For years, it was the most common reference book you’d want to have close at hand. Dictionaries were the perfect resource to look up words you weren’t sure how to spell or needed more clearly defined.
Autocorrect and search engines have largely replaced many of those functions, but the comprehensive nature of dictionaries continue to inspire cybercriminals. The difference is that a dictionary attack treats everyday terms as a potential password that can provide access to an organization’s critical data.
What Is a Dictionary Attack?
It’s almost ironic that most dictionaries probably don’t break down what the term ‘dictionary attack’ means. Instead, you can use this post to not only grasp the basics but how to avoid falling victim to one.
Definition of a dictionary attack
A dictionary attack is a hacking technique in which cybercriminals attempt to guess passwords by systematically using every possible commonly used word or phrase that may have been chosen to secure an application or IT system.
How dictionary attacks work
Hackers may not import an actual dictionary in order to conduct a dictionary attack. Instead, they might assemble a large list of the most likely passwords that a business or individual would select to protect systems and data.
In other cases, the list of words could come from a database of passwords that was stolen in a data breach and sold on the dark web.
Either through manual effort (or more likely via an automated program), threat actors will work through the list of possible credentials until one of them lets them log into the system or application being targeted.
Once inside, of course, cybercriminals can then build upon a dictionary attack by stealing or compromising sensitive information, injecting an organization with malware or tampering with an organization’s everyday operations.
Why are dictionary attacks used
Rogue actors are well aware that many employees are tempted to use complete words and phrases that have some personal meaning attached to them. Those details can make such passwords easy to remember, but it also helps third parties that want to guess them.
It’s not difficult to create your own dictionary of potential password terms. Just think of the names people tend to give their pets, the teams they cheer on in sports stadiums or chart-topping musical artists. Then itemize some variations and combinations of those names with terms in common parlance.
Factor in the locale of the organization you’re targeting, or the kind of terms associated with the industry in which it is operating. Generative artificial intelligence tools may make this process even easier for hackers who don’t have an existing database of stolen passwords to use.
Though technically the English language has many words, for example, only about 170,000 are in current use and the average English vocabulary is only 20,000 to 30,000 words. When you think about how many of those words could be used to create a password with a minimum of six or eight characters, the scope of possible credentials to guess becomes even smaller.
Evaluating the Purpose of Dictionary Attacks
If a dictionary attack still seems a little like a shot in the dark compared to more sophisticated cybercriminal techniques, consider the scenarios where they might easily work.
Success rates of dictionary attacks
There’s no publicly available data on how often a dictionary attack succeeds, but there are a number of reasons why they might.
If an organization doesn’t have a policy that requires strong passwords, for instance, the odds of hackers guessing them increase. It’s also easier for rouge actors to work through a word list when systems and applications don’t limit the number of login attempts a user can make.
Credentials that haven’t been changed or updated in a long time, or which get reused across multiple applications and systems, may make an organization more vulnerable to a dictionary attack.
Common targets of dictionary attacks
Cybercriminals usually aim a dictionary attack at an organization where gaining access could lead to a financial reward. This could include a bank or an online retailer, where authentication not only involves employees but consumers who may not develop very strong passwords.
If an organization has been part of a known data breach, hackers may also make use of stolen credentials they purchase from the original thieves or through a third party.
More sophisticated threat actors may even be able to disable login limits on applications and use password generators to put a dictionary attack in motion.
Differentiating Dictionary Attacks from Brute-Force Attacks
Sometimes stories about data breaches in the media make mention of a “brute force attack” as the hackers’ methodology. A dictionary attack may sound similar, but there are some specific nuances to keep in mind.
Comparison between dictionary attacks and brute-force attacks
A brute-force attack is a cybercriminal tactic whereby they will not only try out every possible term that’s used as a password, but all the variations based on numbers, symbols or other special characters.
Think of brute-force attacks as something akin to a burglar using every skeleton key they have, a knife, a sledgehammer and other tools to break down the same door. It’s not necessarily a fast process, but it’s thorough: threat actors that use brute-force attacks successfully can crack some of the longest and most difficult-to-guess passwords imaginable
Dictionary attacks are somewhat narrower in scope in that they’re limited to the word list the hackers have either assembled, stolen or bought from the dark web.
Advantages and limitations of dictionary attacks
Dictionary attacks can be faster depending on the program used to run them compared with brute-force attacks, but they also tend to work better on passwords of a reasonable length, such as eight characters.
If the target has developed a strong, unique password, meanwhile, dictionary attacks may be less effective than a brute-force attack.
When are dictionary attacks used over brute force?
The complexity of conducting a brute-force attack can require a significant amount of computing power. Unless cybercriminals have access to the necessary IT infrastructure, they may opt to try a dictionary attack instead.
Dictionary attacks might also be the preferred approach when the target is a small or medium-sized business. If an organization doesn’t have a long list of credentials providing access to systems and data – and if the users are perceived to be less savvy in how they create and manage passwords – it could make sense to guess logins from a word list.
Protecting Yourself Against Dictionary Attacks
“How can I protect my system against a dictionary attack,” you ask? The good news is there are plenty of measures to put in place. You may be following some of these approaches already:
Best practices for password security
Strong passwords should be difficult to guess. This often means creating longer passwords that are not based on everyday terms but a random mixture of letters, numbers and special characters. There should also be a mixture of upper and lower-case letters.
Most importantly, strong passwords don’t offer hidden clues or Easter eggs related to the person who created them.
It’s also important not to share your password with other people, or to use the same password on more than one application or system.
Implementing strong password policies
Organizations can establish password policies whereby credentials expire after a certain period. At that point, employees should have to generate a new password, which makes it even harder for cybercriminals who somehow gain access to the previous credentials.
Should threat actors target your organization for any reason, having IT implement a login limit can help stem dictionary attacks before they get very far. In other words, those attempting to log in will be locked out and asked to contact their admin after failing to input the correct credentials two or three times.
IT departments can also deploy technologies that send alerts after several failed login attempts or suspicious login activity. Your password policies could also include the use of authentication apps that verify employees are who they say they are when they’re logging in.
Using multi-factor authentication
Another option for a defense-in-depth strategy against dictionary attacks is to deploy multi-factor authentication (MFA) across your organization.
Instead of relying on credentials such as a password alone, MFA requires users to take an extra step, such as having a code sent to their mobile device or answering a security question.
MFA is a solid prevention tactic against dictionary attacks and many other kinds of cyber threats because rogue actors often won’t have everything they need to fully gain access to an application or device.
Preventing Dictionary Attacks With LastPass
Given dictionary attacks are usually aimed at guessing users’ passwords, empowering people with a password manager such as LastPass takes credential security to the next level.
How LastPass enhances password security
No one wants to have to put a lot of time into creating and managing their passwords, especially if they need different credentials across a host of systems and applications. That’s why LastPass has focused on combining advanced security via zero-knowledge encryption with time-saving conveniences such as autofills and storage for secure notes.
Using LastPass to generate strong and unique passwords
Instead of deliberating over the length, complexity and uniqueness of each password, for example, LastPass can instantly generate strong passwords in seconds. This avoids the common vulnerabilities associated with weak passwords and makes it easier to stay compliant with an organization’s IT security policies.
Benefits of LastPass for protecting against dictionary attacks
If there are scenarios where a password needs to be shared, LastPass lets you do so with end-to-end encryption, which reduces the risk. LastPass is also compatible across all devices, which can help in organizations that offer a hybrid work model where employees may be logging in on a system they keep at home.
Beyond that, LastPass is constantly monitoring the dark web for compromised accounts that may become subject to a dictionary attack. It’s all part of a more proactive approach to creating, using and protecting your credentials and those of your employees.
You don’t need a dictionary to define best-in-class password management: start your LastPass trial today.
