Dictionary Attack
A Dictionary Attack is a type of brute force attack where the attacker uses a list of common passwords or words (a “dictionary”) to guess the correct password. Instead of trying every combination, it focuses on the most likely passwords first, making it faster than simple brute force methods.
These attacks are based on the assumption that many users pick easy-to-guess passwords like “password123” or “qwerty”. Dictionary attacks are particularly effective against weak or commonly used passwords.
Variants
- Static dictionaries: Pre-built lists of common passwords, often based on leaked databases.
- Custom dictionaries: Tailored to the target (e.g., names, pet names, or domain-related terms).
Impact
If successful, attackers can gain access to accounts or encrypted data. Dictionary attacks are a common method in account takeover attacks and are also used during penetration tests. The damage can range from minor breaches to full system compromise.
Discoverability
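Like brute force, dictionary attacks against a login service generate many failed attempts, making them fairly easy to detect. However, they may be harder to distinguish from legitimate login attempts if the dictionary is small and the attack is slow. Offline attacks against stolen password hashes or encrypted data never touch the login service, so they produce no failed attempts to detect.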
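The detection point above, as an added example that is not part of the original page: failed logins are counted per source over a short window and a long window, so a slow attack that stays under the burst threshold is still flagged. The log format, the thresholds and all function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed auth log lines: '<ISO time> <source> <user> <OK|FAIL>'."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{t0.isoformat()} 192.0.2.10 alice FAIL",  # legitimate typo, then success
             f"{(t0 + timedelta(seconds=20)).isoformat()} 192.0.2.10 alice OK"]
    # Fast guessing: 6 failures, 5 seconds apart.
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 bob FAIL"
              for i in range(6)]
    # Slow guessing: 10 failures, 20 minutes apart.
    lines += [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} 198.51.100.9 carol FAIL"
              for i in range(10)]
    return lines

def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "OK"

def max_in_window(times, window):
    """Largest count of sorted timestamps that fit inside any span of `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

# Thresholds are illustrative assumptions; tune them to your own baseline.
RULES = (("burst", 5, timedelta(minutes=1)),
         ("low-and-slow", 8, timedelta(hours=6)))

def detect(lines, rules=RULES):
    """Return {source: rule name} for sources whose failed logins match a rule."""
    failures = defaultdict(list)
    for ts, src, _user, ok in map(parse, lines):
        if not ok:
            failures[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        for name, limit, window in rules:
            if max_in_window(times, window) >= limit:
                alerts[src] = name
                break
    return alerts

if __name__ == "__main__":
    for src, rule in detect(build_sample_log()).items():
        print(f"{src}: {rule}")
```

With only the burst rule enabled, the slow source goes unreported, which is the gap the long window closes.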
Tools
- John the Ripper: Supports dictionary files for offline attacks.
- Hydra: Can perform dictionary-based attacks across online protocols.
- SecLists: A massive collection of dictionary files used in penetration testing.