A dictionary attack is a password-guessing technique, a refinement of brute force, that tests candidates from a pre-compiled list instead of trying every possible character combination. The 'dictionary' is typically built from common passwords, real dictionary words, and credentials leaked in past data breaches. It can be run online, against a live login form, or offline, against a stolen database of password hashes, where each guess is hashed and compared with the stored values.
This approach is far faster than random guessing because most people choose weak, predictable passwords based on real words, names, dates, or common phrases. An attacker might test 'password123', 'qwerty', 'admin', 'letmein', or username variations within seconds rather than hours.
Why it matters: Dictionary attacks succeed against poorly chosen passwords, which makes them a standard first step in unauthorised access attempts. They work against website login forms, email accounts, Wi-Fi networks (captured handshakes), and system logins, and against leaked hash dumps, without needing advanced technical skills; freely available tools ship with word lists and mutation rules ready to use.
Common variants include:
- Hybrid attacks: applying mutation rules to each dictionary word, such as appending digits, years or symbols, changing case, or substituting characters ('password1', 'Password2019!', 'p@$$w0rd')
- Reverse dictionary attacks: starting from a short list of common or leaked passwords and trying each one against many known usernames (often called password spraying); because each account sees only one or two failures, per-account lockouts rarely trigger
- Targeted dictionary attacks: seeding the list with personal or organisational information such as birth dates, pet names, family names, or company-specific terms
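The mechanism behind the plain, hybrid and targeted variants above, as an added example that is not part of the original page: an offline attack against a constructed store of salted SHA-256 hashes. The word list, the targeted terms, the user accounts and the hash format are all assumptions made for the illustration; the mutation rules mirror the kind of transformations cracking tools apply automatically.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed word list: a few "top passwords" plus ordinary dictionary words.
COMMON_WORDS = ["password", "letmein", "qwerty", "admin", "welcome"]
# Constructed "targeted" terms gathered about the victims (a pet name, an employer).
TARGETED_WORDS = ["fluffy", "acme"]

# Leetspeak substitution table used by the hybrid rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_password(password: str, salt: str) -> str:
    """Fast salted SHA-256 as a stand-in for a weak password store (assumption:
    the store holds SHA-256(salt || password)). A fast hash is exactly what makes
    offline dictionary attacks cheap."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Yield each plain word, then hybrid mutations of it: case variants and
    leetspeak, each followed by digit suffixes 0-99, year suffixes 1990-2024,
    and common symbol suffixes."""
    for word in words:
        forms: List[str] = []
        for form in (word, word.capitalize(), word.upper(), word.translate(LEET)):
            if form not in forms:          # skip duplicates such as an unchanged leet form
                forms.append(form)
        for form in forms:
            yield form
            for n in range(100):
                yield f"{form}{n}"
            for year in range(1990, 2025):
                yield f"{form}{year}"
            for sym in "!@#$":
                yield f"{form}{sym}"
                yield f"{form}1{sym}"


def crack(targets: Dict[str, Tuple[str, str]], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack. `targets` maps username -> (salt, hex digest).
    Returns (recovered passwords by username, number of hash computations made).
    Because every user has a distinct salt, each candidate is hashed once per
    still-uncracked user; that is the cost salting imposes on the attacker."""
    found: Dict[str, str] = {}
    attempts = 0
    for candidate in hybrid_candidates(words):
        for user, (salt, digest) in targets.items():
            if user in found:
                continue
            attempts += 1
            if hash_password(candidate, salt) == digest:
                found[user] = candidate
        if len(found) == len(targets):
            break
    return found, attempts


def build_sample_store() -> Dict[str, Tuple[str, str]]:
    """Constructed password store; a real attacker obtains one from a breach dump."""
    plaintexts = {
        "alice": "Password1!",                 # hybrid: capitalised word + digit + symbol
        "bob": "letmein2019",                  # hybrid: word + year
        "carol": "p@$$w0rd",                   # leetspeak dictionary word
        "dave": "Fluffy2015",                  # targeted: pet name + year
        "erin": "ochre-tripod-velvet-kiln",    # random unrelated words: on no list
    }
    store: Dict[str, Tuple[str, str]] = {}
    for i, (user, password) in enumerate(plaintexts.items()):
        salt = f"salt{i}"
        store[user] = (salt, hash_password(password, salt))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    recovered, attempts = crack(store, COMMON_WORDS + TARGETED_WORDS)
    for user in store:
        print(f"{user:6} {recovered.get(user, '<not recovered>')}")
    print(f"{attempts} hash computations")
```

Four of the five accounts fall in a few thousand hash computations, including the leetspeak and the targeted one; only the password built from unrelated random words survives, because no rule applied to a short word list ever produces it. Swap `hash_password` for a slow, memory-hard function such as Argon2 and the same search becomes orders of magnitude more expensive per guess.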
What you should do: Use long passphrases made of several randomly chosen, unrelated words; it is length and randomness that defeat a word list, not substitutions like 'P@ssw0rd' or a trailing '1!', which hybrid rules generate automatically. Never reuse a password across sites, since a breach of one site feeds the dictionary used against the others, and enable two-factor authentication so a guessed password alone is not enough. Organisations should rate-limit logins and lock accounts after repeated failures, but also rate-limit per source address, because password spraying stays below per-account thresholds and account lockouts can themselves be abused to lock legitimate users out. They should reject new passwords that appear in breached-password lists, store passwords with a slow salted hash such as bcrypt, scrypt or Argon2 so that offline dictionary attacks are expensive, and deploy password managers to generate truly random credentials.
