Have you ever heard the cybersecurity term “dictionary attack”, and wondered what it means? You’re not alone. Here, we’ll break down what a dictionary attack is, and explain what steps you should take to protect yourself from this threat.
What is a dictionary attack?
A dictionary attack is a type of brute-force hacking method that relies on specific lists (i.e. “dictionaries”) of words or phrases the attacker thinks will have the highest chance of success. Unlike a typical brute-force attack, which tries every possible password combination (e.g. “AAA”, “AAB”, “AAC”, and so forth), a dictionary attack is much more focused and efficient.
The list could include words from a dictionary, passwords that have leaked in the past, or common regional references or phrases, like a Florida resident using. They then use automated programs to try combinations of possible usernames and passwords until they’re able to break into the account.
While hackers can use dictionary attacks directly in the login field of an account, many apps and websites protect against this method. If a user enters an incorrect password too many times in a row, some accounts will automatically lock. To get around this, attackers will often use a dictionary attack on a database of hashed passwords they’ve obtained through a data leak.
Dictionary attacks on hashed passwords
When you register with a website or app, your password is often put through a one-way algorithm that scrambles it into a random series of characters. This process is known as hashing and is widely used to secure sensitive data while avoiding storing plaintext passwords.
Hashing is considered preferable to encryption when storing passwords for a couple of reasons. First, in the event of a data leak, attackers won’t gain access to the plaintext passwords. And second, there’s no need for the website to ever know the user’s plaintext password, which keeps it more secure.
But there are ways to crack a hashed password. Here are a couple of techniques that an attacker could apply to a database of hashed credentials to figure out one or more of the original passwords:
Running popular and predictable passwords through commonly used hashing algorithms. If the results match anything in their database of leaked credentials, they’ll know that the hashed password from the data leak corresponds to one of the commonly used passwords, which can then be used to access the associated account.
Using “rainbow tables” for popular hashing algorithms that contain common passwords and their hashed counterparts. If they find any of the leaked password hashes in the table, they’ll be able to see the corresponding original. This effectively reverses the hashing, letting them know the information they need to get into the user’s account.
How to protect yourself from a dictionary attack
It’s impossible to stop every data breach from happening or control how every company protects your credentials. But you can be proactive and take a variety of measures to protect yourself against dictionary attacks:
Create secure passwords. Use a password generator to create strong, unique passwords for all your online accounts, so they cannot be easily guessed or cracked.
Limit password attempts. Check to see if you’re able to limit how many failed login attempts are permitted before the system locks your account. This can help stop criminals from trying unlimited password combinations until they crack the account. It also alerts you to suspicious login activity so that you can change your password.
Change your password if it’s been compromised. If you receive an alert about questionable activity on your account, or if your credentials have appeared in a known data breach, change your password as soon as possible before a potential attacker can use it.
Use two-factor authentication (2FA). Wherever possible, turn on two-factor authentication to provide an extra layer of security for your account. With 2FA activated, a hacker can’t log in to your account with stolen credentials unless they also have access to the device(s) on which you retrieve your single-use codes.
Use a password manager. Password managers can help you create, store, and use strong, unique passwords for all your online accounts.
How can a password manager help protect you?
A dedicated password manager like 1Password can help protect you from potential dictionary attacks and the damage they can cause. 1Password makes it easy to create truly random passwords that an attacker won’t have on their list. But it can do more than just help you generate and store strong passwords.
1Password also works as an authenticator for websites and apps that support 2FA. This way, you save time because you don’t need to open your email or an authentication app to get your verification codes. Instead, 1Password will autofill these codes in your browser the same way it fills your login information.
Watchtower is a 1Password feature that alerts you if any of your accounts show up in known data breaches, giving you the chance to update the associated credentials before an attacker can use them further. It also lets you know about any weak or reused passwords that are currently saved in your vaults, prompting you to change them to something stronger.
Password security can be simple
You don’t have to be an IT expert to have strong password security. Follow cybersecurity best practices, such as using a dedicated password manager like 1Password, to protect your digital life from dictionary attacks and other cybersecurity threats.