Dictionary attack: do not use words as passwords

John C. | December 22, 2020

A dictionary attack exploits one of the password sins: using actual words. Recent pages in history highlight account security, with passwords standing on the front line. Humans are predictable, and we adore easy patterns. Hence, users might fancy a password that immediately conveys meaning. Well-known phrases are the popular choices, and accounts end up protected by multiple, random dictionary words. Unfortunately, dictionary attacks sprint to smash such security walls and might end with hackers getting access to victims’ accounts.

What is a dictionary attack?

Similar to legendary brute force attacks, dictionary attacks perform the classic password-cracking process, but with different resources. Attackers shift their focus to words, from common expressions to rare terms. Culprits attempt to match passwords with words in official dictionaries or customized lists.

The attacks can drastically variate since hackers might not rely on words alone. It is possible to boost dictionary attacks by adding certain symbols or commonly applied patterns. Consequently, hackers can cross-check both “turtle” and “turtle123” as possible passwords. It all depends on the specific dictionary attack and the pre-set variation rules.

Dictionary attacks have a limited scope as they run through pre-selected words and phrases. Typically, attackers are confident that their targets’ passwords contain words or their slightly modified versions. Hence, their lists can feature hints about their location, preferences, and personal information.

Despite their name, dictionary attacks do not necessarily exploit the official lexicon. Instead, they can relate to sports teams, television characters, pet names, slang, etc. However, the traditional words can prove useful, as they did in the infamous Twitter hack. A young prankster hacked into an account belonging to Twitter’s support staff. Ironically, the set password was “happiness.”

How does a dictionary attack work?

Dictionary attacks do not need to reuse the same list as a universal cracking resource. They are highly customizable, and hackers can challenge each victims’ pool with a new plan. That makes the dictionary attacks flexible and potentially successful, especially if targets’ lists are relatively short. However, all attacks follow the same pattern.

  • Creating files consisting of thousands of words. Such lists can contain official dictionaries and various other resources. If criminals notice targets’ obsession with Star Trek, they can include Klingon phrases into their database. Geo-locations are anything but trivial as well. An effective strategy for hackers is to add words in victims’ native tongue. As a result, dictionary attacks can run seemingly endless checks.
  • Setting additional rules. Users might not be comfortable with using the word “administrator” as a password. Instead, they opt for “administrator123.” Hackers can set additional rules for generating different variants of potential passwords. A notable notion is that passwords combining several words are powerless to dictionary attacks, too.
  • Starting the password-cracking process. The duration of a dictionary attack depends on the computing power used. It is unlikely that the first ten tries will effectively unlock accounts. Hence, the procedure could be lengthy, primarily if criminals give more space for variation. The account lockout threshold could be a solution to this debacle. It means that a digital service allows a limited number of login attempts. After stepping over the set limit, hackers would hit a block. Such a practice is sufficient for halting similar online hacks like credential stuffing and brute force attacks.

Unfortunately, not all account takeovers happen online. Hackers could retrieve extensive lists of hashed passwords. At first glance, these combinations will not resemble common words or phrases. Cybercriminals won’t attempt to reverse the credentials as hashing locks them in a reasonably permanent state. As plan B, hackers will hash words and compare them with the retrieved passwords.

Preventing dictionary attacks

  • Do not use words or their variants as passwords. Dictionary attacks rely on users’ habits of conveying meaning with their passwords. The easiest way to evade them is to combine random letters, numbers, and symbols. If there is no common lexicon, hackers’ attempts will be powerless.
  • Password managers are a must. Words might help users remember their combinations better. However, password managers generate and store all the complicated combinations for you. As a result, there is no reason to link passwords with pet names or your favorite sports team.
  • 2FA can prevent unauthorized access. Even if a dictionary attack is successful, the story does not need to end badly. Two-factor authentication halts login attempts without external verification. Naturally, hackers will not retrieve this token, and your account will be safe.
  • Unique passwords only. What can be worse than having your account hacked? The answer is simple: losing multiple ones. Instead of relying on a single combination, be creative, and assign new ones for every account. This action will prevent the domino effect from happening across the board. Furthermore, mitigating a security breach in one source is more manageable.
  • Encrypt web traffic. Dictionary attacks will be ineffective if your password is word-free. However, hackers exploit a range of conditions and flaws. One of them is unencrypted web traffic. It means that all your online communications and passwords could travel through the internet in their original form. Atlas VPN applies heavy-duty encryption to prevent that. With the enabled VPN, you will no longer risk losing credentials due to poor Wi-Fi or website security.
John C.

John C.

Ex full-time gamer and content writer at Atlas VPN. He's eager to help his readers make their online lives safer and easier than ever before.


brute force attack2fa