Home Features Everything You Need to Know About Dictionary Attacks

Everything You Need to Know About Dictionary Attacks

Users’ poor password practices result in a rise in dictionary attacks.

User Verification Policy, zero trust approach

Cybercriminals leverage several ways to illicitly obtain users’ login credentials and break into their systems. At the same time, poor password practices of users like reusing old passwords or using weak passwords make a hacker’s job easy. Despite continuous advice on the importance of keeping strong login credentials, most users end up having the same passwords for multiple accounts.

 By Rudra Srinivas, Senior Feature Writer, CISO MAG

As per the 2021 Credential Exposure Report, over 60% of the credentials were reused across multiple accounts, making it easy for an attacker to misuse one stolen password to hijack other accounts. It was found that most users are not creating a new password after expiry, rather using the old one with minute changes. The most common password found was “123456,” followed by “123456789” and “12345678.” “Password” and “111111” showed up more than 1.2 million times each.

This kind of poor password hygiene allows hackers to easily compromise users’ credentials by leveraging password guessing techniques through brute force attacks or dictionary attacks.

What is a Dictionary Attack?

A dictionary attack is a trial-and-error tactic used by attackers to decode passwords, passcodes, and other forms of login credentials by leveraging automated software tools.  In dictionary attacks, cybercriminals use a predefined dictionary list of possible combinations of passwords/passphrases, or stolen credentials from previous data breaches, to crack victims’ passwords. Hackers often exploit commonly used passwords like 123456, qwerty, password, and admin, which are rated as the most frequently used passwords by millions of users globally. It would hardly take seconds for an attacker to crack such passwords.

How does a Dictionary attack work?

Cybercriminals do their research before launching a dictionary attack. Users often use easy-to-remember passwords/passphrases involving names of their children, favorite celebrities, hobbies, etc. Unfortunately, users also share this information on social media platforms, allowing hackers to snoop into users’ interests and prepare a possible combination of passwords list. Hackers use advanced password-cracking software to crack possible combinations by generating various character alterations to match the victim’s password.

How to prevent Dictionary Attacks

  • Enable the automatic lock-account feature to avoid multiple intrusions from threat actors.
  • Use two-factor or multi-factor authentication for all your online accounts.
  • Keep long and strong passwords with special characters. For example, a password like “Password1” can be easily cracked, but one like “[email protected]$$$word” is not so easy to guess.
  • Change your passwords regularly and never reuse them.
  • Don’t overshare your interests on social media platforms.
  • Use different passwords for different accounts.


Though a dictionary attack may be a serious security threat, it is powerless when people use strong passwords in the first place. Remember, our poor password hygiene would be a hacker’s greatest advantage. So, if your password is easy-to-guess, change it ASAP before any attacker cracks it in a snap!

Related Story: 6 Practices to Strengthen Your Password Hygiene

About the Author

Rudra Srinivas is a Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.