ProtonBlog
What is a dictionary attack?

Dictionary attacks are a common method hackers use to try to crack passwords and break into online accounts. 

While these attacks may be effective against people with poor account security, it’s extremely easy to protect yourself against them by using strong passwords and two-factor authentication. This article explains how dictionary attacks work and how to prevent them. 

Dictionary attack definition

A dictionary attack is a type of brute-force attack in which an attacker uses a program to try to guess your password by testing a huge selection of words and phrases, one by one. The dictionary in the term is literal: the attacker goes through all the words in the dictionary, as well as commonly used passwords and password structures (like names and dates).

This means that if you protected your account with password123 or something along those lines, chances are an attacker has put it in their dictionary. The same goes for passwords leaked in a breach, as many people reuse their passwords multiple times, whether because of password fatigue or simply a lack of awareness.

Many people try to improve their password security by using numbers or symbols in place of letters, for example P@55word. However, attackers have figured out this tactic and will substitute capital letters, numbers, and symbols in commonly used phrases.
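The sketch below is an added example, not code from this article or from Proton: a signup-time check that reduces a password to the plain word behind it, so P@55word and password123 are rejected just like password. The word list, the substitution table and all function names are constructed for illustration.

```python
import re

# Constructed sample denylist; a real service would load a large list of
# common and breached passwords instead.
COMMON_WORDS = {"password", "letmein", "dragon", "welcome", "sunshine"}

# Look-alike substitutions mapped back to the letter they stand for
# (an illustrative, hypothetical table, not an exhaustive one).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})

def _strip_affixes(text: str) -> str:
    """Drop digits and symbols added before or after the word, e.g. '123'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)

def base_candidates(password: str) -> set[str]:
    """Return the plain words a password may have been built from."""
    lowered = password.lower()
    return {
        # "password123": remove the suffix first, then undo substitutions.
        _strip_affixes(lowered).translate(UNLEET),
        # "welcom3": the last character is itself a substitution, so undo
        # substitutions first and strip afterwards.
        _strip_affixes(lowered.translate(UNLEET)),
    }

def is_dictionary_derived(password: str) -> bool:
    """True if the password reduces to a word on the denylist."""
    return not COMMON_WORDS.isdisjoint(base_candidates(password))
```
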

One example of a successful dictionary attack was the 2012 Dropbox security incident, in which an attacker got hold of a Dropbox employee’s password, added that to their dictionary, and then was able to access Dropbox’s systems. As many as 68 million users’ credentials were leaked in this attack, making it one of the worst in cloud history.

Protecting against dictionary attacks

As serious as dictionary attacks can be, they’re one of the easiest attacks to avoid. First of all, online services have some responsibility here, as they should have systems in place that lock out a user making multiple access attempts. As dictionary attacks require a lot of attempts, this is a good way to thwart them.
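A lockout of the kind described above can be as simple as the following added example, which is not taken from any particular service. The class name, the thresholds (5 failures in 5 minutes, 15-minute lock) and the replay helper are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Lock an account after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window_s=300.0, lock_s=900.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account, now=None):
        now = time.monotonic() if now is None else now
        return self._locked_until.get(account, float("-inf")) > now

    def record_failure(self, account, now=None):
        """Register one failed login; return True if the account is now locked."""
        now = time.monotonic() if now is None else now
        recent = self._failures[account]
        recent.append(now)
        # Forget failures older than the window so occasional typos
        # by the legitimate user do not add up over days.
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_s
            recent.clear()
        return self.is_locked(account, now)

    def record_success(self, account):
        """A correct login resets the failure history."""
        self._failures.pop(account, None)

def failed_logins_until_lock(throttle, account, n_attempts, gap_s=1.0):
    """Replay n_attempts constructed failed logins, gap_s seconds apart,
    and return how many the service evaluated before locking."""
    evaluated = 0
    for i in range(n_attempts):
        now = i * gap_s
        if throttle.is_locked(account, now):
            break
        evaluated += 1
        throttle.record_failure(account, now)
    return evaluated
```

With these settings, a run of 1,000 rapid wrong guesses against one account is cut off after the fifth.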

But you can make a successful dictionary attack virtually impossible by creating strong passwords for all your accounts (and making sure each password is unique, for good measure). Any password you use more than once leaves you open to attack, as that Dropbox employee found out.

To create a strong password, you need two things: the password needs to be at least 16 characters long and random. Random means exactly that, too; you can’t use a regular word and then substitute letters with numbers. Attackers are wise to that and get around this with ease.

To create random passwords, you should use a password generator, which will do a better job than any human can. Of course, there remains the issue of remembering this random password. This is where password managers come in.
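As an added example (not Proton Pass code), this is roughly what a password generator does, together with a comparison of guessing effort between a random 16-character password and a dictionary word with a tweak. The function names, the 94-symbol alphabet and the word-list figures used in the comparison are assumptions.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 16) -> str:
    """Pick every character independently from the OS's secure RNG."""
    if length < 16:
        raise ValueError("use at least 16 characters, as the article advises")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password if a character class is missing, so
        # sites that demand mixed classes accept it. Redrawing everything
        # avoids forcing a known class into a fixed position.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy when each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def dictionary_entropy_bits(wordlist_size: int, variants_per_word: int) -> float:
    """Bits of guessing effort when the password is a listed word plus one
    of a fixed number of known tweaks (substitutions, added digits)."""
    return math.log2(wordlist_size * variants_per_word)

def compare() -> tuple[float, float]:
    """Random 16 characters vs. an assumed 1,000,000-word list with an
    assumed 1,000 variants per word (both figures are illustrative)."""
    return random_entropy_bits(16), dictionary_entropy_bits(1_000_000, 1_000)
```

Under these assumptions the random password carries about 105 bits of entropy, while the word-plus-tweak password carries about 30.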

How Proton can help fight dictionary attacks

A password manager is a program that generates, stores, and autofills your passwords as you browse the web. Password managers are the only viable way to maintain the use of random passwords. They’re also a massive upgrade to your online quality of life, as autofilling passwords with one click is wonderful if you’ve previously typed out your passwords.

However, at Proton we felt that most password managers on the market left a lot to be desired, which is why we developed Proton Pass. It offers the baseline features like generating and saving passwords, but then goes a lot further.

For one, Proton Pass offers end-to-end encryption, which encrypts your passwords at all times. Even if your traffic to our servers were somehow intercepted, the attackers would only get away with encrypted data, nothing they can use.

We also offer Pass Monitor, a tool that lets you track which of your passwords are weak, and thus more susceptible to a dictionary attack. It also alerts you when any of your email addresses have been exposed in a data breach, giving you the ability to change your password before an attack is carried out.

When you use Proton Pass to generate a password, you also have a lot more options that improve password entropy, or how random it is. Also, you can choose between strong, random passwords or long passphrases, which are a lot easier to remember, perfect for securing access to your password manager.

We also offer passkeys, a state-of-the-art technology that allows for passwordless authentication, thereby making you immune to dictionary attacks. Few password managers offer this functionality, and none are as flexible as Proton Pass, letting you use passkeys on any system that supports them.

We can offer these advanced features, and more, because we are entirely funded by subscriptions — no venture capital, no advertisers — and thus rely on you to keep us in business. As a result, we’ll always put you, our community, first. If that sounds like something you’d like to be a part of, join Proton Pass today.
