
What is a dictionary attack and how does it work?

In this article, we will cover dictionary attacks. What are dictionary attacks, how do they work, and when is it best to use them?

What is a dictionary attack?

A dictionary attack is simple in theory. It is based on a simple assumption: users don’t want to or cannot memorize long, random sequences of characters, and therefore they pick existing words, typically from an existing language.

You can, therefore, take a dictionary or a word list and hash every word in it. When a hash matches the hash of the password you’re trying to break, you have found the password.

A typical dictionary attack scenario

In a typical dictionary attack scenario, you will have a list of words. Those words can be from the English language (you could literally use the Oxford Dictionary and try every word), or they can be a more nuanced and optimized list of passwords, as we will see in some examples later on. In a dictionary attack, you’ll be hashing every word.

How long this takes depends on the number of words that you’re using.

Dictionary attacks are best for scenarios where you are dealing with passwords that are most likely single words or based on words.

Customisation

Typically, you will use this type of attack if you know that you’ll be cracking longer words instead of random passwords. You can customize which words to use, add rules to them, and even modify words according to a pattern before hashing them.

For example, you can add numbers or replace characters with numbers and symbols that resemble the original letters — e.g. “p@s$w0rd” instead of “password”.
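The substitutions described above can also be run in reverse as a password-policy check that rejects a new password when it reduces to a listed word. The following is an added example, not part of the original article; the word list is a constructed sample and the function names and substitution table are assumptions made for illustration.

```python
import re

# Constructed sample list; a real check would load a large list of common
# passwords (the article mentions rockyou.txt as one such list).
SAMPLE_WORDS = frozenset({"password", "dragon", "sunshine", "letmein"})

# Look-alike characters mapped back to letters (assumed table, not exhaustive).
# "1" is ambiguous (l or i); this table picks "l".
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

# Digits and symbols added before or after a word.
_AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def base_forms(candidate):
    """Return the base strings a word-mangling rule could have started from."""
    lowered = candidate.lower()
    unleet = lowered.translate(LEET)
    stripped = _AFFIX.sub("", lowered)
    return {lowered, unleet, stripped,
            _AFFIX.sub("", unleet),      # undo substitutions, then strip affixes
            stripped.translate(LEET)}    # strip affixes, then undo substitutions


def find_base_word(candidate, words=SAMPLE_WORDS):
    """Return the listed word the candidate is derived from, or None."""
    matches = base_forms(candidate) & set(words)
    return min(matches) if matches else None


def audit(candidates, words=SAMPLE_WORDS):
    """Map each candidate password to the listed word it reduces to (or None)."""
    return {c: find_base_word(c, words) for c in candidates}


if __name__ == "__main__":
    # Constructed sample candidates.
    samples = ["p@s$w0rd", "Dragon2024!", "5unshine99", "xK9#vQ2m!Lp7"]
    for pw, base in audit(samples).items():
        verdict = f"reject (based on '{base}')" if base else "not word-based"
        print(f"{pw!r}: {verdict}")
```

A password that returns `None` here is only shown not to derive from a listed word under these particular rules; it says nothing about its strength otherwise.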

Yes, users could use password managers, but we will see in a later section that these will not solve all your problems. Users are, however, able to memorize words, words with modifications, and so on.

Word lists

Your customization also depends on your word list. If you have a word list, like rockyou.txt, that stores the most common passwords, this could be useful even for passwords that don’t exactly resemble one word with modifications. But most likely, you will not have random sequences in your word list.

Unless you explicitly add such sequences to the list, you won’t be able to break these kinds of passwords. It is also difficult to deal with multi-word passwords if you do not use the coding rules. And even if you do, it takes more time to break them.

Dictionary attacks compared to brute force attacks

Let’s consider a quick comparison with brute force attacks to give you some context. Brute force attacks are best used for short, random passwords, while dictionary attacks are better tools to crack longer passwords based on real words or whatever words your dictionary has.

Dictionary attacks are a bit harder to set up than brute force attacks, but they are still not too hard.

This article is from the free online Advanced Cyber Security Training: Hands-On Password Attacks

Created by
FutureLearn - Learning For Life
