Skip to main content

Home Dictionary attack

Dictionary attack

Dictionary attack definition

A dictionary attack is a cyberattack during which an attacker uses an automated tool and a list of words to try and guess a password. “Dictionary” refers to the use of standard words that can be found in a dictionary or a pre-prepared list of the most popular passwords and their variations. Attackers use these lists instead of brute forcing their way in because of the high chance of success.

Cybercriminals create their “dictionary” from these sources:

  • Commonly used passwords. Hackers keep lists of well-known, commonly used passwords (like “password” “admin,” “123456,” or “qwerty”) and use databases from recent breaches to constantly update them.
  • Simple words and predictable variations. From lists of leaked passwords, attackers can determine that people are likely to use an ordinary word and add “1” or “123” at the end or capitalize only the first letter. They can use tools to automatically add these variations to the most common words in any particular language and get a list of likely passwords.
  • Information gathered via phishing or stalking. Hackers may research their target’s social media accounts to learn their addresses, pet and kids’ names and birth dates, or favorite holiday destinations. Then they’ll test entries like “Taylor2016,” “MrMittens,” and other phrases related to favorite sports teams, cities, or performers.

Preventing dictionary attacks

  • Use the NordPass password manager to generate and store strong passwords.
  • Don’t use ordinary words. Use a sequence of random numbers, special characters, and upper- and lowercase letters. Avoid conventional formats such as starting with a capital letter and ending with a number.
  • Don’t reuse passwords. The chances that at least one of your accounts was hacked at some point are very high. Some experts estimate that only 20% of data breaches ever get discovered.
  • Change your passwords regularly. Hacked passwords are widely available on the dark web, and it's just a matter of time before someone decides to use them.

Watch it explained: Dictionary attack