What Is Dictionary attack? Security Definition
On This Page
Quick Definition
A dictionary attack is when a hacker uses a list of common passwords to guess your login. The attacker tries each password from the list until one works. This is different from a brute force attack, which tries every possible combination of characters.
Commonly Confused With
A brute force attack tries every possible combination of characters from a defined set, like all passwords from A to ZZZZZ. A dictionary attack only tries passwords that appear on a precompiled list. Brute force is exhaustive but slow; dictionary attack is faster but limited to known patterns.
Brute force: trying every 4-digit PIN from 0000 to 9999. Dictionary attack: trying only 1234, 0000, 1111, and 4321.
Password spraying is a specific kind of attack where the attacker tries one common password, like Password1, against many different usernames. A dictionary attack usually focuses on one username and tries many passwords from the list. Password spraying is designed to evade account lockout policies.
Password spraying: trying Password1 on 1000 user accounts. Dictionary attack: trying 1000 passwords on one user account.
A rainbow table attack uses precomputed hash chains to reverse a hashed password without trying each password individually. A dictionary attack computes the hash of each word on the fly and compares it to the target hash. Rainbow tables are static and can be defeated by salting, whereas a dictionary attack can still work with salted hashes if the attacker knows the salt.
Rainbow table: looking up a hash in a big book of precomputed answers. Dictionary attack: manually calculating each guess and checking the result.
Credential stuffing is the automated injection of stolen username and password pairs from one breach into other websites. The attacker does not use a dictionary of common passwords; they use actual credentials that were previously valid. Dictionary attacks use guessed passwords, not stolen ones.
Credential stuffing: using email and password from a 2020 breach and trying it on Facebook. Dictionary attack: guessing password at the Facebook login page.
Must Know for Exams
The Dictionary attack is a staple topic in the CompTIA Security+ exam, specifically under Domain 1 (Attacks, Threats, and Vulnerabilities). In the Security+ exam objectives, dictionary attacks are explicitly listed as a type of password attack alongside brute force, spraying, and rainbow table attacks. The exam expects you to differentiate between these attack types. You might be asked a question describing a scenario where an attacker uses a file containing common passwords to guess a user password, and you must choose dictionary attack from the list.
In the exam, you are also expected to know the mitigating controls. You will see questions about password complexity, account lockout policies, multi-factor authentication, and salting of password hashes. For example, a question might say: An organization stores user passwords using a salted hash. Which of the following attacks is still effective against these passwords? The correct answer is a dictionary attack, because the attacker can still take a dictionary of common passwords, append the known salt, hash each one, and compare.
The Security+ exam also tests knowledge of online versus offline dictionary attacks. An online dictionary attack requires the attacker to repeatedly attempt authentication against a live server, which generates logs and can trigger account lockouts. An offline dictionary attack occurs when the attacker has already obtained the hash file, so there is no rate limiting. You may be asked to identify which attack is being used based on symptoms, such as a server log showing thousands of failed login attempts in a short time.
Other exams like the Certified Ethical Hacker (CEH) and Network+ at a supporting level also touch on this. In CEH, you are expected to know what tools are used for dictionary attacks, such as John the Ripper, Hashcat, and Hydra, and how to configure them. In CISSP, the concept appears under domain 3 (Security Architecture and Engineering) when discussing cryptanalytic attacks. For the Security+ exam, the key takeaway is to remember that a dictionary attack is significantly different from a brute force attack. The exam writers love to test this distinction. A brute force attack tries all possible combinations, whereas a dictionary attack tries only a curated list. Also, remember that strong passwords and account lockout policies are the primary defenses against online dictionary attacks, while salting and using bcrypt or Argon2 are defenses against offline dictionary attacks.
Simple Meaning
Imagine a thief finds a locked diary you keep in your desk. Instead of trying every single possible combination for the lock, which would take forever, the thief first tries the most common combinations people use, like 1-2-3-4, 0-0-0-0, or your birthday. That is exactly how a dictionary attack works in the digital world. An attacker gets a list of commonly used passwords, known as a dictionary file, and a piece of software that automatically feeds those passwords into a login screen one after another, very quickly.
The reason this attack is so effective is that people are predictable. Studies show that passwords like password, 123456, admin, qwerty, and welcome are used by millions of people every single day. Even when companies enforce rules like use at least eight characters or include a number, users often just turn password into Password1. The dictionary file is not a real dictionary of words from an English book. It is a huge list of every common password, every leaked password from previous data breaches, common phrases, names of sports teams, pop culture references, and simple number patterns.
The key difference between a dictionary attack and a brute force attack is the method of guessing. A brute force attack is like trying every single key in existence to open a door. A dictionary attack is like trying only the keys that look like they might fit, based on what most people use. This makes dictionary attacks much faster and less resource-intensive. If the password you choose is not in that dictionary list, the attack will fail. But if your password is predictable, your account will be compromised extremely quickly. That is why cybersecurity professionals constantly warn against using common words, pet names, or simple patterns for passwords.
Full Technical Definition
A dictionary attack is a cryptanalytic attack that leverages a precomputed set of likely passwords, often called a wordlist or dictionary file, to authenticate against a target system. The attack exploits the fact that human-generated passwords are not uniformly random. Instead, they tend to follow predictable patterns, such as using dictionary words, common phrases, keyboard patterns like qwerty, or simple mutations like adding a digit or an exclamation mark at the end.
The attack process typically begins with the attacker obtaining authentication data from the target, which can be either an online login interface or an offline hash dump. In an online dictionary attack, the attacker uses a script or a tool like Hydra or Medusa to repeatedly submit login requests to a web application, SSH server, or other network service, using each password from the wordlist. The attacker must manage rate limiting mechanisms and account lockout policies, which is why distributed or slow-and-low techniques are often employed.
In an offline dictionary attack, the attacker has already captured the password hash file, usually from a compromised database. The attacker then runs a tool like John the Ripper or Hashcat, which takes each word from the dictionary, hashes it using the same algorithm used by the target system (such as NTLM for Windows, bcrypt, SHA-256, or MD5), and compares the resulting hash to the stolen hash. If the computed hash matches the stored hash, the password has been cracked. This offline method is extremely fast because the attacker does not need to wait for network responses. Modern GPUs can compute billions of hashes per second, allowing a large dictionary to be tested in minutes.
The effectiveness of a dictionary attack depends heavily on the quality of the wordlist. The most famous wordlist is the RockYou list, which contains over 14 million plaintext passwords leaked from a 2009 data breach. Modern wordlists include common passwords, leaked passwords from multiple breaches, and rules-based mutations using tools like rules within Hashcat that automatically modify each word by capitalizing letters, adding numbers, or appending symbols. Salting, a technique where a random value is added to each password before hashing, can defend against offline dictionary attacks by making precomputed rainbow tables useless, but it does not prevent the attacker from hashing each word with the salt and testing it individually. Enterprise authentication protocols like Kerberos in Active Directory or RADIUS can also be targeted, but they typically require the attacker to be inside the network or to have already compromised a domain controller. In modern IT environments, dictionary attacks are a primary vector for credential stuffing, where attackers use username and password pairs obtained from one breach to try to log into other unrelated services.
Real-Life Example
Think about a school locker combination lock. Every locker on the floor uses the same brand of lock, and each combination is three numbers from 0 to 39. A brute force attacker would try every possible combination, all 64,000 of them, which would take hours. But a dictionary attacker is smarter. The attacker knows that most students pick combinations that are easy to remember, like their birthday month and day, the last three digits of their phone number, or the numbers 10-20-30. The attacker writes down a list of the 100 most common school locker combinations that were leaked from a nearby school last year.
Then, the attacker walks down the hallway, and at each locker, tries the numbers 15-25-35, then 1-2-3, then 1-1-1, then 12-24-36, and so on, straight down the list. It takes only a few seconds per locker because the list is short. The attacker only needs one success. When the attacker finds a locker that opens with 1-2-3, it is because the student who owns it chose the laziest possible combination. In the same way, a dictionary attacker tries only the passwords that real people actually use. The attacker does not care about the 99% of users who have strong passwords. The attacker only needs the one person who uses password or iloveyou. That is why dictionary attacks are so successful in the real world. They exploit the weakest link in any security system: human laziness. And just like you would change your locker combination if you saw someone looking at the list, any IT system should enforce strong password policies to make sure users cannot choose passwords that are in any known dictionary file.
Why This Term Matters
Dictionary attacks matter because they are one of the most common and effective ways that accounts get compromised. In the context of information security, you can spend millions of dollars on firewalls, intrusion detection systems, and encryption, but if a single user has a weak password, the entire system can be breached. Many high-profile data breaches have started with a dictionary attack on a single user account, often a low-level employee or an external vendor account with remote access. Once inside, attackers move laterally across the network, escalate privileges, and exfiltrate sensitive data.
For IT professionals, understanding dictionary attacks is crucial for designing authentication policies. You need to know why simply requiring eight characters is not enough. Attackers have dictionaries that contain all eight-character words from multiple languages, common substitutions like p@ssw0rd, and patterns like Summer2023. You must implement measures such as account lockout after a certain number of failed attempts, rate limiting on login endpoints, multi-factor authentication, and the use of password blacklists that reject any password known to be in a common dictionary file.
Another reason dictionary attacks matter is the prevalence of password reuse. When a dictionary attack succeeds on one site, the compromised credentials are often tried against other sites, a variant called credential stuffing. This means a weak password on a low-priority forum can lead to the compromise of a corporate email account or a bank account. For organizations, this is a compliance issue as well. Regulations like GDPR, HIPAA, and PCI-DSS require reasonable security measures, and a password policy that allows dictionary words is not considered reasonable. During a security audit or penetration test, testers will always attempt dictionary attacks to demonstrate the risk. If the testers crack even a single account, it represents a finding that must be remediated. Therefore, every IT certification learner must grasp not only what a dictionary attack is, but how to defend against it in real systems.
How It Appears in Exam Questions
In the Security+ exam, dictionary attack questions usually present a scenario or a short description and ask you to identify the attack type, the best defense, or the next step for an incident responder. One common pattern is the scenario question. For example: A company notices a large number of failed login attempts on their VPN from a single IP address over the span of 15 minutes. The attempts use usernames found in the company directory and common passwords. Which type of attack is occurring? The correct answer is a dictionary attack, specifically an online dictionary attack, because the attacker is using a list of common passwords against a live service.
Another question type is the configuration-based question. You might be given a password policy setting and asked which configuration would prevent dictionary attacks. The options could include setting a minimum password length of 14 characters, requiring at least one uppercase letter, enabling account lockout after 3 bad attempts, or storing passwords using a plaintext database. The correct answer is enabling account lockout, because that stops the attacker after only a few guesses. A long password alone does not prevent a dictionary attack if the password is in the common list.
Troubleshooting questions also appear. For instance: A security analyst finds that an offline hash file has been cracked, and several employee passwords are compromised. The analyst discovers that the passwords were stored using unsalted MD5 hashes. Which of the following factors made the dictionary attack successful? The answer would be the lack of salting, because salted hashes force the attacker to compute a unique hash for each password even if the dictionary word is the same.
You may also see compare-and-contrast questions. For example: Which of the following is a difference between a dictionary attack and a brute force attack? The choices might be that a dictionary attack is faster, uses a precompiled list, and is more likely to succeed against common passwords, whereas a brute force attack is slower but theoretically can crack any password. In scenario-based questions, the key is to look for clues. If the question mentions a list of common passwords or a wordlist, it is a dictionary attack. If it mentions attempting every combination, it is brute force. Also, look for references to account lockout being triggered many times, which indicates an online attack. If the attack happened after a data breach and involved a hash file, it is offline. These patterns are reliable indicators in exam questions.
Practise Dictionary attack Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a security analyst for a mid-sized company called TechFlow Inc. One morning, you receive an alert from the intrusion detection system. The alert shows that there have been over 500 failed login attempts on the company's webmail portal in the last hour. All attempts originated from a single IP address in a foreign country. The usernames being used appear to be first names, like john, jane, mike, and sarah, which match common employee names. The passwords being attempted are also common, such as welcome1, password123, qwerty, and letmein.
As you investigate the logs, you notice that none of the attempts have succeeded, but the pattern is clear. The attacker is using a list of common passwords and trying them against multiple user accounts. This is a textbook online dictionary attack. The attacker is hoping that at least one employee has chosen a weak password. The fact that the attempts are all coming from one IP address suggests a single attacker using an automated script.
You check the account lockout policy and find that it is set to 5 failed attempts before the account is locked for 30 minutes. The accounts being targeted are being locked out, which is why the attacks have not succeeded. However, you realize that the lockout policy is causing a denial of service for those users, who cannot access their email. You escalate the incident to the incident response team and recommend blocking the attacking IP address immediately. You also suggest that the company implement multi-factor authentication and update the password policy to reject common passwords. This scenario is exactly the kind of situation you might see in a Security+ performance-based question, where you are asked to identify the attack type and propose a remediation step. The key takeaway is that the dictionary attack itself did not succeed because of the lockout policy, but the resulting account lockouts are creating problems for the business.
Common Mistakes
Thinking a dictionary attack tries every possible combination of characters.
That is a brute force attack, not a dictionary attack. A dictionary attack only tests passwords that are in a precompiled list. It does not generate random combinations.
Remember: dictionary uses a list of likely passwords; brute force tries all possible passwords.
Believing that a long password always prevents a dictionary attack.
A password like 'IloveNewYork2024!' is 20 characters long, but it is still a phrase with common words and a predictable pattern. It could easily be in a dictionary file that includes common phrases and year numbers.
Length helps, but you must also avoid common words, phrases, and patterns. Use a random password or a passphrase that is not in any standard wordlist.
Thinking that salting prevents dictionary attacks entirely.
Salting prevents the use of precomputed rainbow tables, but it does not stop an offline dictionary attack. The attacker still takes each word in the dictionary, adds the salt, hashes it, and compares it to the target hash one at a time.
Salt is good, but you still need to use strong passwords that are not in any dictionary. Combine salting with a computationally expensive hashing algorithm like bcrypt.
Confusing a dictionary attack with a password spraying attack.
In a dictionary attack, one attacker tries many passwords against one account. In a password spraying attack, the attacker tries one common password against many accounts to avoid lockout. They are different strategies.
Dictionary attack: many passwords, one account. Password spraying: one password, many accounts.
Assuming that account lockout policies are a complete defense against dictionary attacks.
Account lockout limits the number of attempts per account, which slows down the attack. However, an attacker can perform a distributed attack using many IP addresses or target multiple accounts with a single password to stay under the lockout threshold.
Account lockout is a good control, but it is not perfect. Combine it with MFA, rate limiting, and threat intelligence to block malicious IP addresses.
Exam Trap — Don't Get Fooled
{"trap":"The exam question describes an attack where the attacker has a list of usernames and a list of common passwords, and attempts to log in by trying each password for each username. The student sees the word list and thinks dictionary attack. However, the attacker is trying the same password against many users first, then moving to the next password.
This is actually a password spraying attack, but students label it dictionary attack.","why_learners_choose_it":"Learners see the word common passwords and immediately think of a dictionary attack. They do not pay attention to the direction of the attack: one password across many users vs.
many passwords against one user.","how_to_avoid_it":"In the exam, read the scenario carefully. If the attacker tries the same single password against many accounts to avoid triggering lockout, it is password spraying.
If the attacker tries many passwords from a list against a single account until it locks out, it is a dictionary attack. Think of the direction of the attack."
Step-by-Step Breakdown
Obtain a Wordlist
The attacker downloads or creates a file containing thousands or millions of common passwords. This list is often sourced from previous data breaches, common password lists, and wordlists from security tools like Seclists. The quality of the wordlist is critical to the attack's success.
Target Identification
The attacker identifies the target system, such as a web login portal, VPN gateway, or an email server. For an offline attack, the attacker first obtains the password hash file through a separate data breach or SQL injection vulnerability.
Choose Attack Mode (Online or Offline)
In online mode, the attacker prepares a script that will send HTTP or SSH authentication requests to the server. In offline mode, the attacker prepares a cracking tool like Hashcat to process the hash file locally.
Launch the Attack
The automated tool begins feeding passwords from the wordlist into the authentication mechanism. For online attacks, each attempt generates a network request. For offline attacks, the tool hashes each word using the correct algorithm and compares the result to the stored hash.
Handle Rate Limiting and Lockouts
If the system has account lockout policies, the online attack must slow down or rotate through different user accounts to avoid getting blocked. The attacker might also use proxies or bots to distribute the attempts across many IP addresses.
Crack the Password
When a match is found, the attacker records the successful password. For online attacks, the attacker gains immediate access to the account. For offline attacks, the plaintext password is now known and can be used for lateral movement or credential stuffing.
Post-Exploitation
The attacker uses the compromised account to escalate privileges, move laterally, or exfiltrate data. This step is outside the dictionary attack itself but is the ultimate goal of the attacker.
Practical Mini-Lesson
In real-world IT environments, defending against dictionary attacks requires a layered approach. The first line of defense is a strong password policy. However, not all password policies are equal. A policy that only requires a minimum of 8 characters and a mix of character types is no longer sufficient because common passwords like Password1 meet that requirement. Modern best practices recommend using a password blacklist that checks potential passwords against a known dictionary of common passwords. Many enterprise identity servers, such as Microsoft Active Directory with Azure AD Password Protection, can be configured to reject passwords that match entries in a dynamic banned password list.
Another critical defense is account lockout. Setting a threshold between 3 and 5 failed attempts, combined with a lockout duration of at least 30 minutes, effectively stops automated online dictionary attacks because the attacker cannot try more than a handful of passwords per account. However, you must also consider the user experience. Too aggressive a lockout policy can lead to user frustration and a high volume of help desk calls. A smart compromise is to implement lockout only after a certain number of failures from a single IP address or geolocation, rather than locking the account globally.
For offline dictionary attacks, the focus shifts to secure password storage. Never store passwords in plaintext or with unsalted fast hashes like MD5 or SHA-1. Use a slow, salted hashing algorithm such as bcrypt, scrypt, or Argon2id. The salt ensures that two users with the same password will have different hashes, and the slowness of the algorithm makes it computationally expensive for an attacker to test even a moderate-sized dictionary. In practice, a bcrypt setup with a cost factor of 10 or higher can slow down a dictionary attack from millions of attempts per second to only a few hundred.
For professionals working on penetration testing engagements, running a dictionary attack is standard practice. Tools like Hydra are used for online attacks, and Hashcat is used for offline attacks. When conducting a test, you first gather a large wordlist, often the RockYou list combined with custom entries relevant to the organization, such as the company name, product names, and local sports teams. You then run the attack and document any credentials that are cracked. The results are used to convince management to improve password policies. It is important to know that a successful dictionary attack in a test does not mean the system is weak overall. It means that specific users need to change their passwords. The real test of security is whether the password storage is salted and slow, and whether the accounts are protected by multi-factor authentication. MFA is the ultimate defense against dictionary attacks because even if the attacker guesses the password, they still cannot access the account without the second factor.
Memory Tip
Think D-list: Dictionary attack uses a D-list of common passwords, like a scripted actor reading from a D-list script.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →CS0-003CompTIA CySA+ →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Can a dictionary crack any password?
No, a dictionary attack only works if the password is present in the attacker's wordlist. If the password is a random string of characters not found anywhere in the list, the attack will fail. This is why random passwords are much stronger than phrases.
What is the difference between online and offline dictionary attack?
An online dictionary attack happens in real time against a live server, like a website login page. An offline dictionary attack happens after the attacker has obtained a file of password hashes and can crack them locally without any server interaction. Offline attacks are much faster because there is no network delay or rate limiting.
Does multi-factor authentication stop dictionary attacks?
Yes, effectively. Even if the attacker successfully guesses the password, they still need the second factor, such as a code from a phone or a fingerprint. MFA is the single most effective defense against all password-based attacks, including dictionary attacks.
What is a salted dictionary attack?
A salted dictionary attack is an offline attack where the attacker knows the salt value (often stored with the hash). The attacker takes each word from the dictionary, appends or prepends the salt, hashes it, and compares it to the stored hash. Salting does not prevent the attack, but it makes it slower and removes the possibility of using precomputed tables.
What is a rules-based dictionary attack?
A rules-based attack uses a set of rules to modify each word in the dictionary before testing. For example, a rule might add 2024 at the end, capitalize the first letter, or replace e with 3. This allows a smaller wordlist to generate many more candidate passwords that match real human patterns.
How long does a dictionary attack take?
It depends on the size of the dictionary and the speed of the attack. An online attack might take minutes to hours if the server is slow. An offline attack with Hashcat on a modern GPU can test over 100 billion hashes per second for fast algorithms like NTLM, meaning a list of 10 million passwords could be checked in a fraction of a second.
Summary
A dictionary attack is a type of password attack that uses a precompiled list of common passwords to gain unauthorized access to a system. It is one of the most fundamental concepts in IT security and a frequently tested topic in the CompTIA Security+ exam. The attack works because humans are predictable: most users choose passwords that are easy to remember, which are also easy for attackers to guess. Understanding the distinction between a dictionary attack and other password attacks, such as brute force, password spraying, and rainbow tables, is crucial for any aspiring cybersecurity professional.
The primary defense against online dictionary attacks is a combination of strong password policies that reject common passwords, account lockout mechanisms, and especially multi-factor authentication. For offline attacks, the key is to use slow, salted hashing algorithms like bcrypt or Argon2, which make it computationally expensive for the attacker to test even a moderate-sized wordlist. In the Security+ exam, you will be expected to recognize dictionary attack scenarios, know the appropriate mitigation strategies, and differentiate it from similar attack types using clues in the scenario description.
As a final takeaway, always remember that a dictionary attack is only as good as its wordlist. If your password is not in the list, you are safe from that specific attack. But because many users still pick weak passwords, this attack remains a real and persistent threat in every organization. As an IT professional, your job is to enforce policies and deploy technologies that make dictionary attacks ineffective. That knowledge is not just for passing an exam. It is fundamental to protecting real systems and real people's data.