What is a dictionary attack?

Representational image of a hacker
(Image credit: Shutterstock)

It’s pretty clear that cybercriminals are willing to go to some extreme lengths in order to hack accounts and gain access to sensitive data, but you might not have heard of a dictionary attack.

You should be aware of this method, though, especially if you want to keep your accounts secure – and especially if you’re worried about the password security that your family and friends use.

In essence, a dictionary attack is a type of brute force attack, but it uses recognizable words rather than strings of random letters, numbers and symbols. And when many inexperienced tech users create passwords that use proper words, that can cause big problems.

We’ve explained dictionary attacks here, highlighted how they differ from other hacking techniques, and delved into the best methods for preventing these nefarious attacks. And if you’d like even more security advice, head to our explainer on endpoint protection and antivirus – or explore the best plagiarism-checking tools.


Reader Offer: Save 55% on NordPass Premium

Reader Offer: Save 55% on NordPass Premium
NordPass provides an accessible, competent, easy-to-use solution that most people will love, according to TechRadar editors. Save 55% on NordPass Premium plus 3 months free.

Preferred partner (What does this mean?

What’s a dictionary attack?

It might sound like the kind of thing that happens during an argument at a library, but a dictionary attack is actually a sophisticated method used by cybercriminals who want to gain access to your email accounts, bank details and social networks.

To understand a dictionary attack, though, you’ve got to get to grips with another kind of hacking method – the brute force attack.

A brute force attack attempts to guess someone’s password by systematically trying to every possible combination of numbers, letters and symbols. But while brute force methods can hack into accounts by finding passwords, the nature of the approach means it can take ages. Imagine how long even the best computers will take to motor through every possible combination of digits in a 20-character password.

A dictionary attack refines this method. Instead of trying every combination of letters, numbers and characters, a dictionary attack uses recognizable words and phrases instead.

This approach reduces the number of potential passwords a hacker has to try to get inside someone’s account. That cuts back on the amount of time and resources a hacker must deploy to get the job done.

It’s a worthwhile approach. While using words and phrases rather than every potential password combination does reduce the chances of a successful guess, it’s a quicker process. And when so many people use recognizable words in their passwords, it’s still worth trying to any hacker.

Hackers also refine the process. They’ll develop lists of words that are relevant to the account or person they’re trying to hack – based on location-specific phrases, the local sports teams, or any other information they’ve got about the person behind the account. Criminals will use terms that are specific to organizations if they’re trying to hack into company servers, or build lists based on the most common password terms.

In other situations, hackers will develop dictionary attack lists based on passwords that were already exposed in security breaches. They’ll also include sequential number sequences and other common characters in their list of attack words, so you may not necessarily be safe if you’ve added “123” to end of your password in order to try and make things more secure.

Dictionary attacks may not be the most effective way to hack an account, but they use fewer resources than brute-force methods. And when too many people reuse passwords, develop passwords based around common words and don’t practice good password security, it’s no wonder that hackers get results.

How can I avoid a dictionary attack?

As time goes on, hacking methods get more sophisticated – which means users have to fight back with increasing ferocity if they want to keep their accounts, details and financial information safe.

Thankfully, there are some simple rules to follow if you want to avoid becoming the victim of a dictionary attack.

The first thing you should do? Eliminate real words and phrases from your passwords, and make sure you don’t have strings of often-used numbers and letters like “123” and “QWERTY”. Dictionary attacks rely on people lazily using these tropes, and avoiding them is the best way to stay protected.

Instead of going down that route, use long passwords with randomized collections of letters, numbers and special characters, and make sure you’ve got a unique password for every account.

That might sound daunting – especially the prospect of remembering all those passwords – so we always recommend that people use a password manager, too. We’ve rounded up the best password managers here. The top options won’t just save all your passwords – they also generate secure passwords, use encryption to protect your existing codes, and highlight any weak passwords you should change.

When an account offers it, you should also deploy multi-factor authentication. This method uses biometric methods like fingerprint recognition alongside third-party apps and text codes to add an extra layer of security to any account or service. Essentially, it means that a hacker can’t reach your account even if they’ve got your password – because they don’t have the extra bit of information required.

Elsewhere, you should investigate the settings section on each app and account. Lots of services enable you to lock people out if they make a certain number of unsuccessful login attempts, and they’ll often demand that the original owner resets their password. If you want to prevent hackers from having free reign to try and guess your password an unlimited number of times, that’s a smart move.

Our final piece of advice? Make sure you change your passwords frequently. A good password manager can help you in this department by saving passwords, generating new codes and providing reminders.

You certainly can’t stop every hacker, especially given how many password lists are leaked on the dark web, but if you change your passwords then you can stop someone getting into your account – even if they’ve got possession of a password that used to work.

Many security experts recommend changing your password every three months, and some services demand that you do this as an extra layer of security.

There’s no denying that dictionary attacks are worrying, especially when hackers are trying to access sensitive information, bank details, medical records or your email and social media accounts. But if you’re smart about your security and avoid common words, phrases and character sequences, you’ll stay safe – and the hackers won’t get far.

We've listed the best password recovery software.

Mike has worked as a technology journalist for more than a decade and has written for most of the UK’s big technology titles alongside numerous global outlets. He loves PCs, laptops and any new hardware, and covers everything from the latest business trends to high-end gaming gear.