A dictionary attack is a method of cracking passwords where the attacker uses a dictionary (a list of commonly used words, phrases and passwords). Unlike a brute-force attack, which systematically tries every possible combination, a dictionary attack only tries realistic passwords. This makes the attack much more efficient and faster, as the attacker focuses on passwords that people actually use.
The attacker uses lists of millions of real passwords from data breaches plus commonly used words and phrases.
Software auto-replaces characters (a→@, e→3) and appends typical suffixes: "password" becomes "P@ssw0rd1!".
Each entry in the list is systematically tested against the target account or encrypted file.
Passwords such as "password123", "summer2024" or "Max123456" are cracked in milliseconds.
Instead of testing all possible character combinations, only realistic candidates are checked – much faster.
Stolen password lists from hacks (e.g. RockYou, LinkedIn) contain billions of real passwords used as input.
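As an added example (not from the original article), the following Python check expands a small wordlist with exactly the mangling rules described above (character substitution such as a→@ and e→3, common suffixes, case changes) and rejects any candidate password that such an attack would reach. The base wordlist, substitution table and suffix set are constructed for the demonstration; a real check would load a large breach-derived list.

```python
import itertools

# Constructed sample wordlist (assumption): a real check would load a large
# breach-derived list such as the ones the article mentions.
BASE_WORDS = ["password", "summer", "letmein", "hello", "max"]

# Substitutions and suffixes that simple mangling rules apply (a->@, e->3, ...).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "123456", "!", "1!", "2024"]

def case_variants(word):
    """Lower, Capitalized and UPPER spellings of a base word."""
    return {word.lower(), word.capitalize(), word.upper()}

def leet_variants(word):
    """Every combination of keeping or substituting each substitutable character."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)

def generate_candidates(base_words=BASE_WORDS):
    """Expand a wordlist the way a rule-based dictionary attack would."""
    seen = set()
    for base in base_words:
        for cased in case_variants(base):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    candidate = mangled + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate

def is_dictionary_derived(password, base_words=BASE_WORDS):
    """True if the password lies within reach of the mangled wordlist."""
    return any(candidate == password for candidate in generate_candidates(base_words))

def check_password(password, base_words=BASE_WORDS, min_length=12):
    """Return a list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_dictionary_derived(password, base_words):
        problems.append("reachable by a dictionary attack with common mangling rules")
    return problems
```

`check_password("P@ssw0rd1!")` reports both violations, because "P@ssw0rd1!" is just "password" with two substitutions and the suffix "1!", while a random 14-character string passes.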
Example 1 – Email account attack: An attacker tries to gain access to your Gmail account. They use a dictionary of common passwords such as "password123", "letmein" and "hello123" and try them one after another. If your password is one of these common ones, the attack succeeds quickly.
Example 2 – Online banking attack: An attacker tries to access bank accounts using known usernames. With a dictionary of common passwords they can quickly check multiple accounts without having to try every possible password.
Example 3 – Cracking a WiFi password: An attacker tries to access a private WiFi network. With a dictionary of common WiFi passwords and their variations they can break into the network faster.
If your password is cracked by a dictionary attack, attackers can access your account and steal personal data, misuse your identity to carry out fraudulent transactions, exploit your contacts for further phishing or social engineering attacks, infect your devices with malware or damage the system, and use your account or devices as a starting point for further attacks on other systems.
1. Use strong and unique passwords: Choose passwords that are not found in dictionaries. Combine uppercase, lowercase, numbers and special characters. Avoid simple words, names or dates such as birthdays.
2. At least 12 characters: The longer your password, the more difficult it becomes for dictionary attacks. Use passwords with at least 12 characters.
3. Avoid personal information: Do not use names of family members, pets or birth dates as a password basis. This information can be easily found out.
4. Use a password manager: A password manager generates random, strong passwords and manages them securely, without you needing to remember complex passwords.
5. Enable two-factor authentication: Even if your password is cracked, two-factor authentication protects your account by requiring a second authentication factor.