Dictionary Attack
What is Dictionary Attack?
Dictionary Attack: A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations.
A dictionary attack narrows the search space of brute force by guessing only plausible candidates: common words, names, dates, leaked credentials, and rule-based mutations ("Password" → "P@ssw0rd!2025"). Modern password-cracking tools (Hashcat, John the Ripper) layer dictionaries, masks, hybrid rules, and Markov models against captured hashes to recover passwords orders of magnitude faster than pure brute force.
Why wordlists are so effective
Real human passwords cluster tightly around a tiny fraction of the keyspace. The canonical wordlist, rockyou.txt, comes from the December 2009 RockYou breach, in which a SQL injection flaw exposed roughly 32 million credentials that the company had stored in plaintext. The deduplicated list of 14,344,392 passwords still ships by default with Kali Linux and is usually the first artifact a penetration tester throws at a captured hash. Later compilations such as RockYou2021 and RockYou2024 aggregate billions of leaked strings from many breaches, though most cracks still come from the original few million.
How a modern crack runs
Attackers rarely use a raw wordlist. They apply rule files (e.g. Hashcat's best64, dive) that perform leetspeak substitution, case toggling, and year/suffix appending, then fall back to mask and Markov attacks for the long tail. On commodity GPUs this recovers weak passwords behind fast hashes (MD5, unsalted SHA-1, NTLM) in seconds.
Defences
Defence lives mainly in the storage layer: memory-hard, salted hashing with Argon2id, bcrypt, or scrypt (or PBKDF2 with a high iteration count) makes each guess expensive. Combine this with breached-password screening (e.g. Have I Been Pwned's k-anonymity API), long passphrases, rate limiting, account lockout, and MFA so a recovered password is not enough on its own.
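The two storage-layer controls above, breached-password screening in the k-anonymity style and salted, deliberately slow hashing, as an added example (not code from the original page). The breached list, the 5-character prefix index standing in for the remote range endpoint, and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for breach data. The real k-anonymity API is queried
# with the first 5 hex chars of the SHA-1 and returns matching suffixes; here
# the index is built locally so the check runs offline.
CONSTRUCTED_BREACHED = ["password", "P@ssw0rd!2025", "123456", "letmein"]

# Assumed iteration count; tune so one hash costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Index breached SHA-1 digests by 5-char prefix, like the range endpoint."""
    index = {}
    for pw in breached:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password: str, range_index) -> bool:
    """Only the 5-char prefix would leave the client; suffix match is local."""
    digest = _sha1_hex(password)
    return digest[5:] in range_index.get(digest[:5], set())


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256: every guess must redo all iterations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def register(password: str, range_index, min_len: int = 12,
             iterations: int = PBKDF2_ITERATIONS) -> str:
    """Reject short or breached passwords; otherwise return the stored record."""
    if len(password) < min_len:
        raise ValueError("password too short")
    if is_breached(password, range_index):
        raise ValueError("password appears in breach data")
    return hash_password(password, iterations)
```

Note that the rule-mutated "P@ssw0rd!2025" is rejected by screening alone; the slow hash is what protects passwords that are merely uncommon rather than strong.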
flowchart LR
A[Captured password hash] --> B[Load wordlist<br/>rockyou.txt]
B --> C[Apply mangling rules<br/>leetspeak, suffixes, case]
C --> D[Hash each candidate<br/>with target's salt + algo]
D --> E{Digest matches?}
E -->|Yes| F[Password recovered]
E -->|No| G[Next candidate]
G --> C
● Examples
- 01: Cracking a leaked password database with rockyou.txt and Hashcat rule files.
- 02: Trying every word from a corporate-themed wordlist against a captured NTLM hash.
● Frequently asked questions
What is Dictionary Attack?
A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations. It belongs to the Attacks & Threats category of cybersecurity.
What does Dictionary Attack mean?
A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations.
How do you defend against Dictionary Attack?
Defences for Dictionary Attack combine technical controls and operational practices: salted, memory-hard password hashing (Argon2id, bcrypt, scrypt, or PBKDF2 with a high iteration count) to make each guess expensive, screening new passwords against breach data, long passphrases, rate limiting and account lockout, and MFA so a recovered password is not enough on its own. See the full definition above.
What are other names for Dictionary Attack?
Common alternative names include: Wordlist attack.