My system administrator has my server locked down really tight so that I
wouldn’t be vulnerable to what he called “dictionary attacks”. However this
weekend he said that my server was being impacted by exactly that – a
dictionary attack. Was he lying, or am I misunderstanding something? What’s a
I doubt that your system administrator was lying. (OK, I’ll come clean – I’m
the system administrator in this case, and the question came from one of my
There’s definitely a little confusion as to what constitutes a dictionary
attack – not so much about the technique, but all the different places that the
technique might be applied.
Become a Patron of Ask Leo! and go ad-free!
First let’s define the term: a dictionary attack is an attempt to thwart
security by simply trying lots of common words, login names or passwords until
one works. It sounds very tedious, and in fact it is – but that’s exactly what
computers are good at. Give them a list of words (a dictionary), and a program
to try them all, and a computer will happily whack away at it until something
That’s one of the reasons we harp on secure passwords – you’d be surprised
at how many passwords can be “guessed” by a dictionary attack that does nothing
more than try pairs of words out of an actual dictionary, combined
The confusion is that “dictionary attack” is nothing more than a technique.
There are many places the this technique can be used.
The most obvious is, as I’ve mentioned, attempting to login to a computer or
on-line service. A dictionary attack will try lots of common user names, and
lots of common passwords, in rapid succession. User names are actually the
easier part – we all seem to want to use our first name. Again, that’s why
strong passwords are such a must.
For “FTP” style access (or rather, SFTP – ‘secure’ FTP), servers can be
configured to require a different type of authentication using cryptography
that prevents even the correct user name and password combination from working.
This effectively stops dictionary attacks against sftp access from ever
possibly working. I’ll bet that’s exactly what your system administrator has
done for you.
But “login” access isn’t the only place that intruders might attempt to
compromise or misuse your system. Consider for a moment, spam.
There are several techniques that spammers use to target their messages.
We’ve talked about how they harvest email addresses from web pages, for
example. Another, though, is in fact a type of dictionary attack.
with a list – a dictionary – of common account names and start sending email
Domain names (the part after the “@” in an email name) are public record.
It’s not hard at all to see what domain names are taken and in many cases, even
verify that they have some kind of email associated with them.
Spammers then just crank up their spam sending machine with a list – a
dictionary – of common account names and start sending email to all the
addresses that result, whether or not those recipients actually exist. It
actually doesn’t matter that most might not, because a few will. And for those
few, the spam will have made it through, and made the exercise worthwhile.
Let’s look at an example – “askleo.info” doesn’t actually have email
associated with it, but if it did, spammers might start sending spam to
email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org, email@example.com, and so on. They’ll just
run through thousands and thousands of possible email addresses in the hopes
that one or two will work. And in the list above — well, all things
considered, it seems likely that “firstname.lastname@example.org” might well work, were I to
set up email on that domain. So out of the 7 attempts in that short list, 1
might actually have gotten through.
While that’s still a dictionary attack, it’s an attack on a different
interface. Rather than attacking your system’s login in an attempt to gain
access, this is an attack against your email domain in an attempt to deliver
spam. And the tools to deal with it are, naturally, quite different. The lock
down that protects your login doesn’t apply to email delivery. And the changes
to minimize the impact on email attacks don’t help against login attacks.
Web forms – web pages where you fill in information to login or perform some
action, are subject to these attacks as well. That’s why most will place a
limit on the number of times you can fail, after which they lock you out for a
while – this prevents the automated tools from using a brute force dictionary
attack from gaining access to the account.