A dictionary attack is a method used by threat actors to gain unauthorized access to a system or account by entering every word from an already existing list of possible passwords in a systematic manner.
Unlike brute-force attacks that try every possible combination of characters, dictionary attacks work by assuming that many users choose weak passwords that are easily found in common dictionaries or lists of previously breached passwords.
This method of password attack is often automated, accelerated with the help of high-end computing power, and can be highly effective against accounts with weak passwords.
A dictionary attack works by systematically feeding every entry from a premade list of likely passwords, the dictionary, into the password field of a system or application. The list usually contains commonly used passwords, ordinary dictionary words and phrases, and predictable variations of them: capitalization changes, appended digits or years, trailing symbols, and leetspeak substitutions such as 0 for o.
The attack submits these candidates one after another using automated software or a script, backed by as much computing power as the attacker can bring to bear, and continues until a candidate matches or the entire list has been exhausted.
Because it tries only likely candidates rather than every possible combination of characters, a dictionary attack needs far fewer guesses than a brute-force attack. It succeeds exactly when the victim's password, or a predictable variation of it, appears in the list, which is why it works so well against weak passwords.
To understand online dictionary attacks, consider the following scenario.
You're trying to open a safe with a combination lock that has a large number of possible combinations. You stand in front of the safe and try each combination one by one, entering them manually to see if they work. Each attempt is made in real time, and if you try too many combinations too quickly, the safe might lock you out or alert someone that there's suspicious activity. This is what happens in an online dictionary attack.
In an online dictionary attack, the attacker tries to gain access by systematically entering every word from a predefined list of likely passwords (the dictionary) into a login interface. The attack runs in real time against a live target, such as a web login form or an authentication server, so the attacker interacts directly with the target system and every guess costs a network round trip and leaves a trace. Defenses that cap the number of login attempts, such as account lockout, rate limiting, and CAPTCHA challenges, make online dictionary attacks slow, noisy, and far less effective.
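The following Python simulation is an added example, not code from the original article. It models a minimal login service (the `LoginService` class and its `lockout_threshold` parameter are inventions for the demo, as is the wordlist) and runs the same online dictionary attack against it twice: once with no limit on failed attempts and once with a five-failure lockout. The point is to show why the lockout matters: the attacker's reach is capped at the threshold, and the lockout itself is the signal a defender gets.

```python
"""Added example (not from the original article): an online dictionary attack
against a simulated login endpoint, with and without account lockout."""
import hashlib
import hmac
import secrets

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin", "welcome",
            "monkey", "dragon", "iloveyou", "sunshine", "football", "princess"]
# Constructed target: a weak password that sits at position 10 in the list.
TARGET_USER = "alice"
TARGET_PASSWORD = "sunshine"


class LoginService:
    """Minimal authentication server. lockout_threshold=None disables lockout."""

    def __init__(self, users, lockout_threshold=None):
        self._salts = {u: secrets.token_bytes(16) for u in users}
        self._hashes = {u: self._hash(u, pw) for u, pw in users.items()}
        self.lockout_threshold = lockout_threshold
        self.failures = {u: 0 for u in users}
        self.alerts = []  # what a defender would see in the logs

    def _hash(self, user, password):
        # Salted, iterated hash so a stolen database is slow to attack offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salts[user], 10_000)

    def login(self, user, password):
        if user not in self._hashes:
            return "no_such_user"  # production code should not reveal this
        if (self.lockout_threshold is not None
                and self.failures[user] >= self.lockout_threshold):
            return "locked"
        if hmac.compare_digest(self._hash(user, password), self._hashes[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] == self.lockout_threshold:
            self.alerts.append(f"lockout: {user} after {self.failures[user]} failures")
        return "bad_password"


def online_dictionary_attack(service, user, wordlist):
    """Submit each word in order; stop on success or lockout.
    Returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def run():
    """Attack an unprotected service and a lockout-protected one."""
    open_svc = LoginService({TARGET_USER: TARGET_PASSWORD})
    locked_svc = LoginService({TARGET_USER: TARGET_PASSWORD}, lockout_threshold=5)
    return {
        "no_lockout": online_dictionary_attack(open_svc, TARGET_USER, WORDLIST),
        "lockout_5": online_dictionary_attack(locked_svc, TARGET_USER, WORDLIST),
        "alerts": locked_svc.alerts,
    }


if __name__ == "__main__":
    print(run())
```

Without lockout the tenth guess succeeds; with a five-failure lockout the attacker is stopped on the sixth request and the service has already raised an alert. Note the trade-off a practitioner has to manage: a per-account lockout can be abused to lock legitimate users out, so real deployments combine it with per-source rate limiting and progressive delays rather than relying on the counter alone.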
To understand offline dictionary attacks, consider the following scenario.
You've stolen a list of combinations that open the safe. Instead of trying each combination at the actual safe, you take the list to a secure room where you have access to a duplicate of the safe's lock mechanism. In this controlled environment, you can try each combination as many times as you want, much faster and without any immediate consequences or restrictions. This is what happens in an offline dictionary attack.
Offline dictionary attacks occur when an attacker obtains a list of hashed passwords (usually from a leaked database dumped on dark web forums) and tries to crack them by hashing each word from the dictionary and comparing the result with the stolen hashes. The attacker works entirely from the stolen data and never touches the target system during the attack, so lockouts and rate limits do not apply. These attacks can be extremely efficient, using dedicated hardware and cracking software to test billions of candidates per second against fast, unsalted hashes. Because there is no real-time interaction with the target system, they are also much harder to detect; the defender's only levers are the strength of the passwords and the cost of the hash function.
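The script below is an added example, not code from the original article. It ties together the mechanism described earlier (a wordlist plus the "minor variations" a cracker derives from it) and the offline attack just described. The wordlist, the three victim accounts, and the "leaked" dumps are constructed inline. It runs the same dictionary against two dumps of the same passwords: one with plain SHA-256 hashes, where each candidate is hashed once and checked against every user at the same time, and one with a random per-user salt, where every candidate must be re-hashed for every user.

```python
"""Added example (not from the original article): an offline dictionary attack
run against a constructed dump of password hashes, first unsalted and then salted."""
import hashlib
import secrets

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "dragon"]

# Constructed victim accounts used to build the "leaked" dumps below.
USERS = {"alice": "Password1", "bob": "dragon!", "carol": "Tr0ub4dor&3"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mutate(word):
    """Yield the word plus the 'minor variations' a cracker derives with rules:
    capitalization changes, common suffixes, and the reversed word."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper()]))  # dedupe, keep order
    for base in bases:
        yield base
        for suffix in ("1", "123", "!", "2023"):
            yield base + suffix
    yield word[::-1]


def crack_unsalted(dump, wordlist):
    """Unsalted hashes: hash each candidate once and look it up against every
    stolen hash at once, so the cost does not grow with the number of users."""
    by_hash = {h: user for user, h in dump.items()}
    cracked, hash_calls = {}, 0
    for word in wordlist:
        for candidate in mutate(word):
            hash_calls += 1
            user = by_hash.get(sha256_hex(candidate.encode()))
            if user is not None:
                cracked[user] = candidate
    return cracked, hash_calls


def crack_salted(dump, wordlist):
    """Salted hashes: the salt differs per user, so every candidate has to be
    re-hashed for every account. Work now scales with users x candidates."""
    cracked, hash_calls = {}, 0
    for user, (salt, target) in dump.items():
        for word in wordlist:
            if user in cracked:
                break
            for candidate in mutate(word):
                hash_calls += 1
                if sha256_hex(salt + candidate.encode()) == target:
                    cracked[user] = candidate
                    break
    return cracked, hash_calls


def run():
    """Build both kinds of dump from USERS and attack each with WORDLIST."""
    unsalted_dump = {u: sha256_hex(p.encode()) for u, p in USERS.items()}
    salted_dump = {}
    for u, p in USERS.items():
        salt = secrets.token_bytes(16)
        salted_dump[u] = (salt, sha256_hex(salt + p.encode()))
    return {"unsalted": crack_unsalted(unsalted_dump, WORDLIST),
            "salted": crack_salted(salted_dump, WORDLIST)}


if __name__ == "__main__":
    for mode, (cracked, calls) in run().items():
        print(f"{mode}: cracked {cracked} with {calls} hash computations")
```

Both runs recover alice's `Password1` and bob's `dragon!` (a base word with a capital letter or a suffix is no protection against rules), and neither recovers carol's password because nothing in the list produces it. The salted dump costs roughly twice as many hash computations for this tiny input, and the gap widens linearly with the number of accounts. Salting alone does not stop the attack, though: SHA-256 still runs at billions of guesses per second on a GPU, which is why production systems should use a deliberately slow, salted algorithm such as bcrypt, scrypt, Argon2, or PBKDF2 so that each of those hash calls costs milliseconds instead of nanoseconds.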
| | Dictionary attack | Brute-force attack |
|---|---|---|
| Method of gaining access | Tries each entry from a premade list of likely passwords | Tries every possible combination of characters |
| Speed | Faster: only the candidates in the list are tried | Slower: the number of combinations grows exponentially with password length |
| Success rate | High if the password is weak; fails if the password (or a predictable variation) is not in the list | Can crack any password given sufficient time |
| Resources required for execution | Less computing power and time | More computing power and time |
| | Dictionary attack | Rainbow table attack |
|---|---|---|
| Method of gaining access | Tries each entry from a premade list of likely passwords, hashing it at attack time | Looks stolen hashes up in a precomputed table that maps hash values back to passwords |
| Speed | Every candidate must be hashed during the attack | Building the table is slow; lookups against the finished table are fast |
| Success rate | High if the password is weak; fails if the password is not in the list | High for short or weak passwords within the table's character set and length; falls off sharply for longer passwords, and the table is useless against salted hashes because each salt would need its own table |
| Resources required for execution | Less computing power and time | Heavy computing power and storage to build the table; very little during execution |
ManageEngine ADSelfService Plus offers adaptive MFA with 20 different authentication factors, helping you keep dictionary attacks at bay. MFA can be deployed to enhance security across a variety of applications and systems, whether on-premises or in the cloud. Additionally, the Password Policy Enforcer allows administrators to set standards that enforce rules regarding special characters, length limits, character repetition, and patterns. You can even upload a password dictionary and block users from choosing a password that is present in the dictionary. This promotes a more resilient line of defense. And the best part? The breached password protection feature prevents your users from choosing weak or previously compromised passwords.
The Adobe breach disclosed in October 2013 exposed around 150 million user records. Analysis of the leaked password data showed that enormous numbers of users had chosen passwords such as 123456 and password, the very entries that sit at the top of every attack dictionary.
Dictionary attacks succeed even in large organizations because of the weakest link in any organization: the user. Users tend to create passwords that are simple and easy to remember, or reuse the same password across many accounts because of password fatigue.
The most effective defenses are MFA and strong passwords: at least 12 characters, combining uppercase, lowercase, numbers, and special characters, and never a dictionary word or a previously breached password. Length adds more resistance than symbol substitution, since crackers already try those variations. On the server side, hashing passwords with a salted, slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2) makes offline dictionary attacks far more expensive, and lockout and rate limiting keep online attacks from reaching deep into the list.
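The checker below is an added example, not the original article's code and not ManageEngine's implementation. It shows what enforcing the password rules just described looks like in practice: a minimum length, a breached-password list, a dictionary lookup that first strips the disguises users apply (capitalization, appended years and symbols, leetspeak), a username check, and a character-class count. The dictionary, the breached list, and the leetspeak map are constructed for the demo.

```python
"""Added example (not from the original article, not ManageEngine code):
a password-policy check that rejects dictionary words and their usual disguises."""
import re

MIN_LENGTH = 12
# Constructed lists; a real deployment loads a large dictionary and a breached-password feed.
DICTIONARY = {"123456", "password", "welcome", "dragon", "sunshine",
              "letmein", "qwerty", "company"}
BREACHED = {"Tr0ub4dor&3", "Summer2023!"}
# Leetspeak substitutions to undo before the dictionary lookup.
LEET = str.maketrans("@$01345", "asoieas")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word a user may have dressed up:
    lower-case it, strip leading and trailing digits/symbols, undo leetspeak."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # Welcome2023! -> welcome
    return s.translate(LEET)                  # p@ssw0rd -> password


def check_password(password: str, username: str = "") -> list:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password in BREACHED:
        problems.append("breached")
    if {password.lower(), normalize(password)} & DICTIONARY:
        problems.append("dictionary_word")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("too_few_character_classes")
    return problems


if __name__ == "__main__":
    for pw in ("Welcome2023!", "P@ssw0rd!2024", "Tr0ub4dor&3", "xK9#vL2pQm4&Wn"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

`Welcome2023!` and `P@ssw0rd!2024` both satisfy a naive "12 characters, four character classes" rule and both are rejected here, because after normalization they are `welcome` and `password`; that is precisely the variation a cracker's rule engine generates. Two practical notes: the breached-password comparison is done on a plaintext set only for the demo (real systems compare hashes or query a range-based API), and current NIST SP 800-63B guidance favours length and breached-password screening over composition rules, so the character-class check is the one rule here worth making optional.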
Some passwords that one can commonly find across all word lists used in a dictionary attack are: