Security Encyclopedia

Dictionary Attack

A Dictionary Attack is a form of brute-force attack against a cryptosystem or authentication system.

In a dictionary attack, the perpetrators attempt to break the encryption or gain access by spraying a library of terms or other values at the target. The data fed automatically into the target can be words from a dictionary or number sequences; however, it is increasingly common for the data in a dictionary attack to be less random (e.g. usernames and passwords exposed in a prior data breach).

Poor password hygiene, such as superficially updating a password by appending successive numbers, symbols, or letters, makes dictionary attacks easier to execute. Passwords and other shared secrets themselves lay the foundation for these attacks, which result in account takeover (ATO) and the financial fraud that follows.

Example:

“Simply ‘updating’ a password by adding a number or a special character provides inadequate protection from account takeover. These simple fixes don’t help because, as we assume hackers already have your password from prior breaches, a dictionary attack can easily crack the user’s addition of these characters, since such an attack will run through millions of combinations in a short amount of time.”
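As an added illustration (not part of the encyclopedia entry), the following Python password-policy check rejects the "trivial update" pattern described above: it normalizes a candidate password the way a dictionary attack effectively does (lower-casing, stripping leading and trailing digits and symbols, undoing common letter-for-symbol substitutions) and compares the result against a word list. The DICTIONARY set and LEET_MAP are constructed stand-ins; a real deployment would load a large breached-password corpus.

```python
"""Defensive check: does a candidate password reduce to a dictionary word
once the trivial 'updates' (digits, symbols, leet-speak) are removed?"""
import re
import string

# Constructed stand-in for a dictionary / prior-breach word list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "qwerty"}

# Common substitutions that crackers enumerate; the check reverses them
# so "P@ssw0rd" is recognized as "password". Constructed, not exhaustive.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Runs of digits/punctuation glued onto the start or end of a base word.
_JUNK = "0-9" + re.escape(string.punctuation)
_SUFFIX_RE = re.compile(r"[" + _JUNK + r"]+$")
_PREFIX_RE = re.compile(r"^[" + _JUNK + r"]+")


def normalize(candidate: str) -> set[str]:
    """Return the base words a dictionary attack would recover from the
    candidate: lower-cased, with leading/trailing digit and symbol runs
    stripped, and with common leet substitutions undone."""
    lowered = candidate.lower()
    stripped = _PREFIX_RE.sub("", _SUFFIX_RE.sub("", lowered))
    return {lowered, stripped,
            lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def is_dictionary_derived(candidate: str, dictionary=DICTIONARY) -> bool:
    """True if any normalized form of the candidate is a known word."""
    return any(form in dictionary for form in normalize(candidate))


def check_password(candidate: str, dictionary=DICTIONARY,
                   min_len: int = 12) -> tuple[bool, str]:
    """Policy decision: (accepted, reason). Dictionary derivation is checked
    first because it is the failure mode the entry above describes."""
    if is_dictionary_derived(candidate, dictionary):
        return False, "dictionary word with trivial modification"
    if len(candidate) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd2024", "Summer!!!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```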