A dictionary attack is a means for a hacker to illegally access a computer by trying out various combinations of words and phrases to crack passwords. Hackers take into account the most commonly used passwords such as birthdays, anniversaries, and the like to execute a dictionary attack.
When writing, you often use a dictionary to choose the right word to describe something. In a dictionary attack, a hacker uses a so-called “word list,” much like a writer would a dictionary. The word list contains a hashed or encrypted list of words that can match a user’s password when decrypted.
Hackers will do anything to get into a victim’s account. And dictionary attacks are one way they do so.
How Does a Dictionary Attack Work?
Compared with a brute force attack, which entails repeatedly logging in to a victim’s account by randomly guessing username-password combinations, dictionary attacks require more technical skill.
Dictionary attacks start with the hacker gaining access to the target’s password database. Unlike brute force attacks where perpetrators zoom in on a single user, dictionary attacks crack the encryption on a password database to gain access to all of a service’s or a network’s user accounts.
Who Are the Common Dictionary Attack Victims?
Dictionary attacks can target almost anyone, although hackers typically go after large organizations that store thousands or even millions of user accounts, such as:
- Financial service providers: Hackers go where the money is. By targeting banks, insurance companies, and other financial institutions, cyberattackers can easily hack into their user accounts to steal payment card details and transfer money from targets’ accounts to theirs.
- Healthcare organizations: Hackers typically launch dictionary attacks against hospitals and healthcare facilities to gain access to sensitive medical information. They sell this information on the Dark Web or use the patients’ credentials to buy prescription drugs.
- Home networks: The ubiquity of the Internet of Things (IoT) is not lost on hackers. These days, a lot of attackers launch dictionary attacks to gain entry into less-protected home networks for use in theft or to turn IoT devices into bots for distributed denial-of-service (DDoS) attacks.
How Can You Prevent a Dictionary Attack?
Below are ways to protect against dictionary attacks.
- Activate your server’s delayed response feature: Doing so would prevent hackers from continuously inputting username-password combinations until they guess the correct one.
- Lock user accounts: Lock user accounts after multiple unsuccessful attempts. Many companies automatically lock an account after a user enters three wrong passwords.
- Employ password expiration: By requiring users to update their passwords after a month, you can mitigate dictionary attacks. Ideally, corporate accounts should require employees to change their passwords every three months. As an additional layer of security, they also aren’t allowed to reuse passwords.
- Strengthen password requirements: One of the most effective ways to stop dictionary attacks is increasing the complexity of passwords. Ideally, passwords should be a combination of symbols, special characters, numbers, and lowercase and uppercase letters. Increasing password length to eight characters can also help.
- Limit account access: By restricting access to only allowed hosts or IP addresses, you can ensure that only authorized computers would gain access to your server.
- Disable root login: For remote connections, root login (i.e., a method of logging in that allows users to gain access to all systems with just one set of credentials) is a common entry point for brute force and dictionary attacks. Disabling it can help reduce risks.
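The delayed-response and account-lockout measures from the list above, combined in one added example (not code from the original page). The class name, the doubling delay, the 15-minute lock, and the guess list are assumptions made for illustration; the three-attempt limit is the one the list mentions.

```python
import hmac
import time

class LoginThrottle:
    """Per-account failed-login tracking: growing response delay, then lockout."""

    def __init__(self, max_failures=3, base_delay=1.0, lock_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures   # lock after this many wrong passwords
        self.base_delay = base_delay       # seconds; doubles with each failure
        self.lock_seconds = lock_seconds   # assumed 15-minute lock
        self.clock = clock                 # injectable so tests need not sleep
        self._failures = {}                # username -> consecutive failures
        self._locked_until = {}            # username -> time the lock ends

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is not None and self.clock() >= until:
            # Lock expired: forget the lock and the failure count.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return until is not None

    def delay_for(self, username):
        """Seconds the server should wait before answering this attempt."""
        n = self._failures.get(username, 0)
        return 0.0 if n == 0 else self.base_delay * 2 ** (n - 1)

    def record(self, username, success):
        """Update state after a password check; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(username):
            return "locked"                # even a correct password is refused
        if success:
            self._failures.pop(username, None)
            return "ok"
        n = self._failures[username] = self._failures.get(username, 0) + 1
        if n >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lock_seconds
            return "locked"
        return "failed"

def simulate(guesses, real_password, throttle, username="alice"):
    """Run constructed guesses through the throttle; return (result, delay) pairs."""
    results = []
    for guess in guesses:
        delay = throttle.delay_for(username)
        # A real server would verify against a salted password hash instead.
        match = hmac.compare_digest(guess.encode(), real_password.encode())
        results.append((throttle.record(username, match), delay))
    return results
```

Because state is keyed by the submitted username, unknown usernames are throttled the same way as real ones, so the response does not reveal which accounts exist.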
—
Dictionary attacks would not work for systems that use multiple-word and complex passwords that use random permutations of letters and numerals, so make sure to make these part of your password requirements.