A targeted form of brute-force attack, dictionary attacks run through lists of common words, phrases, and leaked passwords to gain access to accounts.

Dictionary attack definition

A dictionary attack is a brute-force technique where attackers run through common words and phrases, such as those from a dictionary, to guess passwords. Because people often use simple, easy-to-remember passwords across multiple accounts, dictionary attacks can succeed while requiring fewer resources to execute.

“A dictionary attack is a type of brute-force attack, but it uses a predefined list of passwords that would have a higher probability of success,” says Deral Heiland, IoT research lead, Rapid7. “This dictionary list could contain things such as regional sports team names, team member names, names related to the organization being attacked, commonly used passwords often containing ‘spring,’ ‘summer,’ ‘winter’ and ‘autumn’ and variations of all those modified to meet password requirements.”

What’s the difference between dictionary and brute-force attacks?

Where traditional brute-force attacks try every possible combination systematically to break through authentication controls, dictionary attacks use a large but limited number of pre-selected words and phrases. Not going through every possible combination reduces the likelihood that a difficult password will be guessed correctly, but a dictionary attack requires less time and fewer resources to execute.

“A password dictionary list is typically built specifically for the target under attack,” says Heiland. “For example, if the targeted organization was called London Widgets located in London, then the predefined target list would contain variations of words potentially related to the organization under attack and London area or regional subject matter such as ‘Westminster,’ ‘ChelseaFC1990,’ ‘SouthBank2020’ or ‘CityOfLondon2020.’”

Many tools used for dictionary attacks include common passwords taken from security breaches leaked online, plus common variants of certain words and phrases, such as substituting ‘a’ with ‘@’ or adding numbers to the end of passwords.

What threat actors do once they have access to an account depends on their intended goal and how much access that account provides, but it could include stealing personal data, payment information, or intellectual property, or conducting further attacks on an organization. “The end game is to breach the organization, escalate rights and move laterally to eventually compromise critical information such as personally identifiable information (PII) and financial data,” says Heiland.

How successful are dictionary attacks?

The fact that people often reuse passwords, vary preferred passwords only slightly, and don’t change them in the wake of breaches means this type of attack can be easy to execute and likely to succeed given enough time and attempts. The 2019 Verizon Data Breach Investigations Report (DBIR) suggests that stolen and reused credentials are implicated in 80% of hacking-related breaches.

‘Password,’ ‘12345,’ and ‘QWERTY’ have remained at the top of leaked password lists for years, showing that, despite repeated warnings, people continue to use poor passwords that attackers can easily guess. Keyboard runs, common names, animals and simple phrases such as ‘iloveyou’ and ‘letmein’ also regularly appear on such lists.
The UK’s National Cyber Security Centre (NCSC) recently put out a blog asking football fans not to use their favorite teams as passwords because team names often appear in password lists.

According to the Balbix State of Password Use Report 2020, around 99% of users reuse passwords, and the average user has around eight passwords shared between accounts, both between work and personal accounts and within various internal company accounts. Security.org’s Online Password Strategies survey found that nearly 70% of people tweak existing passwords when creating new ones. The 2019 State of Password and Authentication Security Behaviors Report from Yubico and Ponemon found 69% of people share passwords with others in the workplace. It also found just over half don’t change their password behavior after an incident.

“I know from personal experience while conducting paid security assessments that I have compromised hundreds of businesses using [dictionary attacks],” says Heiland.

How to defend against dictionary attacks

Given that dictionary attacks rely on words commonly used as passwords, a strong defense against them is a good password policy. Encourage users to create unique passwords (ideally a combination of random words with symbols and numbers), not to reuse or share them, and to change them if there is a compromise. Password managers provide a more automated way to keep strong passwords without requiring users to remember them.

“One of the best methods for reducing the success of this style of attack is to train people to move away from short passwords and start using passphrases,” advises Heiland. “Passphrases are often easy to remember and virtually impossible to guess. For example, picking a passphrase such as ‘I want to play cricket for England’ and then randomly altering it with uppercase, numbers or special characters: ‘! want TO Play cr1cket 4 Engl4nd$.’”

“Another added improvement I often recommend is to make sure usernames do not match the email address syntax,” Heiland says.

Other mitigation controls include:

- Set up multi-factor authentication where possible.
- Use biometrics in lieu of passwords.
- Limit the number of attempts allowed within a given period of time.
- Force account resets after a certain number of failed attempts.
- Rate-limit the speed of password acceptance to increase the time and resources needed for attackers to guess the password.
- Include CAPTCHAs to prevent automated log-in attempts.
- Ensure stored passwords are encrypted so they are less likely to be leaked.
- Restrict common words or passwords from being used. The NCSC publishes a list of common passwords that shouldn’t be allowed.
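As an added example (not code from the article or from Rapid7), the following password-acceptance check implements the last control above and also covers the word-mangling described earlier in the article: it undoes substitutions such as ‘a’ to ‘@’ and strips appended years so that candidates like ‘ChelseaFC1990’ or ‘Spring2020!’ are caught as derivatives of blocked words. The blocklist is a constructed sample standing in for the NCSC list, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample blocklist of the entry types the article describes: leaked
# top passwords, keyboard runs, phrases, seasons, and local team and place names.
# A real deployment would load the NCSC common-password list instead.
COMMON_WORDS = {
    "password", "12345", "qwerty", "iloveyou", "letmein",
    "spring", "summer", "winter", "autumn",
    "chelsea", "chelseafc", "westminster", "southbank", "cityoflondon",
}

# Substitutions attackers routinely apply to dictionary words ('a' -> '@' and so on);
# the checker undoes them so that "P@ssw0rd" collapses back to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy minimum, chosen to push users towards passphrases


def derived_forms(candidate):
    """Return the dictionary words a candidate was most likely built from."""
    lowered = re.sub(r"\s+", "", candidate.lower())
    # Strip appended digits/symbols such as the "1990" in "ChelseaFC1990" or the
    # "2020!" in "Spring2020!"; keep the original when nothing would remain.
    stripped = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    return {lowered, stripped, stripped.translate(LEET_MAP)}


def check_password(candidate):
    """Apply the blocklist and length rules. Returns (accepted, reason)."""
    hits = derived_forms(candidate) & COMMON_WORDS
    if hits:
        return False, "derived from blocked word: " + sorted(hits)[0]
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password", "P@ssw0rd!", "ChelseaFC1990", "Spring2020!",
               "! want TO Play cr1cket 4 Engl4nd$"]:
        print("%-36r -> %s" % (pw, check_password(pw)))
```

Because whitespace is removed before comparison, a "passphrase" that is just a blocked phrase with spaces (‘i love you’) is also rejected.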
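As a second added example (not from the article), a per-account login throttle that implements three of the listed controls together: a cap on failures within a time window, a growing delay before each further attempt, and a forced credential reset once cumulative failures cross a threshold. All threshold values are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for this illustration; tune them to your own risk appetite.
WINDOW_SECONDS = 300    # the "given period of time" for counting failures
MAX_PER_WINDOW = 5      # failures tolerated inside that window before refusing attempts
RESET_THRESHOLD = 20    # cumulative failures that force a credential reset
BASE_DELAY = 1.0        # seconds added before the next attempt; doubles per failure


class LoginThrottle:
    """Per-account failed-attempt tracking: sliding window, growing delay, forced reset."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable so tests can fake time
        self.recent = defaultdict(deque)       # account -> timestamps of recent failures
        self.total = defaultdict(int)          # account -> failures since last success/reset
        self.needs_reset = set()

    def _window(self, account, now):
        """Drop failures older than WINDOW_SECONDS and return what remains."""
        q = self.recent[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account):
        """Call before verifying a credential. Returns (allowed, delay_seconds)."""
        if account in self.needs_reset:
            return False, 0.0                  # locked until an out-of-band reset
        window = self._window(account, self.clock())
        if len(window) >= MAX_PER_WINDOW:
            return False, 0.0                  # window exhausted; caller must wait
        delay = BASE_DELAY * 2 ** (len(window) - 1) if window else 0.0
        return True, delay                     # each further guess costs more time

    def record_failure(self, account):
        now = self.clock()
        self._window(account, now).append(now)
        self.total[account] += 1
        if self.total[account] >= RESET_THRESHOLD:
            self.needs_reset.add(account)

    def record_success(self, account):
        self.recent.pop(account, None)
        self.total.pop(account, None)

    def reset_credentials(self, account):
        # Called by the account-recovery flow after the user sets a new password.
        self.needs_reset.discard(account)
        self.record_success(account)
```

Apply the same limit per source address as well, since a dictionary run against many accounts from one source stays under any per-account threshold.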