What is a dictionary attack?
A dictionary attack is a type of brute-force cyber attack where hackers use a predefined list of words to crack your password. Some dictionary attacks try commonly used passwords, phrases, or combinations, while others check the whole dictionary.
According to research by NordPass, “123456”, “qwerty”, “iloveyou”, “password”, and “admin” are among the most common passwords, shared by millions of users around the world. If you’re reading this and your password is (or resembles) one of these combinations, change it immediately. Otherwise, hackers can crack it in a snap.
Many services prevent users from using simple words as their passwords and ask to include special characters, numbers, and uppercase letters. But even though “Password123!” technically matches these criteria, it can’t be considered a strong password, and any dictionary attack would crack it.
How a dictionary attack is conducted
People often use the names of their children, pets, celebrities, or favorite sports teams as their passwords. Since we provide most of this information on social media, hackers can launch a dictionary attack on you after inspecting your Facebook profile.
If you’re a Harry Potter fan, perpetrators can scan websites dedicated to the fantasy saga and extract all the related words. This way, places and names such as Hogwarts, Gryffindor, or Dobby might end up on the list in their password-cracking software.
Hackers often use advanced software that can crack more complex combinations by creating different character variations of each word and checking whether they match your password. So, a password like ##Hogw@rts111 is not that difficult to crack either.
It would take milliseconds for such software to crack simple passwords like 111111, and under 30 minutes to guess something like ##Hogw@rts111. There are even free tools that allow you to break passwords and import hashes of various formats.
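The following password-policy check, added here as an example (it is not the article's or NordPass's own code), shows why complexity rules alone are not enough: it undoes the character variations described above and rejects a password whose base word is on a list. The wordlist and substitution table are constructed assumptions; a real check would load a large list of common passwords and themed terms.

```python
import re

# Constructed mini wordlist standing in for the dictionaries and
# fan-site scrapes the article describes.
WORDLIST = {
    "123456", "qwerty", "iloveyou", "password", "admin",
    "hogwarts", "gryffindor", "dobby",
}

# Substitutions that cracking tools enumerate as "variations".
# Undoing them exposes the base word ("Hogw@rts" -> "hogwarts").
LEET = {"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "7": "t"}
ONE = ("i", "l")  # "1" stands in for either letter, so try both


def base_words(password: str) -> set[str]:
    """Plausible dictionary words hidden inside a password.

    Strips leading symbols and trailing digits/symbols, undoes leet
    substitutions and lowercases, e.g. "##Hogw@rts111" -> "hogwarts".
    """
    forms = {password.lower()}
    core = re.sub(r"^[^A-Za-z0-9]+", "", password)
    core = re.sub(r"[^A-Za-z]+$", "", core)
    if core:
        forms.add(core.lower())
        for one in ONE:
            table = str.maketrans({**LEET, "1": one})
            forms.add(core.lower().translate(table))
    return forms


def check_password(password: str, min_len: int = 12) -> tuple[bool, str]:
    """Return (is_strong, reason).

    Rejects short passwords and anything whose base form is in WORDLIST,
    which catches "Password123!" even though it satisfies the usual
    upper/lower/digit/symbol complexity rules.
    """
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    hits = base_words(password) & WORDLIST
    if hits:
        return False, f"derived from dictionary word {sorted(hits)[0]!r}"
    return True, "no dictionary match"


if __name__ == "__main__":
    for pw in ["Password123!", "##Hogw@rts111", "Gryff1ndor_2024!", "cH7$kq!9vLm2pZ"]:
        print(f"{pw!r:20} -> {check_password(pw)}")
```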
What is the difference between brute-force and dictionary attacks?
A brute-force attack and a dictionary attack are both designed to guess your password, but the methods they use are different. While a dictionary attack makes use of a prearranged list of words, a brute-force attack tries every possible combination of letters, special symbols, and numbers. It can guess a six-character password in one hour. If your password is long and complex, it will take days or even years to crack it.
A brute-force attack doesn’t necessarily have to work through every possible combination blindly. Password-cracking software can be programmed to start with the more likely options. If there is a requirement to use an uppercase letter in the password, most people will put it in the first position. Knowing this, hackers can set the program to start with a capital letter as the first character. A brute-force attack takes longer to crack a password than a dictionary attack does and relies heavily on computing power.
Online vs offline attacks
Brute-force and dictionary attacks can be conducted both online and offline. When hackers try to break your password online, they connect to the system they’re attacking. However, the number of guesses might be limited, and the victim is likely to discover that someone is trying to break in.
Offline attacks are more dangerous, as hackers already have a database with stolen encrypted passwords. They can take their time to crack them, which often makes offline attacks more successful.
How to prevent a dictionary attack
- Use strong passwords. The longer your password, the better. Anything under 12 characters can’t be considered a strong password. We recommend using special characters and numbers along with upper- and lowercase letters in a random order. Naturally, it is hard to remember such passwords, but a password manager like NordPass will take care of it.
- Change your passwords regularly. If the last time you updated your email or social media password was 10 years ago, you’re playing with fire. Chances are your password has been stolen and now resides in some database on the dark web. You should change your passwords at least every couple of months.
- Don’t use the same password for all your accounts. If you use the same password for all your accounts, hackers need to crack only one to get access to the rest of the services you use. Each password has to be unique. Otherwise, your digital identity might be destroyed.
- Don’t overshare on social media. Hackers do their research before conducting a dictionary attack. If information about your favorite movies, sports teams, and even the name of your dog can be easily extracted from your profile, perpetrators can use this knowledge to their advantage. If you can’t live without social media, at least make sure your profile is private.
- Use a VPN. A virtual private network encrypts your traffic, thus mitigating the risk of being hacked and snooped on. NordVPN’s Threat Protection feature blocks ads and annoying pop-ups, which are a common way to distribute malware. Hackers can design programs to track your keyboard activity and steal your passwords, but Threat Protection scans downloads for malware and blocks sites known to spread malicious software, lowering the likelihood of infection.