F5 GLOSSARY

Dictionary Attack

A dictionary attack is a credential-cracking methodology frequently leveraged to compromise authentication systems by systematically cycling through pre-compiled lists of potential passwords. Also referred to as a dictionary-based attack, this technique exploits the tendency of users to select passwords based upon standard words, frequently used phrases, proper names, or predictable character combinations. Additionally, attackers frequently use dictionary-based methods to automatically enumerate valid email addresses for spam campaigns.

Unlike brute-force attacks, which exhaustively attempt every conceivable permutation of characters (consuming significant computational resources and time), dictionary attacks leverage predefined wordlists containing commonly selected or leaked passwords, enabling more rapid and resource-efficient compromise attempts.

Dictionaries and specialized software tools for performing dictionary attacks are widely available, both commercially and freely within security community resources. Dictionaries range in scale from thousands to millions of entries. IT administrators and security specialists commonly leverage these tools and dictionaries proactively—conducting security tests, penetration assessments, and password audits—to evaluate their systems' susceptibility to this attack vector.

A common mitigation technique involves enforcing password-creation policies that automatically reject credentials exclusively derived from dictionary entries or predictable password lists. However, overly restrictive dictionary filtering policies may adversely impact user experience and create difficulty in selecting compliant passwords. Security practitioners must therefore balance password complexity requirements with practical usability considerations.

Another critical policy is eliminating "Joe accounts"—user accounts where the username and password are identical—as these accounts are frequently the primary targets of automated dictionary attack tools. Security administrators should, at minimum, implement controls prohibiting the creation of Joe accounts and enforce password complexity guidelines to minimize successful credential-guessing attempts.
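The two policy controls described above (rejecting dictionary-derived passwords and blocking Joe accounts) can be combined into a single password-creation check, shown here as an added example that is not F5's code. The wordlist, the leetspeak substitution table and the trailing-digit stripping are constructed for illustration; a real deployment would load a full dictionary or leaked-password list.

```python
import re
from typing import Optional

# Constructed sample wordlist standing in for a real dictionary or leaked-password
# list (hypothetical; production deployments load files with millions of entries).
COMMON_PASSWORDS = frozenset({
    "password", "letmein", "welcome", "qwerty", "dragon",
    "football", "monkey", "summer", "admin", "123456",
})

# Character swaps commonly applied to dictionary words; undoing them lets the
# policy treat "P@ssw0rd" as derived from "password". Table is illustrative.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "4": "a", "5": "s", "7": "t"})


def _base_word(candidate: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, then undo leetspeak.

    "Summer2024!" -> "summer", "P@ssw0rd" -> "password".
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
    return core.translate(_LEET)


def check_password(username: str, password: str,
                   wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Return a rejection reason, or None when the password passes the policy.

    Rejects Joe accounts and passwords exclusively derived from a wordlist
    entry, but accepts passwords that merely contain a dictionary word
    ("MonkeyBusiness42"), so the policy stays usable.
    """
    if password.lower() == username.lower():
        return "joe-account"          # username and password identical
    if password.lower() in wordlist:
        return "dictionary-word"      # exact hit on the wordlist
    if _base_word(password) in wordlist:
        return "dictionary-derived"   # e.g. "Password1!", "P@ssw0rd", "Summer2024"
    return None
```

Integrating this check at account creation and password change enforces both controls; run the same function over existing accounts to find Joe accounts already present.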