How a dictionary attack works

Last Updated on July 15, 2018 by Dave Farquhar

A dictionary attack is a common way to steal a password. Here’s how a dictionary attack works, in layperson’s terms. More importantly, here’s how to beat the attack.

A dictionary attack is a much more efficient alternative to brute force hacking, but it requires a local copy of the user database to work. That usually means stealing the database first, if a bad guy is doing it. But nothing stops a company from doing a dictionary attack on its own user accounts to make sure people aren’t using insecure passwords. It’s unusual, but not unheard of.

How a dictionary attack works
A dictionary attack compares millions of precomputed hashes against a stolen list of hashed passwords.

No good system stores passwords as straight plan text. Instead, it stores a hash of the password. It’s not exactly encryption. If you’re sitting for the CISSP exam soon, you need to know the difference. If not, think of it like encryption, or scrambling.

Computing these hashes takes time. But there are a limited number of these hash algorithms. There are also a limited number of passwords that humans actually use. A dictionary attack just stores precomputed hashes for millions of passwords and tries them.

This may make your eyes glaze over but bear with me for a second while we look at some hashed data.

MD5 is an obsolete but still-common method. Here’s what the word password looks like after you hash it with MD5:


Here’s what passw0rd looks like after you hash it with MD5:


It’s completely different, even though I changed a single character. As far as the computer is concerned, they’re two completely different words. If I’m a bad guy, my “dictionary” is just a file full of lines like the two in boldface above.

Now, the GCHQ (the British NSA) currently recommends you use four unrelated words as a password. I was skeptical. Then I did the math. Yes, for now, it’s good enough.

Why does this work, when people like me have been saying for years not to use dictionary words in passwords? Well, as long as the words are random and unrelated, it works. Let’s take the infamous XKCD Correct Horse Battery Staple example.






Notice that all of the hashes are exactly the same length. I can’t derive the fifth one from any of the preceding four. So that’s why stringing four random words together defeats a dictionary attack.

Does the order matter? You tell me:


Now here’s the danger: People will cheat and use four words from their favorite book or song and think they’re creating good passwords. Famous four-word combos are already in the attackers’ dictionaries. I guarantee that.

To do this right, pick up the nearest book. Turn to a random page and point at a word without looking. If one of the words fits with the others, discard it and pick another one. You want something as nonsensical as correct horse battery staple. But don’t use that one.

I can’t tell you if you picked a good four-word combination but I can tell you how to find if you picked a bad one. Plug your combination into an MD5 generator. Take the MD5 and copy and paste it into an MD5 reverser. If they can reverse it, it’s a bad password. Pick another one.

Technology doesn’t stand still. Will this still be good advice in five years? Ask me in the early 2020s.

The biggest problem with security is that we drive ourselves mad looking for A-plus security. In doing so we overlook good enough.

I work with my high-achieving clients to not overlook good enough. Four-word passwords make our lives easier and today, they’re good enough. So don’t feel guilty about using one.

So that’s how a dictionary attack works. More importantly, now you know how to defeat a dictionary attack. You can’t control how other people store your passwords, but you can make your password too hard to guess anyway. That’s security.

If you found this post informative or helpful, please share it!

One thought on “How a dictionary attack works

  • September 19, 2016 at 10:13 am

    Excellent overview.

Comments are closed.

%d bloggers like this: