Brute-force and dictionary attacks are both cybersecurity attacks in which the attacker attempts to log into an account by trying different passwords until the correct one is found. These common attacks often succeed because many users rely on minor variations of a few well-known passwords. Rather than simply entering random strings of characters, brute-force and dictionary attacks each follow a systematic approach to choosing guesses.
These attacks are also popular because, once attackers have the correct password for an account, they can log in like any other user. No additional exploitation is necessary, and the access controls that depend on authentication are bypassed. A successful brute-force or dictionary attack is particularly rewarding for the attacker when the compromised account belongs to a system administrator, since that account has greater privileges than an ordinary user account.
Brute-force attacks try every possible combination of characters in the keyspace to identify the correct password for a user's account. Attackers typically use software to automatically test the large number of candidate passwords that this type of attack requires. Virtually all organizations have rules for their passwords, and attackers incorporate those rules into the attack by ensuring that the passwords they try meet the same criteria, so that no time is wasted on candidates the system would never have accepted.
A brute-force attack will eventually succeed given enough time, assuming the target system doesn't employ appropriate countermeasures. The critical issue is whether the attack will succeed quickly enough to make it worthwhile, which depends on the number of possible combinations. A four-digit PIN contains only numbers, so it has only 10,000 possible combinations. A standard eight-character password has over 2.8 trillion possible combinations, even if it contains only alphanumeric characters.
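The keyspace arithmetic behind those two figures, as an added example that is not part of the original article. It computes the number of candidates for a given character-set size and length and the worst-case time to try them all at a given guess rate, optionally with a server-imposed delay per attempt and a number of parallel attempt streams; the guess rate and the 32-symbol punctuation set are assumptions used for illustration. Note that the article's "over 2.8 trillion" figure corresponds to a 36-character alphabet (lowercase letters plus digits); a case-sensitive alphanumeric set of 62 characters gives about 218 trillion.

```python
"""Keyspace size and worst-case exhaustive-search time.

Added example, not part of the original article. The guess rates are
constructed numbers for illustration, not measurements of any real system.
"""

# Character-class sizes (assumption: ASCII digits, letters and the 32
# printable ASCII punctuation characters).
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Strings of length 1..max_length: what an attacker who does not know
    the exact length must cover."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(keyspace: int, guesses_per_second: float,
                       per_attempt_delay: float = 0.0,
                       parallelism: int = 1) -> float:
    """Worst-case seconds to try every candidate.

    Each attempt costs 1/guesses_per_second plus any delay the server imposes
    before answering; `parallelism` independent streams divide the total.
    """
    per_attempt = 1.0 / guesses_per_second + per_attempt_delay
    return keyspace * per_attempt / parallelism


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit (for the demo output)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    cases = {
        "4-digit PIN": keyspace_size(DIGITS, 4),                       # 10,000
        "8 chars, lowercase+digits": keyspace_size(DIGITS + LOWER, 8),  # ~2.8 trillion
        "8 chars, mixed case+digits": keyspace_size(DIGITS + LOWER + UPPER, 8),
        "8 chars, all printable": keyspace_size(DIGITS + LOWER + UPPER + SYMBOLS, 8),
    }
    # Constructed rate: a fast offline guesser versus the same guesser held to
    # a 1-second server delay per attempt with a single connection.
    for name, ks in cases.items():
        fast = human(seconds_to_exhaust(ks, 1e9))
        delayed = human(seconds_to_exhaust(ks, 1e9, per_attempt_delay=1.0))
        print(f"{name}: {ks:,} candidates; {fast} at 1e9/s, {delayed} with a 1 s delay")
```

The delay parameter is the lever the defender actually controls: the keyspace is fixed by the password policy, but the per-attempt cost and the number of streams an attacker can run against one account are decided by the login service.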
A dictionary attack is one in which the attacker has a list, or dictionary, of words and phrases that members of the target organization commonly use as passwords. The attacker then tries the dictionary entries and their variations as password guesses, rather than randomly generated strings.
Dictionary attacks are best suited to systems with weak password rules, especially those that allow passwords to be actual words. However, most systems today require strong passwords that contain numerals and special characters. In addition, modern systems also prohibit common passwords such as "password", "123456" and "letmein".
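A password-policy check of the kind the paragraph describes, as an added example that is not the article's own code. Besides the character-class rules and a blocklist of common passwords, it normalizes a candidate by stripping a trailing run of digits or symbols and undoing common letter substitutions, so that cosmetic variations of a dictionary word ("Dr4g0n!!2019") are rejected along with the word itself. The word list, blocklist, minimum length and substitution table are constructed for illustration; a deployment would use a large breached-password corpus and a real dictionary.

```python
"""Password policy check that rejects dictionary words and common passwords.

Added example, not the article's own code. The word lists below are
constructed stand-ins for real corpora.
"""
import re
import string

# Constructed sample lists (assumption: stand-ins for a breached-password
# list and a natural-language dictionary).
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "welcome"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "welcome", "company"}

# Substitutions users commonly apply to make a word look stronger (assumption).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumption: the policy's minimum length


def normalize(candidate: str) -> str:
    """Reduce a candidate to the word it was probably built from.

    Strips a trailing run of digits/symbols ("2024!"), lowercases, and maps
    leet-style substitutions back to letters. Only trailing decoration is
    handled; this is deliberately a minimal normalizer.
    """
    base = re.sub(r"[\W\d_]+$", "", candidate)
    return base.lower().translate(_LEET)


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    base = normalize(candidate)
    if base and (base in COMMON_PASSWORDS or base in DICTIONARY_WORDS):
        problems.append(f"a variation of the word '{base}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first three are variations an attacker's
    # dictionary rules would cover; the last is a passphrase with no base word.
    for pw in ("123456", "P@ssw0rd2024!", "Dr4g0n!!2019",
               "correct horse battery staple 7!"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The point of the normalization step is that a rule such as "must contain a numeral and a symbol" is satisfied by "P@ssw0rd2024!", yet that string is exactly the kind of variation a dictionary attack generates from "password"; checking the normalized form catches it where the character-class rules alone do not.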
The most effective defense against a brute-force or dictionary attack is to lock the account after a certain number of consecutive unsuccessful attempts. Some systems also implement additional measures when a user repeatedly fails to log in. For example, an iPhone can be set to wipe all of its data after 10 failed attempts.
An administrator can also increase the time needed to log in while ensuring that authorized users aren't significantly inconvenienced. For example, a delay of 1 second is unlikely to bother a user, but it quickly becomes significant over the many attempts a brute-force attack requires. This countermeasure is particularly effective when the attacker is unable to run multiple attempts simultaneously, a tactic known as parallelizing the attack.
Another possible response to multiple failed logins is to require a CAPTCHA, a challenge-response test designed to determine whether the login attempts are coming from a human user. In addition to identifying automated attempts, CAPTCHAs also significantly slow down brute-force attacks.
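The three countermeasures above (a per-attempt delay, a CAPTCHA requirement, and an account lockout) combined into one throttling policy, as an added example that is not the article's own code. The back-off is enforced server-side by recording when the account's next attempt is allowed, so an attacker opening many parallel connections to the same account cannot skip it; a correct login clears the counters. The thresholds, back-off schedule and event sequence are assumptions chosen to illustrate the policy, and timestamps are passed in explicitly so the logic runs without sleeping.

```python
"""Failed-login throttling: progressive delay, CAPTCHA challenge, then lockout.

Added example, not the article's own code. Thresholds are assumptions chosen
to illustrate the policy; `now` is a timestamp supplied by the caller.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # process the attempt now
    DELAY = "delay"      # refuse: the account's back-off period has not elapsed
    CAPTCHA = "captcha"  # process only together with a solved challenge
    LOCKED = "locked"    # refuse until the lockout expires


@dataclass
class Verdict:
    decision: Decision
    wait_seconds: float = 0.0   # remaining wait for DELAY / LOCKED


@dataclass
class AccountState:
    failures: int = 0           # consecutive failures since the last success
    next_allowed_at: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account policy evaluated before the password is even checked."""

    def __init__(self, captcha_after: int = 3, lock_after: int = 10,
                 lock_seconds: float = 900.0, base_delay: float = 1.0,
                 max_delay: float = 30.0) -> None:
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def check(self, username: str, now: float) -> Verdict:
        """Decide how an incoming attempt on `username` is treated."""
        st = self._state(username)
        if now < st.locked_until:
            return Verdict(Decision.LOCKED, st.locked_until - now)
        if now < st.next_allowed_at:
            # Enforced here, not by the client, so parallel connections to the
            # same account gain nothing.
            return Verdict(Decision.DELAY, st.next_allowed_at - now)
        if st.failures >= self.captcha_after:
            return Verdict(Decision.CAPTCHA)
        return Verdict(Decision.ALLOW)

    def record_failure(self, username: str, now: float) -> AccountState:
        """Count a wrong password: double the back-off, lock at the threshold."""
        st = self._state(username)
        st.failures += 1
        backoff = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed_at = now + backoff
        if st.failures >= self.lock_after:
            st.locked_until = now + self.lock_seconds
        return st

    def record_success(self, username: str) -> None:
        """A correct password (plus CAPTCHA, if required) clears the counters."""
        self._accounts.pop(username, None)


def replay(throttle: LoginThrottle, events: list[tuple[float, str]],
           username: str = "alice") -> list[Verdict]:
    """Run a constructed sequence of (time, 'check'|'fail'|'success') events
    and return the verdict of every 'check'."""
    verdicts = []
    for now, event in events:
        if event == "check":
            verdicts.append(throttle.check(username, now))
        elif event == "fail":
            throttle.record_failure(username, now)
        elif event == "success":
            throttle.record_success(username)
    return verdicts


if __name__ == "__main__":
    # Constructed sequence: repeated failures on one account, then a success.
    t = LoginThrottle(captcha_after=3, lock_after=5, lock_seconds=600.0)
    script = [(0.0, "check"), (0.0, "fail"), (0.5, "check"), (1.0, "check"),
              (1.0, "fail"), (3.0, "fail"), (7.0, "check"), (7.0, "fail"),
              (15.0, "fail"), (100.0, "check"), (615.0, "check"),
              (615.0, "success"), (616.0, "check")]
    for v in replay(t, script):
        print(f"{v.decision.value:8s} wait={v.wait_seconds:g}s")
```

Two design points worth noting: the verdict is computed before the password is verified, so a locked or delayed attempt never reaches the credential store at all, and the lockout is bounded in time rather than permanent, which limits the denial-of-service an attacker could otherwise cause by deliberately failing logins against a victim's account.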