Dictionary Attack

What is a Dictionary Attack?

A password remains the most common way of locking an account. It is better than biometric verification because the secret lies in your mind, which is not easy to get a hold of compared to something like a fingerprint. But despite the password’s role in preventing authorized access, weak passwords continue to be a leading reason behind cyberattacks.

The Verizon Data Breach Investigations Report (DBIR) in 2020 revealed that about 80% of breaches were due to weak credentials. Security experts have long stressed the importance of a strong password to prevent attacks like the Dictionary Attack.

If you are not familiar with Dictionary Attack, follow us as we explain. The dangers of using a weak password and reusing the same password on different accounts will become apparent to you.

What is a Dictionary Attack?

Most people find it difficult to keep up with the little mental exercise that comes with memorizing passwords for multiple accounts. Surely, it has only accentuated as the internet has witnessed a growth in the number of social platforms. Social platforms aside, online banking is the de-facto way of accessing personal finances, and it’s troubling that users choose a weak password or reuse a password on bank accounts.

It may come as a surprise, but passwords such as “123456” and “Password” are more common than you might think. A Dictionary Attack takes advantage of such vulnerabilities to hack into accounts. It compiles a list of words in the dictionary, including common names like country names, football player names, celebrity names, or anything associated with the pop culture that a user is likely to be influenced by.

A football fan is likely to keep the name of his favorite club or player as a password. An employee of an organization is likely to keep the name of the organization or terms associated with it as a password. By closely observing the likes of a target, a hacker can use a set of likely passwords and run every attempt to access an account.

Some users replace certain words with familiar-looking counterparts, such as replacing the alphabet “a” with “@” or writing numbers in words. But such permutations are still easily conceivable by the computer. Hence, using “P@sswordOneTwoThree” is just as easy as writing “Password123”.

Dictionary Attack vs. Brute Force Attack

A Brute Force attack is centered on trying to find a password by exhausting every possible combination. The program only succeeds when it has found the right combination. The attack is common for cracking passwords to gain access to accounts or servers. When you hear the word “hacked” in a cyberattack, it is often a brute-force attack that is made possible by a weak password that has less challenge for the attacking program.

In comparison, a dictionary attack involves a limited number of runs based on how many words the password set contains. The Oxford dictionary has about 171,476 words in it. A brute-force attack involves as much trial-and-error as presented by the length of the password. A password with a six-digit length can be cracked within seconds. Moving to a ten-digit and a twelve-digit password raises the required time to decades. As a very basic example, “abc” has about six combinations: abc, bca, cab, cba, acb, and bac.

Involving a combination of uppercase and lowercase letters, numbers, and special characters increases the complexity of cracking the password by several hundred years, even with modern computing capabilities.

A dictionary attack is much less computationally intensive because it only has to run through a set number of words. A brute-force attack does not start with such a set to match against the user’s password; it will continue inputting all possible combinations until it finds a match. This approach requires much more computing capability. The time required to brute-force into an account is directly proportional to the computing prowess of the CPU.

It is worth mentioning that brute-force is also used to break cryptographic encryption. An AES 256-bit encryption presents 1.1579208923731619542357098500869e+77 possible combinations to the key. With modern computing power, it would take billions of years to crack it. iProVPN uses the same encryption standard to secure internet communication.

How to Protect Against Dictionary Attack

  • Use Passphrases

Instead of passwords, use passphrases. A passphrase is harder to predict and unique to you. It sits outside common names and terms because it mixes randomness to which only you have the context. The FBI recommends using passphrases over passwords.

Think of a string of characters that are readable to you but make no sense. For example, “EarthTwinCompileUs” is a readable string of words but has no logic.

  • Include Combinations

You can make a password strong by including uppercase and lowercase numbers and special characters in it. As we explained, substituting “Password” with “P@ssword” is unwise and yields no effect. Choose a random string like “sfFg%354~!$%c” for the best strength. You can choose a passphrase and substitute some characters so that it’s still readable but more random. For example, “E@rthTw!nCompileU$”.

  • Enable Two-Factor Authentication

Two-factor authentication (2FA) serves as a second stage for authenticating your identity as the account’s rightful owner. It involves using something you naturally possess like a biometric or something that you own like a device. Because these two types of things are always close to you, they are useful for serving as an authentication method.

  • Don’t Reuse Passwords

Reusing the same password for multiple accounts is setting you up for the risk of Credential Stuffing. Data breaches are a persistent threat in the cyber world. Data such as user credentials stolen during a data breach can also go on sale on the Dark Web. With access to one account information, an attacker will try to input the same credentials on other websites in the hopes it will land somewhere.

  • Use Password Managers

It’s only natural to be bewildered by long and complex passwords. A password manager will save you the trouble of memorizing multiple usernames and passwords. It will store that information in a secure vault that is accessible only by you and where it is held encrypted at rest. The auto-fill feature provided by password managers saves you the trouble of navigating to the vault.


The one weak link in cybersecurity is often human. Defense against cyberthreats can only go as far as the user who is willing to follow certain practices. A strong password can foil the attempts to break into your account. As a rule of thumb, always use 2FA on every account.

Start Browsing Privately!

iProVPN encrypts your data for protection against hackers and surveillance. Unblock your favorite streaming platforms instantly with the best VPN for streaming.

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *