In a dictionary attack, attackers attempt to log in to a user account by trying a predefined list of likely passwords known as a “dictionary.” These passwords often include the most common password choices like 123456, password, qwerty, letmein, or slight variations on them.
Unlike more generic brute-force attacks, which attempt every possible combination of characters, a dictionary attack focuses on speed and efficiency by trying only high-probability candidates. The attacker chooses a single username (e.g., admin@example.com) and systematically cycles through password guesses from the list.
Why Dictionary Attacks Work
Despite years of security awareness campaigns, weak and reused passwords remain widespread. Just recently, attackers gained admin access to McDonald’s AI hiring chatbot by guessing the password “123456”—a reminder that dictionary attacks still work because someone always seems to “leave the front door unlocked.”
These tactics aren’t limited to outdated systems or careless users, either. The hacking group Scattered Spider – linked to breaches at companies like North Face and MGM – uses credential-based attacks as a core part of its strategy. Thus, even well-resourced companies are vulnerable when account hygiene breaks down: automated password guessing combined with known credential leaks is enough.
What Makes Dictionary Attacks Risky
Modern web apps usually enforce lockouts, throttling, or CAPTCHA after repeated failed logins, making brute-force attempts easier to catch. But attackers aren’t just testing Gmail or Okta logins. They’re going after overlooked systems like Remote Desktop Protocol (RDP) endpoints, legacy VPN portals, and webmail logins, which often operate outside centralized identity or monitoring tools.
These services are vulnerable for a few key reasons:
- Exposed to the public internet: RDP servers or VPN gateways are often directly accessible, offering a clear target surface. A quick Shodan scan can identify thousands of them.
- Weaker or inconsistent enforcement: Unlike modern SSO or IAM-managed apps, these systems may not enforce MFA, strong password policies, or account lockout thresholds.
- Legacy authentication protocols: Older VPNs and mail servers often support basic auth or unencrypted login methods, making them easier to brute-force or intercept.
- Separate logging and alerting: Failed logins on an RDP server might not trigger the same alerts as failed logins through the main identity provider—if they trigger anything at all.
For attackers, that’s the perfect setup: a login portal no one is watching closely, using passwords someone reused three years ago.
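The gap described above is a logging one: the standalone RDP or VPN host records the failures, but nothing turns them into an alert. The script below, added here as an illustration and not Bolster's product or code, shows the minimal detection a defender can run over such a log: it groups failed logins by account and source and flags any pair that exceeds a threshold inside a time window (the single-account, many-guesses pattern of a dictionary attack). For contrast it also flags the spraying pattern (one source, many accounts), which per-account lockouts alone miss. The log lines and their format (ISO timestamp, host, event name, key=value fields) are constructed for this example and are not any product's real format.

```python
"""Flag dictionary-attack patterns in authentication logs from a standalone
login service (an RDP gateway, VPN portal or webmail host that is not fed
into the central identity provider's alerting).

The log lines below are constructed for this example and the line format
(ISO timestamp, host, event name, key=value fields) is an assumption, not
any product's real format. Adapt LINE_RE to the service you actually run.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: 203.0.113.5 cycles passwords against "admin" on an RDP
# gateway; "alice" mistypes once then succeeds; 203.0.113.9 tries one guess
# each against several accounts (the spraying pattern, for contrast).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:02Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:03Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:04Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:05Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:06Z rdp-gw auth_failed user=admin src=203.0.113.5 reason=bad_password
2024-05-01T10:00:30Z rdp-gw auth_failed user=alice src=198.51.100.7 reason=bad_password
2024-05-01T10:00:31Z rdp-gw auth_ok user=alice src=198.51.100.7
2024-05-01T10:01:00Z rdp-gw auth_failed user=bob src=203.0.113.9 reason=bad_password
2024-05-01T10:01:01Z rdp-gw auth_failed user=carol src=203.0.113.9 reason=bad_password
2024-05-01T10:01:02Z rdp-gw auth_failed user=dave src=203.0.113.9 reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth_failed|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(log_text):
    """Parse matching lines into dicts; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_dictionary_attacks(events, window=timedelta(minutes=5), threshold=5):
    """Return {(user, src): peak_failures} for account/source pairs that
    accumulated at least `threshold` failed logins inside any `window`.
    Many failures against ONE account from one source is the dictionary
    attack signature: a fixed username and a cycling password list."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failed":
            failures[(e["user"], e["src"])].append(e["ts"])

    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def find_spraying(events, threshold=3):
    """Contrast pattern: one source failing against MANY distinct accounts
    (few guesses each). Per-account lockouts alone will not catch this."""
    users_per_src = defaultdict(set)
    for e in events:
        if e["event"] == "auth_failed":
            users_per_src[e["src"]].add(e["user"])
    return {src: len(u) for src, u in users_per_src.items() if len(u) >= threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (user, src), n in find_dictionary_attacks(evs).items():
        print(f"ALERT dictionary pattern: {n} failures for {user!r} from {src}")
    for src, n in find_spraying(evs).items():
        print(f"ALERT spraying pattern: {src} failed against {n} distinct accounts")
```

The threshold and window are the tuning knobs: a single user mistyping once (alice above) stays below them, while six failures in five seconds against admin does not. Run the same logic over the central identity provider's logs and the standalone hosts' logs together so that the "portal no one is watching" gets the same alerting as everything else.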
How to Defend Against Dictionary Attacks
Because dictionary attacks rely on common mistakes (like weak or reused passwords), most defenses are rooted in prevention. Here’s how to reduce your risk.
- Enforce Strong Password Policies: Require passwords that include a mix of characters, length, and unpredictability. Avoid known weak or leaked passwords.
- Use Multi-Factor Authentication (MFA): Even if a password is guessed, MFA can stop unauthorized access.
- Limit Login Attempts: Implement account lockouts or temporary bans after several failed logins.
- Monitor Login Activity: Track repeated failed login attempts for the same account and alert your security team.
- Block Known Attack Sources: Use IP blacklists or geo-blocking to stop repeated attempts from high-risk regions.
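The first and third items in that list (reject known-weak passwords, lock the account after repeated failures) are the two controls that directly break a dictionary attack, and they are cheap to implement in the login path itself. The code below is an added illustration, not Bolster's product or any real library's API: it checks new passwords against a deny-list of common choices and their trivial variations, stores them as salted PBKDF2 hashes compared in constant time, and locks the account after a fixed number of consecutive failures. The `demo()` function then runs a constructed wordlist against one account to show that the lockout stops the attack even when the correct password is later in the list. All names and the wordlist are made up for this example.

```python
"""A login path hardened against dictionary attacks: a deny-list for
common passwords (and trivial variations), a minimum length, salted
PBKDF2 storage with constant-time comparison, and a per-account lockout
after repeated failures.

Everything here is an added illustration; the class and function names are
made up for this example and the wordlist in demo() is constructed.
"""
import hashlib
import hmac
import os
import time

# Constructed deny-list; a real deployment would load a large breached-
# or common-password list instead of this handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "admin", "welcome"}


def password_is_acceptable(pw, min_length=12):
    """Return (ok, reason). Rejects short passwords, deny-listed ones, and
    deny-listed words padded with digits or punctuation ('password123!')."""
    if len(pw) < min_length:
        return False, "too short"
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on deny-list"
    if lowered.rstrip("0123456789!@#$") in COMMON_PASSWORDS:
        return False, "variation of a deny-listed password"
    return True, "ok"


class LoginService:
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so the lockout can be tested
        self.users = {}             # username -> (salt, pbkdf2 hash)
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> unix time the lock expires

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def register(self, user, pw):
        ok, reason = password_is_acceptable(pw)
        if not ok:
            raise ValueError(f"rejected password: {reason}")
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(pw, salt))

    def login(self, user, pw):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"          # do not even evaluate the guess
        # Hash even for unknown users so timing does not reveal valid names.
        salt, stored = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        ok = user in self.users and hmac.compare_digest(self._hash(pw, salt), stored)
        if ok:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        if n >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = n
        return "denied"


def demo():
    """Run a constructed wordlist against one account; return the per-guess
    outcomes and the result of a correct login after the lockout expires."""
    clock = [1_000_000.0]
    svc = LoginService(clock=lambda: clock[0])
    real_password = "correct horse battery staple!"
    svc.register("admin", real_password)

    # Constructed dictionary: common guesses followed by the real password.
    wordlist = ["123456", "password", "qwerty", "letmein", "admin",
                "welcome1", real_password]
    outcomes = [svc.login("admin", guess) for guess in wordlist]

    clock[0] += svc.lockout_seconds + 1     # wait out the lockout
    return outcomes, svc.login("admin", real_password)


if __name__ == "__main__":
    outcomes, after = demo()
    print("per-guess results:", outcomes)
    print("correct password after lockout expired:", after)
```

Two design points matter here. The lockout check happens before the guess is evaluated, so once the account is locked even the correct password returns "locked", which is exactly what defeats an attacker working down a list. And the deny-list check strips trailing digits and punctuation before comparing, so "password123!" is rejected along with "password"; the page's point that attackers try slight variations is why that normalisation is worth the extra line.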
Learn how password spraying compares, and why it’s harder to detect but just as dangerous.
Take Action
Stopping dictionary attacks starts with eliminating the easy guesses—these steps help you do that.
If you’re managing authentication for a business or organization:
- Audit your login systems for brute-force protection.
- Check whether common accounts (like admin, support, info) are exposed to external login.
- Make sure MFA is enforced for all user accounts—not just executives.
If you’re an individual user:
- Use a password manager to generate and store complex passwords.
- Never reuse passwords across sites.
- Turn on MFA wherever it’s available.
Bolster offers an extensive monitoring capability that helps detect dictionary attacks and many other threats to your IT security, eliminating the need for trust & safety professionals to spend hours researching, analyzing, and documenting issues. To learn more, contact us for a demo.