Dictionary attack

Using a dictionary to hack user accounts and gain unauthorized access.

Jun 25, 2025 · 2 min read

A dictionary attack is a method used to access a password-protected account. The target can be a local computer system or a web service. The passwords used for the attack are usually extracted from a predefined dictionary, but specialized dictionaries may also be used depending on the target.

Another tactic is to append numbers and special characters to the words, since many passwords now consist of more than just letters. The attacker must also decide whether to carry out an online or an offline dictionary attack.

In the online variant, the login attempts are made directly against the target system, which is often a web login form. The limiting factor for the attacker is the provider of the login service, which can cap the number of login attempts with security measures such as account lockout. Rate limiting or CAPTCHAs can also slow the attacker down.
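The two controls named above, account lockout and per-source rate limiting, are simple to implement on the server side. The following is an added example, not code from the original article: a small in-memory login guard with constructed thresholds (five consecutive failures lock an account for 15 minutes, twenty attempts per minute from one source are refused) and two constructed scenarios showing the attacker being stopped before a dictionary run can complete. The account names, documentation-range IP addresses and timestamps are invented for the demonstration.

```python
"""Added example: failed-login tracking with account lockout and per-source
rate limiting for the online variant of a dictionary attack. Thresholds,
the in-memory store and the sample scenarios are constructed assumptions."""
from collections import defaultdict, deque

MAX_FAILURES_PER_ACCOUNT = 5   # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900          # assumption: 15-minute lockout
MAX_ATTEMPTS_PER_SOURCE = 20   # assumption: attempts allowed per source per window
SOURCE_WINDOW_SECONDS = 60     # assumption: sliding window for the source limit


class LoginGuard:
    """Decides whether a login attempt may even be evaluated."""

    def __init__(self):
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp
        self.source_hits = defaultdict(deque)   # source -> timestamps of attempts

    def _source_limited(self, source, now):
        # Drop timestamps that fell out of the sliding window, then compare.
        hits = self.source_hits[source]
        while hits and now - hits[0] > SOURCE_WINDOW_SECONDS:
            hits.popleft()
        return len(hits) >= MAX_ATTEMPTS_PER_SOURCE

    def attempt(self, account, source, password_ok, now):
        """Return 'ok', 'fail', 'locked' or 'rate_limited' for one attempt.

        A locked account is refused even when the password is correct, so
        a guess that happens to be right after the lockout gains nothing.
        """
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if self._source_limited(source, now):
            return "rate_limited"
        self.source_hits[source].append(now)
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return "locked"
        return "fail"


def simulate_dictionary_run():
    """Constructed scenario: six wrong guesses against one account from one
    source, then the correct password one second later."""
    guard = LoginGuard()
    results = [guard.attempt("alice", "203.0.113.7", False, now=1000 + i)
               for i in range(6)]
    results.append(guard.attempt("alice", "203.0.113.7", True, now=1007))
    return results   # four failures, then locked for every later attempt


def simulate_many_accounts_one_source():
    """Constructed scenario: one guess each against 21 different accounts
    from a single source inside one 60-second window."""
    guard = LoginGuard()
    return [guard.attempt(f"user{i}", "198.51.100.9", False, now=2000 + i)
            for i in range(21)]   # 20 plain failures, then rate_limited


if __name__ == "__main__":
    print(simulate_dictionary_run())
    print(simulate_many_accounts_one_source())
```

The lockout is keyed on the account and the rate limit on the source, because the two controls cover different attacker behaviour: the first stops many guesses against one account, the second stops one guess against many accounts from the same place. A production implementation would keep this state in a shared store rather than in process memory.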

In the offline variant, the attacker has direct access to an encrypted device, such as an external hard drive, or access to a user database containing the hashed passwords. The limiting factor in this case is the software and hardware used by the attacker for the hack.

In both cases, the aim is to try as many dictionary passwords as possible in the shortest amount of time in order to gain unauthorized access. Compared with a brute-force attack, a dictionary attack usually finishes more quickly because the number of candidate passwords is much smaller. However, the method only succeeds if users employ passwords that appear in the dictionary used. Typical passwords such as names or dates of birth are therefore particularly easy to find.
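Because the attack only works against passwords that appear in the dictionary, the corresponding defence is to refuse such passwords at registration time, including the "word plus digits or symbols" variants mentioned earlier. The following is an added example, not code from the original article: a password check that normalizes a candidate (lower-casing, undoing common character substitutions, stripping leading and trailing digits and symbols), compares the resulting forms against a wordlist, and separately rejects date-shaped strings. The wordlist, the substitution table and the date patterns are constructed assumptions; a real deployment would load a large list of common passwords instead.

```python
"""Added example: registration-time check that rejects passwords a
dictionary attack would find. The wordlist below is a constructed sample;
the substitution map and date patterns are assumptions for illustration."""
import re

# Constructed sample; in practice a file with many thousands of entries.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "michael", "letmein"}

# Assumption: the most common character substitutions users apply.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumption: YYYYMMDD, DDMMYYYY (with optional separators) or a bare year.
DATE_PATTERN = re.compile(
    r"(19|20)\d{2}[./-]?\d{2}[./-]?\d{2}"
    r"|\d{2}[./-]?\d{2}[./-]?(19|20)\d{2}"
    r"|(19|20)\d{2}"
)


def _base_forms(password):
    """Return the normalized forms of a password that are compared against
    the wordlist: lower-cased, with substitutions undone, and with leading
    and trailing non-letters stripped (e.g. 'Summer2024!' -> 'summer')."""
    p = password.lower()
    forms = {p, p.translate(LEET_MAP)}
    for form in list(forms):
        forms.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", form))
    return forms


def rejection_reason(password):
    """Return 'date', 'dictionary' or None when the password is acceptable."""
    if DATE_PATTERN.fullmatch(password):
        return "date"
    for form in _base_forms(password):
        if form in COMMON_WORDS:
            return "dictionary"
    return None


if __name__ == "__main__":
    # Constructed candidates covering each rejection path.
    for candidate in ["password", "Summer2024!", "P@ssw0rd", "Michael_85",
                      "12.03.1985", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {rejection_reason(candidate)}")
```

Stripping the trailing digits and symbols before the lookup is what makes the check catch "Summer2024!" and "Michael_85": both reduce to a word the attacker's dictionary would also contain. Checking the date shape separately covers the birth-date case, which no wordlist lookup would catch.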