Published in Security, Tips and Advice

Dictionary Attacks: What They Are and How to Avoid Them


Given how easily sensitive information can be exploited for nefarious purposes, like data theft and financial fraud, it’s no wonder that hackers remain a constant threat, targeting personal users, businesses and organizations.

Cyber criminals are always developing and evolving their brute force methods, including the notoriously effective dictionary attack, to gain unauthorized access to online accounts.

But what exactly are dictionary attacks, how do they work, and what can you do to safeguard your priceless personal data against them?

What Are Dictionary Attacks?

A dictionary attack is a type of brute force attack used by hackers that attempts to guess passwords for online accounts, like email and social media platforms, as well as for password-protected networks, documents and files.

This systematic hacking method can breach accounts by running through a ‘dictionary file’ containing a pre-made list of words, phrases, simple variations/number combinations, and commonly known passwords (seized from leaked password libraries); some also have character replacement capabilities.

Hackers of course carry out these attacks to expose – and often exploit – the unfortunate victim’s sensitive data, which could include their name, address, contact number, email address and financial details.

Stolen data can in turn lead to phishing attacks (by email, social media, calls and texts), further account compromises (if the same password has been reused elsewhere), financial fraud, and even identity theft.

How Do Dictionary Attacks Work?

Dictionary attacks tend to be most successful against targets with weak passwords (the short/common/predictable kind) for their accounts, leaving their personal data significantly more susceptible to hacking.

To launch an attack, dictionary attack orchestrators will typically follow these fundamental steps:

  • Wide/Narrow Target Focus: While dictionary attacks typically target a broad range of random people, a hacker could also choose a more focused approach, homing in on specific locations, businesses and organizations
  • Dictionary Attack List: This involves the creation, or perhaps downloading, of a password dictionary featuring a huge word list (stacked with common words, phrases, passwords and numbers, etc); if the attack has a narrower focus, such as a specific geographical location, the dictionary may feature specific meaningful words to people of that area, like a popular sports team or celebrity
  • Dictionary Attack Execution: The hacker’s automated software runs the dictionary attack by using the extensive word list against the target, testing each entry one-by-one in search of a potential match
  • Match Found/Failure: A positive match will enable the hacker to crack the password and gain unauthorized access to the victim’s data, likely for malicious purposes such as financial theft, data exposure or blackmail; a match failure will of course keep the hacker locked out

Some of the most highly effective and successful automated software used by dictionary attack hackers includes tools like ‘John the Ripper’, ‘Hydra’, ‘Aircrack-ng’ and ‘Medusa’.

Dictionary Attack or Brute Force Attack?

Before we explore several ways to prevent a dictionary attack from breaching your accounts, let’s firstly identify how it differs from the similar brute force attack:

Dictionary Attacks

Dictionary attacks share the same goal as the brute force variety, but tend to be more effective at cracking weak passwords – or at least having the potential to crack them significantly quicker (sometimes within 24 hours).

This is because, unlike brute force tools that try every possible permutation (more on that below), dictionary attacks concentrate their focus by running a pre-built word list (filled with common passwords and phrases, etc, and even geo-specific/customized words like city names and sports teams).

Although success is never guaranteed, the fact that dictionary attacks are based on anticipating human behaviour (some people still choosing simple passwords over more complex ones) makes them more likely to predict weak passwords.

Brute Force Attacks

Unlike dictionary attacks, the brute force variety typically employs a far more extensive approach: instead of running through a pre-built word list, brute force tools try every possible character combination in search of a password match.

For instance, a brute force tool (set to a ten-character, letters-only match) would begin with the character ‘a’, and then exhaustively work itself through every letter combination – switching out one at a time – until it reaches the end of the alphabet, concluding at ‘zzzzzzzzzz’.

While a brute force attack’s extensive approach often leads to time-consuming operations (lasting days to months), it’s more effective at cracking complex/random passwords; on the flipside, it can be less effective at guessing common weak passwords since it isn’t programmed to specifically find them.
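To make the two search spaces above concrete, here is a small defensive check, added as an example and not code from the article: it expands a constructed word list with the character-replacement and suffix rules that dictionary tools apply, tests whether a candidate password falls inside that space (the kind of check a password policy or manager would run), and compares the size of that space with the 26^10 exhaustive search from the ten-character, letters-only example. The word list, substitution table and suffixes are assumptions and deliberately tiny.

```python
"""Defensive password check against a dictionary-style search space.
Added example; word list and rules are constructed, not from any real tool."""
import itertools

# Constructed sample entries of the kind a leaked-password list contains.
BASE_WORDS = ["password", "mypassword", "welcome", "liverpool", "qwerty"]

# Character-replacement rules of the sort the article mentions.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}
# Common suffixes that such tools append to base words.
SUFFIXES = ["", "1", "123", "!", "2024"]


def mangle(word):
    """Yield the variants of one word that a dictionary tool would try:
    every subset of substitutions, three casings, every suffix."""
    keys = list(SUBSTITUTIONS)
    for n in range(len(keys) + 1):
        for subset in itertools.combinations(keys, n):
            variant = word
            for k in subset:
                variant = variant.replace(k, SUBSTITUTIONS[k])
            for cased in {variant, variant.capitalize(), variant.upper()}:
                for suffix in SUFFIXES:
                    yield cased + suffix


def build_candidates(words=BASE_WORDS):
    """Expand the whole word list into the candidate set a tool would test."""
    return {v for w in words for v in mangle(w)}


def in_dictionary_space(password, candidates=None):
    """True if this password would fall to the constructed dictionary attack."""
    if candidates is None:
        candidates = build_candidates()
    return password in candidates


def brute_force_keyspace(length, alphabet_size=26):
    """Guesses an exhaustive search needs, e.g. 26**10 for ten lowercase letters."""
    return alphabet_size ** length


if __name__ == "__main__":
    cands = build_candidates()
    print(len(cands), "dictionary candidates vs", brute_force_keyspace(10), "brute-force guesses")
    for pw in ["mypassword123", "P@55w0rd!", "why i5 my C@T 5o grumpy"]:
        verdict = "in dictionary space" if in_dictionary_space(pw, cands) else "not in this space"
        print(f"{pw!r}: {verdict}")
```

The point the output makes is that 'mypassword123' and even 'P@55w0rd!' sit inside a candidate set of a few thousand entries, while the passphrase does not, and that the whole dictionary space is a tiny fraction of the brute-force keyspace.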

How to Avoid Dictionary Attacks

Although dictionary attacks seem likely to remain a consistent cyber security concern, the good news is that everyone can easily bolster the security of their online accounts. 

Here are several key preventative steps you can take to avoid becoming the victim of hackers’ dictionary attacks:

  • Keep Passwords Updated: Stop your various passwords from becoming stale by regularly changing them
  • Never Share Login Info: Unless warranted in exceptional situations, ensure that your logins remain private
  • Create Strong Passwords: Ensure that your passwords are strong and unique by implementing some complexity and randomness (at least 12 characters, with a mixture of letters, capitalization, numbers and symbols, etc); avoid short, predictable passwords like ‘mypassword123’
  • Don’t Use Repeat Passwords: Avoid using the same password over and over – as hackers will often try one set of cracked logins against further accounts
  • Consider Using Passphrases: You could also try making the switch to using passphrases, which are essentially longer yet more memorable passwords; for instance, something like ‘why i5 my C@T 5o grumpy’
  • Use Two-Factor Authentication: Commonly referred to as 2FA, two-factor authentication bolsters account security by adding another layer of protection; for instance, once activated, logins will now require a texted/emailed one-time passcode to be entered for identity verification
  • Use Authentication Apps: Similarly, you can use authentication apps to generate one-time passcodes (which usually expire after 30 seconds) when logging into your accounts; these apps, like Google Authenticator and Authy, can be easily downloaded to mobile devices
  • Use Biometric Security: You can implement biometric security features – further forms of 2FA which are incredibly difficult for hackers to impersonate – including facial and fingerprint recognition
  • Add Security Questions: Although login security questions arguably pale against more modern 2FA measures like one-time passcodes (see above), they could still prove useful against hackers
  • Avoid Public WiFi: Public WiFi hotspots, found in places like airports and cafes, are often unsecured and therefore considered notoriously unsafe; with cyber criminals capable of capturing browsing activity over these security feature-lacking connections, it’s best practice to try and avoid them altogether
  • Use a VPN: If you have no other choice but to use public WiFi, or simply want the freedom to surf anonymously, you can use a VPN service, such as Total VPN, to encrypt your connection (which masks your IP address and data traffic), guarding your sensitive info from snooping threats
  • Limit Login Attempts: Some platforms allow automatic account lockouts after too many failed logins; this can help to fend off hackers (with an inconvenient, temporary lockout time imposed), but do bear in mind that you could also be locked out if you exceed the limit
  • Login Resets: As dictionary attacks usually involve repeated login attempts, it could be wise to set up forced password resets (locking your accounts once the attempt limit is reached); this security feature may not be provided by all platforms
  • Don’t Ignore Activity Alerts: If a platform provider warns you of suspicious account activity (by notification, email or text), follow it up to check that no unauthorized access has occurred; ensure that you adopt best practices to avoid phishing scams, however (as fraudsters, impersonating trusted companies, can mimic these kinds of alerts)
  • Use a Password Manager: With dictionary attack hackers always on the hunt for vulnerable accounts, there’s never been a better time to level-up your cyber security game; password manager apps, like Total Password, can generate strong passwords for you, store them in a secure, master password-protected vault (so you’ll never forget them), and provide one-click logins for instant access to your numerous accounts
  • Use Antivirus Apps: Moreover, don’t underestimate the power of antivirus software when it comes to shielding your priceless personal data; TotalAV, our Award-Winning antivirus app, can alert you to dubious content lurking online and on your devices, such as spoof websites and malicious software, like keystroke malware, which can capture your logins and other sensitive data
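The "Limit Login Attempts" and "Login Resets" points above describe a server-side control; the following is an added example of such a throttle (not the article's or TotalAV's code) that counts failed logins per account inside a sliding window and imposes a temporary lockout once the limit is hit. The thresholds, the in-memory store and the injectable clock are assumptions, and the password comparison stands in for a real hash verification.

```python
"""Sliding-window failed-login throttle with temporary lockout.
Added example; thresholds and in-memory storage are assumptions."""
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60    # window over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> lockout expiry

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                       # drop failures outside the window

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        """Log one failed attempt; returns True if it triggered a lockout."""
        now = self._clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password, real_password):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the
    password so guessing cannot continue during the lockout; a legitimate
    user who exceeds the limit must wait too, the trade-off noted above."""
    if throttle.is_locked(account):
        return "locked"
    if hmac.compare_digest(password.encode(), real_password.encode()):
        throttle.record_success(account)      # placeholder for hash verification
        return "ok"
    throttle.record_failure(account)
    return "denied"
```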