. Given the computing power available today, trying all such variants is not a problem.

Hackers use this attack to gain access to online accounts, but also to decrypt password-protected files. Most people have made at least some effort to secure their email inboxes or social networking accounts. However, they choose simple and easy-to-remember common words, which plays into the hands of dictionary attacks that guess these passwords quite easily.

How does a dictionary attack work?

During a dictionary attack, a program systematically enters words from a list as passwords to gain access to a system, account or encrypted file. A dictionary attack can be performed both online and offline.

In an online attack, the attacker repeatedly attempts to log in or gain access like any other user. This type of attack works better if the hacker has a list of likely passwords. If the attack lasts too long, it may be noticed by the system administrator or the original user.

Attackers tend to be very clever and find out private information about users. This is not a problem given the prevalence of social networks. The likelihood of guessing passwords increases because they can more easily try passwords such as birth dates, anniversaries, as well as the names of pets, parents or partners. Any such private information should not appear in passwords, and certainly not as a full password.

What is the difference between a brute force attack and a dictionary attack?

Brute force attacks are also used to guess passwords. They rely mostly on the computing power of the attacker’s computer. During a brute force attack, the program also automatically enters combinations of letters, symbols and numbers, but in this case they are completely random.

There are hundreds of thousands of word roots in the English language, so in practice tens of millions of word variants once prefixes, suffixes and inflections are included. However, tens of millions of variants are not difficult for computers to work through.

Whereas a brute force attack would randomly try to enter a jumble of characters, a dictionary attack is much more systematic and efficient because many entries are made up of words. In principle, it is also a brute force attack, but it takes into account the information and tendencies of the users.

If the password is not composed of common words, a dictionary attack will not work and the attacker must fall back on brute force. If you also choose a long password (we recommend at least 12 characters), that attack will fail as well.

This doesn’t mean that an attacker can never get at your passwords, since they can resort to phishing or keyloggers, but those typically already require some inattention on the user’s part.

How to prevent a dictionary attack?

Online attacks can be stopped relatively easily. Sites or applications typically use captchas, can require two-factor authentication, and, most importantly, limit how many times a single user can try to log in before the account is locked. This way, an attacker gets only a handful of login attempts, which makes online brute force attacks easy to repel.
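The lockout rule described above, as an added example that is not part of the original article: a small per-account guard that counts consecutive failed logins and locks the account once a limit is reached, so an online guessing loop gets a handful of tries instead of millions. The limit and lock duration are assumed policy values, and the credential store is a constructed demo.

```python
import time
from collections import defaultdict

# Hypothetical policy values (an assumption for this example, not from the article).
MAX_ATTEMPTS = 5        # consecutive failures allowed before the account is locked
LOCKOUT_SECONDS = 900   # lock duration: 15 minutes


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account
    once MAX_ATTEMPTS is reached; further attempts are refused until the
    lock expires, which caps what an online dictionary attack can try."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can fake time
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unlock timestamp

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: reset the counter so the legitimate user can log in.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password, verify):
        """Run one login attempt; returns True only on a successful, unlocked login.
        `verify` is the real credential check (a salted password-hash compare in
        production); it is never called while the account is locked."""
        if self.is_locked(account):
            return False
        if verify(account, password):
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self._failures[account] >= MAX_ATTEMPTS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
        return False


# Constructed sample credential store for the demo (plaintext only for brevity).
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(account, password):
    return DEMO_USERS.get(account) == password
```

In a real service the counter lives in shared storage (not process memory) and is paired with captchas and two-factor authentication, as the text notes.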

But what can you do as a user to prevent your accounts from being hacked? Most importantly – don’t be predictable. The best passwords are words that mean nothing to the general public. Keep in mind, though, that a single very long word is not a strong password either. It doesn’t matter whether you choose “anodontosaurus” (which is a real dinosaur) or “cat” as your password: it takes the computer the same amount of time to try either one.

So create new words, use special characters or, best of all, use random strings of upper and lower case letters, symbols and numbers.
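A defender-side password check illustrating the advice above and the “password” → “P@ssw0rd” substitution trick from earlier in the article. This is an added example, not the article’s or any vendor’s code: it undoes the common substitutions before testing a candidate against a wordlist, enforces the 12-character minimum, and generates a random string with the CSPRNG. The wordlist is a constructed sample; a real check would load a large dictionary or breached-password list.

```python
import re
import secrets
import string

# Character swaps a dictionary attack tries on top of a base word ("password" -> "P@ssw0rd");
# the checker undoes them so the disguised word is still caught.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed sample wordlist for the demo; a real check would load a large
# dictionary or breached-password list instead.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon",
                "monkey", "sunshine", "football", "anodontosaurus"}

MIN_LENGTH = 12   # the article's recommended minimum
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def normalize(password):
    """Reduce a candidate to the base word an attacker would have started from:
    drop a leading/trailing run of digits or symbols, lowercase, undo substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", core)


def check_password(password, wordlist=COMMON_WORDS):
    """Return (accepted, reason). A password is rejected if it is shorter than
    MIN_LENGTH or collapses to a word in the wordlist after normalization."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if normalize(password) in wordlist:
        return False, "dictionary word (after undoing substitutions)"
    return True, "ok"


def random_password(length=16):
    """Generate the kind of random string the article recommends, from the CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Note that a long single word such as “Anodontosaurus” is rejected just like “P@ssw0rd2024!”, while a random or multi-word string passes.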

Use a password manager like NordPass to store all your passwords securely. Only you will have access to them, so you can rest assured that your online accounts are safe.
