What is a password dictionary attack?

A password dictionary attack is a brute-force hacking method used to break into a password-protected computer or server by systematically entering every word in a dictionary as a password. This attack method can also be employed as a means to find the key needed to decrypt encrypted files.

The dictionary in these attacks commonly consists of ordinary dictionary words and their leetspeak derivatives (words in which characters are replaced with other alphanumeric and non-alphanumeric characters), but it can also be a collection of previously leaked passwords or key phrases.

Who is at risk?

It is estimated that around 80% of people re-use their passwords across online platforms including social media, personal banking, and even work-related systems. While this may seem like a good way to help remember your passwords for important accounts, it is actually leaving you vulnerable to a data breach.

No one understands this more than Facebook CEO, Mark Zuckerberg, who had his social media accounts compromised – including Twitter, where hackers tweeted from his account. The hackers revealed that the famous CEO’s password had been compromised in the LinkedIn data breach. His password for his LinkedIn account, dadada, was also used for his Twitter and other compromised social media accounts.

These types of attacks can have huge ramifications for your business. Dropbox suffered a breach in 2012 that stemmed from an employee using the same password for LinkedIn that they used for their corporate Dropbox account. Instead of some careless tweets from a hacker, this breach resulted in the theft of 60 million user credentials.

How to prevent a password dictionary attack?

The length of the password is an effective defense against brute-force attacks. The best strategy for creating a long password that is also memorable is to make it a passphrase. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long. The words making up a passphrase should be meaningless together to make them less susceptible to social engineering. But a passphrase is only a good choice when it doesn’t appear on a list of leaked passwords.

Blocking these leaked passwords is an effective way to protect your organization from falling victim to a password dictionary attack. Cybersecurity expert Troy Hunt manages one of the largest collections of leaked passwords on his site HaveIBeenPwned where you can personally search to see if your credentials have ever been leaked.

Another critical measure to prevent a dictionary attack is to stop password reuse between different password-protected systems. User training can help educate users on the importance of not reusing passwords. However, the only way to remove this possibility is to block leaked passwords at password creation.
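The check described above, blocking leaked passwords at password creation, as an added example that is not code from the original article or from any product. It also catches the leetspeak derivatives mentioned earlier and digits or symbols appended to a leaked password; the sample list, the substitution table and all function names are assumptions constructed for illustration.

```python
"""Added example: reject leaked passwords (and simple variants) at creation."""

# Constructed sample list; a real deployment would load a leaked-password corpus.
SAMPLE_LEAKED = ["dadada", "password", "letmein", "correct horse battery staple"]

# Assumed leetspeak substitutions to undo before lookup (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
SUFFIX_CHARS = "0123456789!@#$%^&*?."


def normalize(text: str) -> str:
    """Lower-case, collapse whitespace, and map leetspeak characters back to letters."""
    return " ".join(text.lower().split()).translate(LEET)


def build_blocklist(leaked):
    """Store every leaked entry in normalized form so variants compare equal."""
    return {normalize(p) for p in leaked}


def variants(password: str):
    """Normalized forms to look up: as typed, and with appended digits/symbols removed."""
    lowered = password.lower()
    # Strip the suffix before translating, otherwise "123" would turn into letters.
    stripped = lowered.rstrip(SUFFIX_CHARS)
    return {normalize(lowered), normalize(stripped)} - {""}


def check_new_password(password: str, blocklist) -> tuple[bool, str]:
    """Return (accepted, reason) for a password chosen at creation time."""
    for form in variants(password):
        if form in blocklist:
            return False, "matches a leaked password or a simple variant of one"
    return True, "not found on the leaked-password list"


BLOCKLIST = build_blocklist(SAMPLE_LEAKED)

if __name__ == "__main__":
    for candidate in ["dadada", "D4d4d4", "P@ssw0rd123",
                      "Correct Horse Battery Staple",
                      "violet anvil drifts past copper moon"]:
        print(f"{candidate!r}: {check_new_password(candidate, BLOCKLIST)}")
```

The long passphrase in the sample list is rejected despite its length, which is the point made above: length only helps when the phrase is not already on a leaked list.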

(Last updated on January 18, 2021)
