Dictionary Attacks Definition

Howard Poston
Aug 08, 2023

What is a Dictionary Attack?

A dictionary attack is an attack designed to guess a weak or reused password. The attacker has a list of potential passwords — dictionary words, breached passwords, etc. — that they use to attempt to gain access to a user’s account.

Why are Dictionary Attacks Effective?

Dictionary attacks take advantage of the fact that most people have weak or reused passwords. Dictionary words are common choices, and passwords such as Password, 12345, and qwerty often appear at the top of the lists of the most common passwords.

This decision to use common words for passwords makes them easier to remember; however, it also makes them easier to guess. Dictionary attacks are a common tactic when attempting to crack a password because the attacker has a high probability that at least one account will have an easily guessable password.

How Do Dictionary Attacks Work?

Dictionary attacks can be performed either online or offline. In an online attack, the attacker submits candidate passwords to a live login page. In an offline attack, which becomes possible when a site's password hashes have been exposed in a data breach, the attacker hashes each candidate password and compares the result to the stored hash for a user's account.
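An online dictionary attack leaves a visible trace: many failed logins against one account in a short window, often followed by a success once the right word is reached. The following detection routine is an added example written for this page (not code from the article or its author); it parses constructed, simplified authentication log lines and flags accounts whose failure count within a sliding five-minute window reaches a threshold, reporting how many distinct source addresses took part and whether the account then logged in successfully. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not from the article).
# Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-08-08T10:00:01Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:02Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:03Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:04Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:05Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:06Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:07Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:08Z login_failed user=alice ip=203.0.113.5
2023-08-08T10:00:09Z login_success user=alice ip=203.0.113.5
2023-08-08T10:01:00Z login_failed user=bob ip=198.51.100.20
2023-08-08T10:03:00Z login_failed user=bob ip=198.51.100.20
2023-08-08T10:03:30Z login_success user=bob ip=198.51.100.20
2023-08-08T10:00:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T10:12:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T10:24:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T10:36:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T10:48:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T11:00:00Z login_failed user=carol ip=198.51.100.77
2023-08-08T10:05:00Z login_failed user=dave ip=203.0.113.5
2023-08-08T10:05:20Z login_failed user=dave ip=203.0.113.5
2023-08-08T10:05:40Z login_failed user=dave ip=203.0.113.61
2023-08-08T10:06:00Z login_failed user=dave ip=203.0.113.61
2023-08-08T10:06:30Z login_failed user=dave ip=198.51.100.9
"""

# Assumed line shape: "<ISO timestamp> <event> user=<name> ip=<address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_events(text):
    """Turn log text into (timestamp, event, user, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["ip"]))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag users with >= threshold failed logins inside any sliding window.
    Returns {user: {"failures", "distinct_ips", "first", "last"}} for the
    densest window seen per user."""
    failures = defaultdict(list)
    for ts, event, user, ip in events:
        if event == "login_failed":
            failures[user].append((ts, ip))

    alerts = {}
    for user, items in failures.items():
        items.sort()  # by timestamp
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                ips = {ip for _, ip in items[start:end + 1]}
                prev = alerts.get(user)
                if prev is None or count > prev["failures"]:
                    alerts[user] = {"failures": count, "distinct_ips": len(ips),
                                    "first": items[start][0], "last": items[end][0]}
    return alerts


def success_after_burst(events, alerts):
    """Accounts that logged in successfully at or after an alerted burst ended:
    the strongest sign that the guessing worked and the account is compromised."""
    hits = set()
    for ts, event, user, ip in events:
        a = alerts.get(user)
        if a and event == "login_success" and ts >= a["last"]:
            hits.add(user)
    return sorted(hits)


def analyze(text=SAMPLE_LOG):
    events = parse_events(text)
    alerts = detect_guessing(events)
    return alerts, success_after_burst(events, alerts)


if __name__ == "__main__":
    alerts, compromised = analyze()
    for user, a in sorted(alerts.items()):
        print(f"{user}: {a['failures']} failures from {a['distinct_ips']} source(s) "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print("success after burst:", compromised)
```

In the sample, `alice` is flagged (eight failures from one address, then a success) and `dave` is flagged (five failures spread over three addresses), while `bob` (two failures) and `carol` (six failures spaced twelve minutes apart) stay below the window threshold. Slow, spaced guessing like `carol`'s is exactly what a per-window threshold misses, which is why account lockout or rate limiting is paired with longer-horizon counts in practice.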

In both types of attack, the attacker works their way through each word in their password dictionary. These attacks are easily automated, so in an offline attack a computer can try every word in the English language in a matter of seconds.

Because of password complexity requirements, most passwords aren't just a dictionary word; they also include some capital letters, numbers, and symbols. Cybercriminals know this, and dictionary attack programs try common variations of each potential password. While this slows down the attack slightly, the difference is negligible and provides little additional security.
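Because guessing tools apply the same handful of variations (capitalization, appended digits or symbols, look-alike character substitutions), a defender can reverse those variations when a user picks a password and reject anything whose base word sits on a blocklist. This checker is an added example for this page (not the article's code); the small blocklist, the substitution table and the 12-character minimum are constructed for the example, and a real deployment would load a breached-password corpus in place of the list.

```python
import string

# Constructed mini blocklist for this example. A real deployment would load a
# large breached-password corpus; the matching logic is the same.
BLOCKLIST = {
    "password", "qwerty", "letmein", "welcome", "dragon", "football",
    "12345", "123456", "iloveyou", "monkey",
}

# Reverse map for the character substitutions guessing tools commonly apply.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_words(password):
    """Return the set of base words an attacker's mangling rules could have
    turned into this password: lowercase it, strip appended digits and
    symbols, strip leading symbols, and undo common letter substitutions."""
    lowered = password.lower()
    candidates = {lowered}
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if stripped:
        candidates.add(stripped)
        candidates.add(stripped.lstrip(string.punctuation))
    for c in list(candidates):
        candidates.add(c.translate(LEET))
    candidates.discard("")
    return candidates


def is_guessable(password, blocklist=BLOCKLIST, min_length=12):
    """Return a list of reasons to reject the password; an empty list means it
    passes this check (length and blocklist only, no other policy rules)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for word in sorted(base_words(password)):
        if word in blocklist:
            reasons.append(f"variation of blocklisted word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Qwerty123456", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {is_guessable(pw) or 'ok'}")
```

`P@ssw0rd!` reduces to `password` and `Qwerty123456` to `qwerty`, so both are rejected despite satisfying a typical complexity rule; `Tr0ub4dor&3` is not on the list but fails the length minimum, and a long passphrase passes.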

If an attacker is targeting a particular user or website, they might tailor their password dictionary to the target. For example, an attacker may include names of family, friends, and pets in a password list. Alternatively, they could incorporate or prioritize words associated with the site, such as team names for a sports-related site. This improves their chances of success if the password isn’t an actual dictionary word.

In the event that a dictionary attack fails for an account, the attacker has a few options. They could move on to try to crack another, easier password. Alternatively, they could move on to a brute-force password search or look for another way to learn the password (such as a phishing attack).

How Can You Protect Against Dictionary Attacks?

Dictionary attacks attempt to guess passwords that are based on common words or phrases. The first line of defense is a strong, unique password: one that is not a dictionary word or a simple variation of one, and is not reused across accounts.

Enabling multi-factor authentication (MFA) adds protection against password guessing and similar attacks, because a correctly guessed password alone is no longer enough: the attacker must also compromise a second authentication factor. For even greater security, organizations can implement passwordless authentication using biometrics, which protects against phishing attacks as well as attacks that exploit weak passwords.
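The offline attack described earlier works by recomputing the hash of each candidate and comparing it to the stored value, so how a site stores passwords decides how far a leaked database gets an attacker. The article does not cover storage; the block below is an added example (not the article's code) that puts the weak scheme next to the recommended one: an unsalted fast hash, where every user with the same password shares one digest and a single precomputed dictionary cracks all of them, versus a per-user random salt with a memory-hard key derivation function (`hashlib.scrypt` from the Python standard library). The scrypt work factors are a constructed choice for the example.

```python
import hashlib
import hmac
import secrets

# scrypt work factors used in this example (constructed choice; tune to your hardware).
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def unsalted_sha256(password):
    """The weak scheme: no salt, one fast hash. Two users with the same password
    get the same digest, so one dictionary of precomputed hashes covers them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Store a fresh random salt plus an scrypt-derived key. The same password
    yields a different record for every user, so a dictionary has to be
    re-hashed per account, and each guess costs real CPU time and memory."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Re-derive the key with the stored salt and parameters and compare in
    constant time."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    pw = "Summer2023!"  # constructed sample password
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))  # identical: one lookup cracks both
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted scrypt, user A:", rec_a)
    print("salted scrypt, user B:", rec_b)  # different record, same password
    print("verify correct:", verify_password(pw, rec_a), " verify wrong:", verify_password("summer2023!", rec_a))
```

Salting defeats the precomputed dictionary and forces per-account work; the slow, memory-hard derivation is what turns "every English word in seconds" into a materially more expensive job. Neither replaces the strong-password and MFA advice above; they limit the damage when a hash database is the thing that leaks.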

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.
