Dictionary attack definition

A dictionary attack is a brute-force technique in which attackers run through common words and phrases, such as those found in a dictionary, to guess passwords. Because people often use simple, easy-to-remember passwords across multiple accounts, dictionary attacks can succeed while requiring far fewer resources than exhaustive guessing.

“A dictionary attack is a type of brute-force attack, but it uses a predefined list of passwords that would have a higher probability of success,” says Deral Heiland, IoT research lead, Rapid7. “This dictionary list could contain things such as regional sports teams names, team member names, names related to the organization being attacked, commonly used passwords often containing ‘spring,’ ‘summer,’ ‘winter’ and ‘autumn’ and variations of all those modified to meet password requirements.”

What’s the difference between dictionary and brute-force attacks?

Where traditional brute-force attacks systematically try every possible combination to break through authentication controls, dictionary attacks use a large but limited set of pre-selected words and phrases. Skipping most of the keyspace makes it less likely that a strong, unusual password will be guessed, but a dictionary attack takes far less time and computing power to run.

“A password dictionary list is typically built specifically for the target under attack,” says Heiland. “For example, if the targeted organization was called London Widgets located in London, then the predefined target list would contain variations of words potentially related to the organization under attack and London area or regional subject matter such as ‘Westminster,’ ‘ChelseaFC1990,’ ‘SouthBank2020’ or ‘CityOfLondon2020.’”

Many tools used for dictionary attacks include common passwords taken from security breaches leaked online, plus common variants of words and phrases, such as substituting ‘a’ with ‘@’ or appending numbers to the end of a password.

What threat actors do once they have access to an account depends on their goal and on how much access the account provides, but it can include stealing personal data, payment information or intellectual property, or launching further attacks on the organization. “The end game is to breach the organization, escalate rights and move laterally to eventually compromise critical information such as personally identifiable information (PII) and financial data,” says Heiland.

How successful are dictionary attacks?

The fact that people often reuse passwords, vary a favorite password only slightly, and don’t change it after a breach means this type of attack is easy to execute and likely to succeed given enough time and attempts. The 2019 Verizon Data Breach Investigations Report (DBIR) suggests that stolen and reused credentials are implicated in 80% of hacking-related breaches.

‘Password,’ ‘12345,’ and ‘QWERTY’ have remained at the top of leaked password lists for years, showing that despite repeated warnings, people continue to use poor passwords that attackers can easily guess. Keyboard runs, common names, animals and simple phrases such as ‘iloveyou’ and ‘letmein’ also regularly appear on such lists.
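The targeted wordlist Heiland describes, run against a salted password hash, as an added example (this code is not from the article, Rapid7 or any of the tools mentioned): it starts from constructed seed words for the hypothetical “London Widgets” target, generates the case, ‘a’ to ‘@’ style substitution and appended-number variants discussed above, adds the season words, and tries every candidate against a hash taken from a constructed “breached” record. The seed words, years, suffixes, the PBKDF2 iteration count and both victim passwords are assumptions chosen for the illustration.

```python
"""Targeted offline dictionary attack: constructed example, not from the article.

Builds a target-specific wordlist (organisation and regional words, seasons,
years, symbol substitutions) and runs it against a salted password hash
recovered from a hypothetical breached database.
"""
import hashlib
import hmac
import itertools
import os

# Assumption: constructed seed words for a hypothetical target, "London Widgets".
SEED_WORDS = ["widgets", "london", "westminster", "chelseafc", "southbank", "password"]
SEASONS = ["spring", "summer", "winter", "autumn"]
YEARS = ["1990", "2019", "2020"]            # assumption: years an attacker would guess
SUFFIXES = ["", "!", "1", "123"]            # assumption: common "meet the policy" tails
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
ITERATIONS = 1_000  # assumption: kept low so the demo runs fast; real stores use far more


def mangle(word):
    """Case, leet and suffix/year variants that dictionary tools generate for one word."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    variants = set()
    for base in bases:
        variants.update(base + suffix for suffix in SUFFIXES)
        variants.update(base + year for year in YEARS)
    return variants


def build_wordlist(seeds=SEED_WORDS, seasons=SEASONS):
    """Mangle every seed and season word; return the deduplicated, sorted candidate list."""
    candidates = set()
    for word in itertools.chain(seeds, seasons):
        candidates |= mangle(word)
    return sorted(candidates)


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the breached store used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(target_hash, salt, wordlist, iterations=ITERATIONS):
    """Hash each candidate with the victim's salt; return (password, attempts_used).

    password is None when the list is exhausted without a match.
    """
    for attempts, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_password(candidate, salt, iterations), target_hash):
            return candidate, attempts
    return None, len(wordlist)


def demo():
    """Attack two constructed records: a themed weak password and a mangled passphrase."""
    salt = os.urandom(16)
    wordlist = build_wordlist()
    weak = hash_password("Westminster2020", salt)                      # assumption
    strong = hash_password("! want TO Play cr1cket 4 Engl4nd$", salt)  # assumption
    return dictionary_attack(weak, salt, wordlist), dictionary_attack(strong, salt, wordlist), len(wordlist)


if __name__ == "__main__":
    (found, n), (missed, m), size = demo()
    print(f"wordlist size {size}: recovered {found!r} after {n} guesses; passphrase result: {missed}")
```

The whole list is only a few hundred candidates, which is the point: a themed password such as ‘Westminster2020’ falls in well under a second of hashing, while the passphrase is never generated by these rules at all. Real tooling (hashcat or John the Ripper rule sets) applies the same idea with thousands of rules and GPU-rate hashing, which is why a slow, salted hash on the defender's side matters as much as the password itself.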
The UK’s National Cyber Security Centre (NCSC) recently published a blog post asking football fans not to use their favorite teams as passwords, because team names frequently appear in leaked password lists.

According to the Balbix State of Password Use Report 2020, around 99% of users reuse passwords, and the average user has around eight passwords shared between accounts, both across work and personal accounts and among various internal company accounts. Security.org’s Online Password Strategies survey found that nearly 70% of people tweak existing passwords when creating new ones. The 2019 State of Password and Authentication Security Behaviors Report from Yubico and Ponemon found that 69% of people share passwords with others in the workplace. It also found that just over half don’t change their password behavior after an incident.

“I know from personal experience while conducting paid security assessments that I have compromised hundreds of businesses using [dictionary attacks],” says Heiland.

How to defend against dictionary attacks

Given that dictionary attacks rely on words commonly used as passwords, a strong defense against them is a good password policy. Encourage users to create unique passwords, ideally a combination of random words with symbols and numbers, not to reuse or share them, and to change them if there is a compromise. Password managers provide a more automated way to keep strong passwords without requiring users to remember them.

“One of the best methods for reducing the success of this style of attack is to train people to move away from short passwords and start using passphrases,” advises Heiland. “Passphrases are often easy to remember and virtually impossible to guess. For example, picking a passphrase such as ‘I want to play cricket for England’ and then randomly alter it with uppercase, numbers or special characters: ‘! want TO Play cr1cket 4 Engl4nd$.’”

“Another added improvement I often recommend is to make sure usernames do not match the email address syntax,” Heiland says.

Other mitigation controls include:

- Set up multi-factor authentication where possible.
- Use biometrics in lieu of passwords.
- Limit the number of attempts allowed within a given period of time.
- Force account resets after a certain number of failed attempts.
- Rate-limit the speed at which passwords are accepted, to increase the time and resources attackers need to guess a password.
- Include CAPTCHAs to block automated login attempts.
- Store passwords only as salted hashes produced by a slow password-hashing function (such as bcrypt, scrypt or Argon2), never in plaintext or reversible encryption, so that a leaked credential database still resists offline dictionary attacks.
- Restrict common words or passwords from being used. The NCSC publishes a list of common passwords that shouldn’t be allowed.
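Three of the controls above (a common-password denylist, slow salted hashing, and a failed-attempt limit with lockout) combined in one login guard, as an added example that is not from the article, the NCSC or any product. The denylist is a small constructed stand-in for the NCSC’s published list, and the minimum length, attempt threshold, window, lockout duration, PBKDF2 iteration count and usernames are assumptions for the illustration.

```python
"""Login hardening against online dictionary attacks: constructed example, not from the article.

Combines a common-password denylist, slow salted password hashing, and
per-account failed-attempt lockout. All thresholds below are assumptions.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Assumption: small constructed denylist standing in for the NCSC's published list.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "qwerty", "iloveyou", "letmein",
    "liverpool", "chelsea", "arsenal", "welcome", "admin",
}
PBKDF2_ITERATIONS = 100_000  # assumption: lowered for the demo; use a higher count or Argon2id in production
MAX_FAILURES = 5             # failed attempts tolerated inside WINDOW seconds before lockout
WINDOW = 300                 # seconds over which failures are counted
LOCKOUT = 900                # seconds the account stays locked


def password_allowed(pw, min_len=12):
    """Return (ok, reason). Digits and symbols are stripped first so 'Chelsea2020!' still matches 'chelsea'."""
    if len(pw) < min_len:
        return False, "too short"
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    return True, "ok"


def hash_password(pw, salt):
    """Salted, deliberately slow hash so a leaked table resists offline dictionary attacks."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


class LoginGuard:
    """In-memory credential store with a denylist check and failed-attempt lockout."""

    def __init__(self):
        self.users = {}                      # user -> (salt, hash)
        self.failures = defaultdict(list)    # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time lockout expires
        # Dummy credential so unknown usernames cost the same hashing time as real ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy-placeholder", self._dummy_salt)

    def register(self, user, pw):
        ok, reason = password_allowed(pw)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(pw, salt))

    def attempt(self, user, pw, now):
        """Return 'ok', 'denied' or 'locked'. `now` is injected (seconds) so the lockout is testable."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                  # no hashing, no counter update while locked
        salt, stored = self.users.get(user, (self._dummy_salt, self._dummy_hash))
        computed = hash_password(pw, salt)  # always hash, even for unknown users
        if user in self.users and hmac.compare_digest(computed, stored):
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures[user] if now - t < WINDOW] + [now]
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures.pop(user, None)
            return "locked"
        return "denied"
```

The guard only tracks failures per account; a production deployment would also count per source address and apply a CAPTCHA or MFA step once the limit is reached, since an attacker spraying one themed guess across many accounts never trips a per-account counter.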