What is a dictionary attack? And how you can easily stop them

Dictionary attack definition

A dictionary attack is a brute-force technique where attackers run through common words and phrases, such as those from a dictionary, to guess passwords. The fact people often use simple, easy-to-remember passwords across multiple accounts means dictionary attacks can be successful while requiring fewer resources to execute.

“A dictionary attack is a type of brute-force attack, but it uses a predefined list of passwords that would have a higher probability of success,” says Deral Heiland, IoT research lead, Rapid7. “This dictionary list could contain things such as regional sports teams names, team member names, names related to the organization being attacked, commonly used passwords often containing ‘spring,’ ‘summer,’ ‘winter’ and ‘autumn’ and variations of all those modified to meet password requirements.”

What’s the difference between dictionary and brute-force attacks?

Where traditional brute-force attacks try every possible combination systematically to break through authentication controls, dictionary attacks uses a large but limited number of pre-selected words and phrases. Not going through every possible combination reduces the likelihood that a difficult password will be guessed correctly, but a dictionary attack requires less time and resources to execute.

“A password dictionary list is typically built specifically for the target under attack,” says Heiland. “For example, if the targeted organization was called London Widgets located in London, then the predefined target list would contain variations of words potentially related to the organization under attack and London area or regional subject matter such as ‘Westminster,’ ‘ChelseaFC1990,’ ‘SouthBank2020’ or ‘CityOfLondon2020,’”

Many tools used for dictionary attacks include common passwords taken from security breaches leaked online and common variants of certain words and phrases, such as substituting ‘a’ with ‘@’ or adding numbers to the end of passwords.

What threat actors do once they have access to an account depends on their intended goal and how much access that account can provide, but could include stealing personal data, payment information, or intellectual property, or conducting further attacks on an organization. “The end game is to breach the organization, escalate rights and move laterally to eventually compromise critical information such as personally identifiable information (PII) and financial data,” says Heiland.

How successful are dictionary attacks?

The fact that people often reuse passwords, vary preferred passwords slightly, and don’t change them in the wake of breaches means this type of attack can be easy to execute and likely to succeed given enough time and attempts. The 2019 Verizon Data Breach Investigations Report (DBIR) suggests that stolen and reused credentials are implicated in 80% of hacking-related breaches.

‘Password,’ ‘12345,’ and ‘QWERTY’ have remained at the top of leaked password lists for years, showing that despite being repeatedly told, people are happy to continually use poor passwords that attackers can easily guess. Keyboard runs, common names, animals and simple phrases such as ‘iloveyou’ and ‘letmein’ also regularly appear on such lists. The UK’s National Cyber Security Centre (NCSC) recently put out a blog asking football fans not to use their favorite teams as passwords because team names often appear password lists.

According to the Balbix State of Password Use Report 2020, around 99% of users reuse passwords, and the average user has around eight passwords shared between accounts, both between work and personal accounts and within various internal company accounts. Security.org’s Online Password Strategies survey found that nearly 70% of people tweak existing passwords when creating new ones. The 2019 State of Password and Authentication Security Behaviors Report from Yubico and Ponemon found 69% of people share passwords with others in the workplace. It also found just over half don’t change their password behavior after an incident.

“I know from personal experience while conducting paid security assessments that I have compromised hundreds of businesses using [dictionary attacks],” says Heiland.

How to defend against dictionary attacks

Given that dictionary attacks rely on words commonly used as passwords, a strong defense against them is a good password policy. Encourage users to create unique passwords — ideally a combination of random words with symbols and numbers — not to reuse or share them, and ensure they are changed if there is a compromise. Password managers provide a more automated way to keep strong passwords without requiring users to remember them.

“One of the best methods for reducing the success of this style of attack is to train people to move away from short passwords and start using passphrases,” advises Heiland. “Passphrases are often easy to remember and virtually impossible to guess. For example, picking a passphrase such as ‘I want to play cricket for England’ and then randomly alter it with uppercase, numbers or special characters: ‘! want TO Play cr1cket 4 Engl4nd$,’”

“Another added improvement I often recommend is to make sure usernames do not match the email address syntax,”Heiland says.

Other mitigation controls include:

• Set up multi-factor authentication where possible.
• Use biometrics in lieu of passwords.
• Limit the number of attempts allowed within a given period of time.
• Force account resets after a certain number of failed attempts.
• Rate-limit the speed of password acceptance to increase the time and resources needed for attackers to guess the password.
• Include Captchas to prevent automated log-in attempts.
• Ensure passwords are encrypted so they are less likely to be leaked.
• Restrict common words or passwords from being used. The NCSC publishes a list of common passwords that shouldn’t be allowed.