What Is a Dictionary Attack and How Can You Prevent It?

There are a lot of words in the dictionary, and Webster’s international dictionary has a word count of 476,000 entries. This is a large number of entries and of course, you would have only heard and used about half of it. Hackers go through the pain of using dictionary words in trying to break into your system. Common victims are those who use common dictionary words as passwords. And so with the use of the right process, hackers can carry out a dictionary attack and steal your data and money as well.

A study showed that most people reuse their passwords for multiple accounts. These passwords are mostly easy-to-remember phrases for easy remembrance. Hackers have databases when carrying out dictionary attacks, and the database is made up of commonly used dictionary words. It also contains old passwords that have been leaked in other attacks since people tend to reuse their passwords.

dictionary attack

What Is Dictionary Attack?

A dictionary attack is a type of cybersecurity attack in which passwords are guessed by entering dictionary words to break into an account or computer. This attack is based on the fact that most people prefer to use easy and simple to remember passwords for multiple accounts.  While it is convenient for the user, it poses a risk as the password can easily be guessed and the computer or account hacked using only a few resources.

Dictionary attacks follow different processes. While some only systematically try commonly used passwords and phrases, others check the entire dictionary. Examples of commonly used passwords include ‘password’, ‘123456’, ‘qwerty’, and also ‘iloveyou’. These passwords are used by many internet users around the world. So if yours is the same as any of these you should promptly change it.

Because of the ease at which your system or account can be broken into, with the use of such easy to guess passwords, many systems prevent their use. Systems now help you choose a strong password by making it compulsory to use a combination of numbers, uppercase and lowercase letters, and special characters. This doesn’t mean you should use ‘password123$’ as it can easily be cracked.

Success Rate of Dictionary Attacks

Dictionary attacks have a high success rate if given enough time and trial attempts. This is because a lot of people use easy-to-remember passwords across multiple accounts and don’t change them even when there is a security breach.

Passwords such as ‘password’ and ‘123456’ are among those that are most commonly leaked due to their high usage. The use of names and common phrases as passwords are also commonly leaked as the majority of internet users share such passwords. Most people also use their date of birth, favorite football teams, amongst others as their passwords. The UK’s National Cyber Security Center (NCSC) advised that football fans desist from using their favorite teams as their passwords because it’s among the most commonly leaked passwords.

A survey by security.org shows that almost 70% of people slightly alter their old passwords when creating new ones making it easy to break into all their accounts. In another survey on The State of Password and Authentication Security Behaviors by Yubico and Ponemon, 69% of people have similar passwords with others in the workplace. Balbix reported on the state of password use and they stated that an average user has about 8 passwords that are shared across all their accounts. This includes both work and personal accounts.

Brute Force and Dictionary Attack

Both brute force and dictionary attacks aim at revealing your password to the attacker. The difference however lies in the process involved.

Dictionary attacks systematically try a list of preselected words to gain access to your account or computer. Brute attacks on the other hand are more extensive and try every combination of special symbols, letters, and numbers.

Most times, the software is used in a brute force attack. It starts with the most likely password options. Since uppercases are mostly used as the first letter of a password, it is used as the first letter where an uppercase is a requirement. Due to the extensive process involved in brute force attacks, they take a long time and rely heavily on computing power.

Types of Passwords That Are Prone to Dictionary Attack

When attempting to break into your device or account, hackers take into account the common combinations that most people use when creating passwords. They combine word lists with commonly used password lists which include:

  • Words that are gotten from a different database such as names of places, words from myths, cartoon characters, names, books, and films.
  • Word pairs
  • Variations of names, initials, bank account name, address, phone number, pet’s name, and other personal information
  • Variations in spellings of common words such as movie title, books, places, myths, etc. the variations could also include the replacement of the letter ‘o’ with the number ‘0’

Online Attacks and Offline Attacks

Both dictionary attacks and brute force attacks can be conducted online and offline. Online attacks are however less dangerous as you are more likely to find out that someone is trying to break into your account. Also, there is a limited number of password trials.

Offline attacks on the other hand have a higher chance of success as they are 1000 to 1,000,000 times faster than online attacks. They have a database with stolen passwords to try. They also have time to attempt breaking into the system. So this type is more successful compared to online attacks.

How A Dictionary Attack Is Carried Out

A dictionary attack is carried out successfully after careful research has been conducted on the victim. The success however depends on the type of password the victim is using. If you make use of your name, pet’s name, favorite author, or movie character as your password, it would be easy to carry out a dictionary attack on you. This is even easier if your social media accounts contain such personal information that could give a clue to your password.

Key elements of a dictionary attack –

  • Research around the victim
  • Common names the victim uses as password
  • Information shared on social media
  • Using the same passwords for multiple accounts
  • Using common terms as password
  • Access to a password cracking software

Some hackers use special software to help crack complex password combinations. They create variations of potential passwords and check to see that they match your actual password. The software has high efficiency and breaks passwords rapidly.

Preventing Dictionary Attacks

Use A Strong Password

Strong passwords are usually long and contain a combination of upper and lowercase letters, numbers, and special characters. Anything under 12 characters long isn’t considered a strong password. Strong passwords aren’t easy to remember, but you can solve this problem by using a password manager.

When you use a strong password, hackers find it more difficult to break into your account. It takes more trials and entry and also gives you the chance to salvage the situation before they succeed. 

Change Your Passwords Regularly

When data breaches occur, passwords get stolen and are stored in a database by hackers. With such data, it would be easier to break into your account. That’s why you need to change your password regularly to reduce the chances of successful break-in attempts into your account. Also, avoid using the same password for all your accounts. Use unique passwords instead and change them regularly.

Limit The Information You Provide On Social Media

Your social media is a treasure house for personal information about you. Hackers carry out adequate research before creating a list of possible passwords. This list would include your favorite teams, movies, pets, places, etc. as gotten from your profile on social media. This data helps them break into your account easily.

Use Separate Passwords for Different Accounts

With a single password for all your accounts, hackers only need to crack one to gain access to all your accounts. And so to prevent this, and improve your security, use different passwords for each account you have online. This way, a security breach to one doesn’t make other accounts vulnerable.

Password Policy to Counter Brute Force Attack

Complying with a strong password policy is important in preventing a brute force attack. Bear in mind that using words from the dictionary may be easy to remember, but they are very weak passwords. The length of your password is also a criterion to determine the strength of your password.  A long password would be more difficult to guess when compared to a short one.

When choosing a strong password to prevent brute force attack, the following guidelines would help:

  • It must have special characters
  • It should contain numbers
  • It should have a mix of both upper and lower cases
  • The password length should be at least 7 characters


The rate of dictionary attacks is on the rise because of the types of passwords people use. Using weak passwords, or the name of your pet, favorite author, movie character and other personal information makes it easy for your account to be hacked. Using one password for all your accounts also puts your accounts at risk. You can make it difficult for hackers and ultimately prevent dictionary attacks by using strong and unique passwords for each account.