Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What’s a Dictionary Attack?

An attack based on lists and persistence.

A dictionary attack is a common brute-force way of achieving a hacker's goal. The goal of a dictionary attack could range from compromising your system to sending spam.
One kind of dictionary.
One kind of dictionary. (Image:

One of the terms that comes up frequently in discussions about security and particularly password security is dictionary attack.

On the surface, it’s very simple, but it has implications on more than just passwords and more than just signing in.

It even applies to spam.

Become a Patron of Ask Leo! and go ad-free!


Dictionary attacks

Dictionary attacks try everything in a pre-defined list of words, discovered passwords, or more. It can be a quick attack against an offline copy of a stolen password database, or a slow persistent attack against some user interface. Dictionary attacks also apply to things like spam, where lists of common usernames are used as spam targets.


When we think of a dictionary, we typically think of a book (or now a website) that lists words and their definitions.

In the realm of online security, we only need half of that: the list of words.

But in this context, dictionary applies to more than just a list of words. It can include:

  • A list of common passwords
  • A list of previously discovered passwords
  • A list of common first names
  • A list of… well, just about anything

The key is that a dictionary is just a pre-compiled list of strings that might have applicability to whatever hack is being attempted.


The attack that follows is very simple:try everything in the dictionary.

Most online systems block or delay you if you enter your password too many times. While dictionary attacks can occasionally be used here — perhaps trying the three most common known passwords in turn1 — that’s inefficient and labor intensive.

Instead, dictionary attacks take either of two approaches: offline or persistent.

Offline attacks are just that: attacks that operate on offline copies of compromised copies of password databases for a service that has perhaps been hacked. The attacker tries all possible passwords, or a massive database of previously discovered passwords, at exceptionally high speed, and can often discover the password for a large number of the accounts in the database.

Persistent attacks are just that: persistent, but slow. They might make one attempt every minute (1440 attempts per day), but be ready to keep that up doggedly for year after year.2 They can often bypass login delays by changing the username being attempted or by distributing the attack across a network of bots. Since it’s all automated and often running on compromised machines, it costs the attacker nothing. If it comes up with even a few compromised accounts in a year, it’s a win for them.

More than passwords

I mentioned spam, and one possible dictionary being a list of common first names.

Many spam sources don’t even have a list of known email addresses. They just perform a dictionary attack using common names as email addresses on popular email services. For example,they might send spam to “”, and “”, and “”, and “andy” and “bob” and so on and so on, regardless of whether those emails are valid.

Since first-name email addresses are considered valuable, easy to remember, and in some cases even cool, it’s very likely that this form of dictionary attack will be successful at finding a working account more often than not.

It’s still a dictionary attack, just on a different interface, trying to reach your inbox rather than gain access to your account.

CAPTCHA is one result

Be it signing in or just leaving a comment on a website, persistent dictionary attacks are the bane of any online service. I run into it in various forms here on Ask Leo!.

It’s one reason I had to resort to using CAPTCHAs — “prove you’re human” tests3 — on some of the places my site was getting abused.

Remember, every site you visit is experiencing this. Every site is trying to distinguish your valid attempt at signing in from the constant and persistent attacks it’s experiencing.

Do this

So, what does this all mean for you?

Two things.

First, don’t use passwords that would appear in a language dictionary. Even one or two dictionary words combined could be discovered in a dictionary attack. If you use a passphrase, length matters: use four or more words to be secure.

Don’t use passwords that would appear in any other kind of dictionary. If your password has been discovered anywhere even once, then it’s possibly included in someone’s dictionary of discovered passwords.

Long passwords of random characters are best, making sure to use a different password for every site.

And finally, have a little patience with the sites and services throwing CAPTCHAs or other security measures at you. They’re under constant attack and are trying to keep themselves and you as secure as possible.

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio


Footnotes & References

1: Which will still be successful a depressingly high number of times.

2: It can be fascinating to watch. I’ve seen it happening in real time in my server logs: a slow but persistent attempt to sign in over and over and over again, 24 hours a day, seven days a week. (And every server on the planet is under this kind of constant attack.)

3: There’s now proof of concept AI that can decipher some CAPTCHAs, so I’m not sure where this is headed long term.

5 comments on “What’s a Dictionary Attack?”

    • Was he though? Not that hard to add a couple of incrementing digits to the slow-but-steady attack.

      The one that gives me pause are those folks who add their birth year, no to avoid attack, but to hopefully come up with a unique email address, their preferred one already being taken. leo2023@something for example. Except it instantly gives away a piece of personally identifying information. This might make for a separate tip.

  1. I use unique, 16-character passwords generated by my password manager and I enable 2FA where available. If the account is important (needs to be secure for any reason) but does not support 2FA (excluding forums, etc.), I don’t sign up. My theory is that if the site owner/master doesn’t care enough about my security to support 2FA and long passwords, I’m probably better off not having an account/information there. For sites where I post comments/replies, etc. I avoid including too much specific personal information, even in my profile. While I may include detailed information about how I do something, I never include any specific personal information about myself or my family/friends, even their names (when possible). I think what I do/say/post online may well be as important as any other security measures I take to remain safe online.


    Ernie (Oldster)

  2. Dictionary attack… I had to chuckle because the robo-call I just received, but did not answer, was probably a “dictionary attack”. Robo-calling machines call thousands of 10-digit numbers like 213-222-0001, 213-222-0002, 213-222-0003, at once until a person or answering machine answers. BINGO! They know they dialed a working phone number. If you ANSWER the call, they know even more; a real live honest-to-goodness person (errr, I mean a possible victim).


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.