What is a dictionary attack?

What Is A Dictionary Attack? Brute Force Attacks

In case you’re wondering.. nope, it’s not your doggy tearing your dictionary to shreds! It’s actually geeky computer-speak for a method that’s often used by would-be hackers who are trying to break into a computer, server or website using a type of brute-force method. The phrase dictionary attack is aptly named because the hacker will try every word contained in the dictionary plus a whole host of other words/phrases that are carelessly used as passwords.

Doesn’t a dictionary attack take too long?

If you’re not concerned because you think this would take too long, think again. Your average hacker typically doesn’t sit in their bedroom clacking away at their keyboard for hours with a dictionary in their hand flicking the pages sequentially from A to Z. Instead, they normally use password-cracking software to automate the process.

What if my password isn’t in the dictionary?

If you think that just because you’ve added “123” on the end of your password, you’ll be safe; you probably won’t. There are literally thousands of variations run by the password-cracking software to deal with this. Similarly, if your password sort of spells a word that’s easy to remember but is alpha-numeric in nature, you can still fall foul of the dreaded password-cracking software. For example, if your name is Bobby and you want to use a password that’s easy to remember, you might use “8O88Y” as a password, because the 8 looks a bit like a capital B. You may substitute the number 0 for the letter O. If you currently do this, it’s time to change your password because much of the dictionary and brute force attacking software will try these variations too.

How to prevent a standard dictionary attack

In most cases, it’s fairly simple. If you want to add a layer of protection to your website (e.g. WordPress, Joomla, Drupal, etc.) there are extensions that can do this by limiting failed login attempts to a specific number; let’s say 5. After 5 failed password attempts, you’ll be prevented from trying again for a while. This is usually enough to put off a standard dictionary attack as the software will hit a wall, and most likely move on to another server to try afresh.

Server protection

If you run a server or you pay for hosting, you’ll most likely want to configure Fail2Ban. It does a similar job and it’s free. In most cases, it will prevent common brute-force, dictionary attacks by blocking the offending IP address that the attempted dictionary attack is coming from.

Should I be concerned?

If you install dictionary attack prevention software on your website or server and then see a ton of blocked or banned IP addresses in the list, it’s not normally something to be concerned about. These are extremely common, particularly with WordPress websites so you don’t need to panic. Just be safe in the knowledge that if you’ve chosen a strong password that has a combination of lower/uppercase letters together with numbers and symbols (e.g. %&@), you’ll be safe enough. Alternatively, if you’d like some help from a reliable digital marketing agency give us a call.