Webster’s International Dictionary includes 476,000 entries. You probably haven’t heard most of these words, as an average person uses only about 20,000-30,000 for communication. However, hackers can check every word in a dictionary to see if you use it as your password. With special password-cracking software, they can conduct a so-called dictionary attack, steal your credentials, and leave you penniless.
A dictionary attack is a type of brute-force cyber attack where hackers use a predefined list of words to crack your password. Some dictionary attacks try commonly used passwords, phrases, or combinations, while others check the whole dictionary.
“123456”, “qwerty”, “iloveyou”, “password”, and “admin” are among the most common passwords, shared by millions of users around the world. If you’re reading this and your password is (or resembles) one of these combinations, change it immediately. Otherwise, hackers can crack it in a snap.
Many services prevent users from using simple words as their passwords and ask to include special characters, numbers, and uppercase letters. But even though “Password123!” technically matches these criteria, it can’t be considered a strong password, and any dictionary attack would crack it.
People often use the names of their children, pets, celebrities, or favorite sports teams as their passwords. Since we provide most of this information on social media, hackers can launch a dictionary attack on you after inspecting your Facebook profile.
If you’re a Harry Potter fan, perpetrators can scan websites dedicated to the fantasy saga and extract all the related words. This way, places and names such as Hogwarts, Gryffindor, or Dobby might end up on the list in their password-cracking software.
Hackers often use advanced software that can crack more complex combinations by creating different character variations and checking if they match your password. So, a password like ##Hogw@rts111 is not that difficult to crack either.
It would take milliseconds for such software to crack simple passwords like 111111, and under 30 minutes to guess something like ##Hogw@rts111. There are even free tools that allow you to break passwords and import hashes of various formats.
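To see why “Password123!” and “##Hogw@rts111” fall to the character-variation rules described above, here is an added Python example (not code from the original article) of the kind of check a sign-up form can run before accepting a password: it reverses the common mangling rules (wrapping symbols, appended digits, leet-speak substitutions) and rejects anything that collapses back to a dictionary word. The small word list and the substitution table are constructed assumptions standing in for a real cracking wordlist.

```python
import string

# Constructed mini wordlist standing in for a cracking dictionary (assumption:
# a real check would load a large list such as a leaked-password corpus).
WORDLIST = {
    "password", "qwerty", "iloveyou", "admin",
    "hogwarts", "gryffindor", "dobby",
}

# Common leet-speak substitutions that cracking tools apply to dictionary words.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Characters typically wrapped around or appended to a base word ("##", "123", "!").
WRAPPERS = string.punctuation + string.digits


def normalize(candidate: str) -> str:
    """Undo typical mangling so 'Password123!' and '##Hogw@rts111' collapse to their base word."""
    core = candidate.strip(WRAPPERS)   # drop leading/trailing symbols and digits
    core = core.translate(LEET)        # undo leet substitutions inside the word
    return core.lower()                # case-fold before the dictionary lookup


def is_dictionary_derived(candidate: str) -> bool:
    """Return True if the password is a dictionary word or a mangled variant of one."""
    if len(set(candidate.lower())) <= 1:
        return True                    # repeated single character, e.g. '111111'
    base = normalize(candidate)
    if not base:
        return True                    # nothing left but digits/symbols: trivially weak
    return base in WORDLIST


if __name__ == "__main__":
    for pw in ["111111", "Password123!", "##Hogw@rts111", "d0bby2020", "correct-horse-battery"]:
        verdict = "REJECT (dictionary-derived)" if is_dictionary_derived(pw) else "ok"
        print(f"{pw:24} -> {verdict}")
```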
A brute-force attack and a dictionary attack are both designed to guess your password, but the methods they use are different. While a dictionary attack makes use of a prearranged list of words, a brute-force attack tries every possible combination of letters, special symbols, and numbers. It can guess a six-character password in one hour. If your password is long and complex, it will take days or even years to crack it.
A brute-force attack doesn’t necessarily try every possible character. Password-cracking software can be programmed to start with more likely options. If there is a requirement to use an uppercase letter in the password, most people will use it in the first character. Knowing this, hackers can set the program to start with a capital letter as the first character. A brute-force attack takes longer to crack a password than a dictionary attack does and heavily relies on computing power.
Brute-force and dictionary attacks can be conducted both online and offline. When hackers try to break your password online, they connect to the system they’re attacking. However, the number of guesses might be limited, and the victim is likely to discover that someone is trying to break in.
Offline attacks are more dangerous, as hackers already have a database with stolen encrypted passwords. They can take their time to crack them, which often makes offline attacks more successful.