Dictionary Attack: Cracking Passwords with Words

A dictionary attack is a method used by hackers to breach user accounts by systematically entering each word from a compiled list of common words and popular combinations that people often choose as their passwords. Despite advancements in security protocols and ongoing education about creating strong passwords, dictionary attacks remain a potent threat. 

As long as users continue to choose convenience over complexity in their passwords, dictionary attacks stand a chance of being successful. This article explores what dictionary attacks are and how they work in detail, outlines their differences from brute force attacks, and takes a look at some recent examples, use cases, and relevant statistics to reinforce the threat. The post concludes with some best practices for preventing successful dictionary attacks.

What is a Dictionary Attack?

>A dictionary attack is a methodical approach that exploits people’s propensity to choose passwords that are easy to remember and often composed of common words and phrases. You can think of dictionary attacks as a type of informed guessing. The process resembles skimming through an actual dictionary, but instead of random letters and numbers, attackers use a list—akin to a linguistic dictionary—that contains frequently used passwords and their variations, including those from previous breaches. 

A quick glance at the most common passwords from a sample size of 15 billion in 2023 features 123456, 123456789, qwerty, and password as the top four. This alone explains the continued success of dictionary attacks. The attacker’s script or tool methodically tests each “word” from the dictionary list against a user’s password field in an attempt to gain unauthorized access.

Dictionary attacks can be remarkably efficient, especially when attacking accounts en masse or those without protective measures like account lockouts or two-factor authentication. The simplicity and speed are hallmark features that make them attractive to cybercriminals, who tend to look for the low-hanging fruit and the fastest way to achieve their goals. 

Dictionary Attacks vs. Brute Force Attacks

Dictionary attacks and brute force attacks are two prevalent methods used by attackers to crack passwords, but it’s important not to conflate them because they aren’t the same thing. 

Dictionary attacks use a targeted method where the attacker uses a list of potential passwords whereas brute force attacks do not rely on a precompiled list of passwords but instead try every possible combination of characters until finding the right one.

Dictionary attacks are generally faster and more efficient than brute force attacks. This password attack method requires fewer resources in terms of computational power because the chosen tool or software only needs to try a limited set of possibilities that are known to be more common. Brute force attacks have the advantage in terms of being exhaustive and not highly dependent on user password choices. 

In terms of downsides, both types of attacks suffer the same fate against lengthy complex passwords, but for different reasons. Dictionary attacks don’t work when users opt for lengthy complex passwords that are exceedingly unlikely to be on any dictionary list of potential passwords. Brute force attacks have the downside of requiring significant computational power that makes them impractical for use against long, complex passwords. 

Dictionary attacks are best against systems with less stringent password selection requirements and against less security-savvy users. These attacks are also effective in a situation where there is known information about the user that could suggest possible passwords (like pet names, birthdays, etc.) Brute force attacks are for when the password is not likely to be a common word or phrase found in any dictionary list.

How Dictionary Attacks Work

Conducting a dictionary password attack involves a few structured steps—here’s a breakdown of the process:

1. Compiling a wordlist

Threat actors often start off by sourcing commonly used passwords from various places online, including public breaches, password dumps, and lists of commonly used passwords. Some savvy hackers then customize the dictionary list based on the known details about the target(s), such as interests, habits, demographics, or personal details. There are tools available like Crunch or CeWL that generate wordlists based on custom criteria, which can be very useful for creating a more targeted list.

1. Preparing the Attack

Armed with dictionary lists, the next step involves selecting a password-cracking tool capable of dictionary attacks. Popular options for these tools include John the Ripper, Hashcat, or Hydra.

Another important aspect of preparing the attack is routing traffic through proxies or a VPN to avoid detection. Some threat actors use botnets to distribute a dictionary attack across many different IP addresses. Botnets make detection and prevention more challenging for the targeted system by spreading the dictionary attack across potentially thousands of different IP addresses controlled by the hacker. 

Here’s where success or failure occurs in these attacks. Hackers set up their chosen tool with their wordlists and specify the target account or service. This step also involves setting the protocol (such as HTTP, FTP, SSH), the target’s IP address or URL, and the username to crack. 

If one of the words in the dictionary list matches the account’s password, the cracking tool will display a message indicating that the login was successful. The tool will provide the user with the credentials that worked.

Use Cases and Vulnerabilities

Dictionary attacks exploit weaknesses in password security, and successful compromises of user accounts can lead to a range of bad outcomes, including data breaches. Here are some real-world use cases that highlight why hackers might employ dictionary attacks. 

Unauthorized access to emails

Hackers may use a list of common passwords and phrases to gain access to an email account, which can then be used to reset passwords for other services, intercept confidential company communications, or deploy targeted phishing attacks by impersonating someone. While popular consumer email services like Gmail enforce strong password requirements, email accounts on email services that require admin configuration for strengthening password requirements may be more susceptible. 

Compromising online banking credentials

Online banking accounts are prime targets for dictionary attacks because gaining access can lead to immediate financial gain. Once inside, an attacker can transfer funds, collect financial information, or steal identities. While many banks now mandate two-factor authentication for logins, social engineering can get around some types of authentication, such as one-time codes. Interestingly, many online banking services allow users to set simple, easily guessable personal access codes as passwords to their accounts. 

Infiltrating corporate networks

Corporate user accounts often have access to a wealth of information and privileges. Breaking into a single user account through a dictionary attack can be a stepping stone to more extensive network infiltration. Once inside, threat actors can escalate their access privileges, install persistent threats, steal sensitive data, or initiate ransomware attacks. 

Several vulnerabilities contribute to the susceptibility of companies and people to dictionary attacks:

• A lack of enforcement of strong password policies allows users to create weak passwords that are easy to guess.
• People often reuse passwords across multiple accounts, which increases the vulnerability across different services once a hacker breaks into one account (44% of workers reuse passwords across personal and work-related accounts). 
• Many users create passwords based on personal information or common patterns, which are easily included in dictionary lists.
• Systems that do not lock out users after a certain number of failed attempts allow attackers to try many password combinations without penalty.
• Accounts that only rely on passwords for authentication without additional verification steps are highly vulnerable to dictionary attacks.

Recent Examples

A couple of recent examples shed some further light on the continued prevalence and threat of dictionary password attacks. 

QNAP

QNAP, a popular vendor of network-attached storage (NAS) devices, had to warn businesses about ransomware successfully infiltrating its products in July 2022. Internet-exposed NAS devices with the network file-sharing protocol SMB enabled were susceptible to dictionary attacks through user accounts with weak passwords. After infiltrating accounts and devices, threat actors installed a ransomware variant named Checkmate on some companies’ networks and encrypted important files. 

>Microsoft SQL server hacks

In September 2022, security researchers warned about a wave of ransomware attacks against Microsoft SQL servers, which function as database management systems for many companies. The attacks used the FARGO ransomware strain, with initial exploitation stemming from dictionary attacks and brute force attacks against user accounts on the server with weak credentials.  

The success rate of dictionary attacks really depends on which password vulnerabilities exist within a target system and the set of users on that system. With no strict password policies, users may revert to easily crackable passwords that dictionary lists can crack with not much effort. While there is no universal success rate for dictionary attacks, the recent examples show they can still be relatively successful against poorly secured accounts and systems, especially where users don’t practice good password hygiene. 

Preventing Dictionary Attacks

Here are some practical tips and strategies to bolster security defenses against potential instructions from dictionary attacks.

• Enforce a robust password policy that requires a mix of uppercase and lowercase letters, numbers, and special characters. Don’t make this an optional thing that employees can choose; mandate it for all account passwords.
• Use password managers that can generate and store many complex, long, and random passwords. These tools remove the burden on individual users to remember each unique password and minimize the risk of using simple, memorable passwords that are vulnerable to dictionary attacks. 
• Implement MFA wherever possible. Even if a password is guessed, the additional authentication factor—such as a code from an authenticator app or a fingerprint—can prevent unauthorized access.
• Implement account lockout policies that temporarily lock an account after several unsuccessful login attempts. This prevents continuous password-guessing attempts against single accounts.
  

  Conclusion

  Despite growing awareness of the importance of strong password hygiene, dictionary password attacks remain a formidable threat. These attacks exploit the persistent use and reuse of weak, predictable passwords—a vulnerability that stems from the natural human tendency to prioritize convenience over complexity in password creation. 

  Individuals and organizations alike must prioritize proactive measures like robust password security practices, multi-factor authentication, password managers, and continued education about cyber threats. 

  To fully protect accounts against dictionary attacks, consider opting for passwordless solutions. Multi-Pass by Kelvin Zero uses a biometric pass for authenticating your employees. You can replace passwords completely and avoid annoying users with clunky MFA implementations. One-tap access via a user’s unique fingerprint gives hassle-free authentication with no need for managing passwords. 

  Learn more about going passwordless.