CyberGlossary

Attacks & Threats

Dictionary Attack

Also known as: Wordlist attack

Definition

A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations.

A dictionary attack narrows the search space of brute force by guessing only plausible candidates: common words, names, dates, leaked credentials, and rule-based mutations ("Password" → "P@ssw0rd!2025"). Modern password-cracking tools (Hashcat, John the Ripper) layer dictionaries, masks, hybrid rules, and Markov models against captured hashes to recover passwords orders of magnitude faster than pure brute force; against a fast unsalted hash such as MD5, SHA-1 or NTLM, a commodity GPU tests billions of candidates per second. Defences focus on the password-storage layer: salted, deliberately slow hashing with Argon2id or scrypt (both memory-hard), bcrypt, or PBKDF2 with a high iteration count, so that every guess costs the attacker roughly what a legitimate login costs the server and the salt prevents one computation from being reused across accounts; banning known-bad and breached passwords; encouraging long passphrases; and combining all of this with MFA. Where the guessing happens online against a login endpoint rather than offline against stolen hashes, rate limiting and account lockout apply as well.

Examples

  • Cracking a leaked password database with rockyou.txt and Hashcat rule files.
  • Trying every word from a corporate-themed wordlist against a captured NTLM hash.

Related terms