What is meant by a dictionary attack?
In a dictionary attack, hackers use automated tools to systematically try out a large number of predefined possible passwords in a short period of time. These passwords are typically extracted from a predefined dictionary containing words, phrases and characters. The attackers rely on the fact that many people choose weak passwords that can be easily guessed using this method. The combination with additional automated rules, such as the insertion of special characters and numbers, further increases the probability of success of a hacker attack, as more and more users are combining a simple word with numbers and/or special characters for their password.
The dictionary attack is a method that can be used for both web services and local computer systems. There are two main variants of this attack technique:
- Online dictionary attack: In this variant, the hacker repeatedly attempts to log in to the target system (website, app, etc.) using different entries from a list of possible passwords until the correct one is found. The provider can make this considerably more difficult with security measures such as auto-lock-out (locking the account after e.g. 3 failed attempts), rate limiting (slowing down access after too many requests within a certain time) or captchas. There is usually also a natural limiting factor: the attacker has to communicate with the server over the Internet, so the speed of the attack is bounded both by the Internet connection and by how many requests the target system can process at the same time.
- Offline dictionary attack: In this case, the attacker has direct access to the target, with no further security measures in between (unlike the online variant). This can be, for example, a database of usernames and hashed passwords, an encrypted hard disk or a password-protected ZIP archive. Since no provider can activate extra protective measures and no Internet connection or similar factor acts as a barrier, the only factors limiting the success and speed of this procedure are often the hardware and the method used.
Both methods aim to gain unauthorized access by systematically trying out words and passwords.
In today's digital world, the dictionary attack is a common and popular tactic used by hackers to crack passwords, take over accounts and gain access to sensitive information, alongside other attack methods such as the brute force attack, password spraying or credential stuffing.
Contrary to the brute force method, the use of the dictionary method can of course only lead to success if users also use passwords that exist in the dictionary. While attackers cannot crack secure complex passwords with the dictionary method, they can still successfully attack many poorly protected user accounts (e.g. when using names, animals, dates of birth) much faster than with the brute force method.
The hackers' approach to the dictionary attack
Hackers use different approaches to carry out dictionary attacks.
The practice of trying out millions or billions of possible username and password combinations to gain access to other people's accounts is usually made possible by automated tools or specially developed scripts. This maximizes the number of operations performed per unit of time and increases the probability of successful access. As this approach is often time-consuming, many attackers also prefer to use specialized dictionaries tailored to specific user types or industries. Another approach is the so-called hybrid attack, in which words from the dictionary are combined with numbers, special characters or other variants (e.g. "Summer2024!" or "Dr4g0n"). This method significantly increases the chances of a successful attack and makes it more difficult to defend against.
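The hybrid rules described above (appended digits and special characters, case changes, "leet" substitutions) are exactly what a defender's password-policy check has to undo before comparing a candidate password against a wordlist; a policy that only looks for the literal word "summer" would accept "Summer2024!". The following is an added example of such a check, not code from the original article. The dictionary, the leet mapping and the 12-character minimum are constructed assumptions; a real deployment would load a large leaked-password list from disk.

```python
import re

# Constructed sample dictionary (assumption): a real check would load a large wordlist.
SAMPLE_DICTIONARY = {"password", "summer", "dragon", "fluffy", "monkey", "welcome"}

# Reverse mapping for common "leet" substitutions used in hybrid rules (assumption:
# covers the usual replacements, not an exhaustive rule set).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidate_roots(password):
    """Return the dictionary roots a password may have been built from.

    Normalises case, reverses leet substitutions and strips digits/special
    characters from either end, so "Summer2024!", "!!dragon" and "Dr4g0n"
    all map back to their underlying dictionary word.
    """
    roots = set()
    lowered = password.lower()
    for variant in (lowered, lowered.translate(LEET_MAP)):
        roots.add(variant)
        # strip digits/specials from both ends, e.g. "summer2024!" -> "summer"
        roots.add(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", variant))
    roots.discard("")
    return roots


def is_dictionary_based(password, dictionary=SAMPLE_DICTIONARY):
    """True if any normalised root of the password is a dictionary word."""
    return any(root in dictionary for root in candidate_roots(password))


def check_password_policy(password, dictionary=SAMPLE_DICTIONARY, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_based(password, dictionary):
        problems.append("derived from a dictionary word (hybrid variants included)")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2024!", "Dr4g0n", "P@ssw0rd", "correct-horse-battery-staple"):
        print(pw, "->", check_password_policy(pw) or "OK")
```

The check is deliberately conservative: it rejects anything whose root is in the list, which is the right trade-off for a registration or password-change form where a false rejection costs the user a few seconds and a false acceptance costs the account.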
Protective measures against dictionary attacks
Even if there is no perfect protection against hacker attacks, the probability of success of dictionary attacks can at least be reduced to a negligible minimum. The following security measures on the user and provider side help to provide the best possible protection against dictionary attacks:
- Use strong passwords: The simplest but most effective protection against dictionary attacks is the use of strong passwords. People often think of long passwords with lots of special characters, numbers and letters. However, what matters is complexity, and a complex password can still be easy to memorize. You can find out more about this in our article Password Length vs. Password Complexity: Or should it be Password Strength?
- Use unique passwords: To minimize the personal impact of an attack, a user should use a separate password for each user account. This prevents a hacker from using one compromised password to authenticate on the user's other login pages.
- Use a password manager: With a password manager, users can securely store and manage their login data. Some of these tools can also generate random, secure (strong) passwords. Advanced tools can additionally check existing passwords for strength and for whether they have already been compromised. Password managers are available as browser extensions or as stand-alone apps/software. You can find out more about this in our article Should I use a Password Manager or the One-Password Solution.
- Two-factor or multi-factor authentication (2FA/MFA): The implementation of 2FA/MFA by the provider is an additional layer of security that makes access to an online account considerably more difficult. Even if an attacker guesses the password, they also need a second authentication factor, such as a one-time code (OTP) generated in an authenticator app, for example.
- Implement password policies: Organizations should establish clear password policies that require the use of strong passwords. This may cover the length of the password and the use of different character types. However, regular forced password changes should no longer be required (as long as the password has not been compromised), as this only encourages users to choose weaker passwords.
- Use a lock-out function: The lock-out function is probably one of the most efficient protective functions offered by access providers today. It temporarily blocks the account once a predefined number of login attempts have failed and is therefore effective protection against dictionary attacks.
- Monitoring and alarms: An effective monitoring system can detect suspicious activity and alert users or administrators when repeated failed login attempts occur. This enables a quick response and account blocking in the event of suspicious incidents.
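The lock-out and monitoring measures in the last two items can be shown together: a small login guard that counts consecutive failures per account, blocks the account for a fixed period after the threshold is reached, and separately raises an alert when one source address produces many failures across any accounts within a short window (the pattern an online dictionary attack leaves in an authentication log). This is an added example, not code from the original article or from any particular product. The log format, the thresholds (3 failures to lock, 15-minute lock, 5 failures per IP within 5 minutes to alert) and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them for the real system.
MAX_FAILED_ATTEMPTS = 3                   # lock the account on the 3rd consecutive failure
LOCKOUT_DURATION = timedelta(minutes=15)
ALERT_THRESHOLD = 5                       # failures from one source IP, across any accounts
ALERT_WINDOW = timedelta(minutes=5)

# Constructed log format (assumption, not a real product's format):
# "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log: three failures on "alice" followed by a correct login
# while she is locked, then the same IP moving on to other accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04 OK user=alice ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:06 FAIL user=carol ip=203.0.113.5
2024-05-01T10:01:00 OK user=dave ip=198.51.100.7
2024-05-01T10:30:00 OK user=alice ip=198.51.100.7
""".splitlines()


class LoginGuard:
    """Per-account lock-out plus per-source-IP failure monitoring."""

    def __init__(self):
        self.failed_count = defaultdict(int)    # user -> consecutive failures
        self.locked_until = {}                  # user -> datetime the lock expires
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.last_ip_alert = {}                 # ip -> time of last alert (avoid repeats)
        self.alerts = []                        # (timestamp, message) for administrators

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # lock expired: clear it and reset the failure counter
        del self.locked_until[user]
        self.failed_count[user] = 0
        return False

    def _note_ip_failure(self, ip, now):
        window = self.ip_failures[ip]
        window.append(now)
        while now - window[0] > ALERT_WINDOW:   # drop failures older than the window
            window.popleft()
        last = self.last_ip_alert.get(ip)
        if len(window) >= ALERT_THRESHOLD and (last is None or now - last > ALERT_WINDOW):
            self.last_ip_alert[ip] = now
            self.alerts.append((now, f"{len(window)} failed logins from {ip} within {ALERT_WINDOW}"))

    def record_attempt(self, user, ip, success, now):
        """Apply the rules to one attempt and return "ok", "failed" or "locked"."""
        locked = self.is_locked(user, now)
        if success and not locked:
            self.failed_count[user] = 0
            return "ok"
        # every failure, and every attempt against a locked account, feeds IP monitoring
        self._note_ip_failure(ip, now)
        if locked:
            return "locked"          # even the correct password is refused while locked
        self.failed_count[user] += 1
        if self.failed_count[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.alerts.append((now, f"account {user} locked after {MAX_FAILED_ATTEMPTS} failures"))
            return "locked"
        return "failed"


def process_log(lines, guard=None):
    """Replay log lines through a LoginGuard; return the guard and per-line outcomes."""
    guard = guard or LoginGuard()
    outcomes = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # skip lines that do not match the expected format
        now = datetime.fromisoformat(m["ts"])
        outcomes.append(guard.record_attempt(m["user"], m["ip"], m["result"] == "OK", now))
    return guard, outcomes


if __name__ == "__main__":
    guard, outcomes = process_log(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print(f"{outcome:6} {line}")
    for ts, msg in guard.alerts:
        print("ALERT", ts, msg)
```

Two details matter in practice: the lock refuses even the correct password until it expires (line 4 of the sample), which is what stops an attacker who happens to guess right on the fourth try, and the IP-based alert fires on failures spread across several accounts, which per-account lock-out alone never sees.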
Conclusion
Dictionary attacks are a constant threat in the world of cybersecurity. However, by making users, companies and organizations aware of strong passwords and implementing basic, additional layers of security and proactively responding to suspicious activity, the likelihood of a successful dictionary attack can be all but eliminated. The IT security landscape is constantly evolving, and it is imperative that all IT managers stay up to date to defend against new methods of attack.