
What is a Brute-Force or Dictionary Attack?



Tired of being told your password isn’t complex enough, long enough, random enough, or unique enough? Yeah, damn that Security Team of “password perfectionists”; our choice of passwords never seems good enough for them.


Fortunately, they’re only trying to protect us and our systems against common “brute-force attacks” and “dictionary attacks” - both popular methods attackers use to try to log in to your account by systematically trying possible passwords and passphrases until the correct one is found.


How are these conducted?

Both types of attacks are conducted using automated software programmes specifically designed for this purpose, which can try thousands of words per minute.


Brute-force attacks involve repeated login attempts using every possible combination of letters, numbers, and other characters to guess a password. Dictionary attacks, by contrast, are guessing attacks that use a pre-compiled list of candidates. Rather than trying every combination, a dictionary attack only tries complete candidates that are likely to work. Commonly used password lists, famous names, pet names, movie or television characters, and other words can all be part of a dictionary list.


Who are the targets of these attacks?

The ideal targets of a dictionary attack are typically users who choose weak, easily guessable passwords, such as "password" or "1234", or those who re-use passwords across different accounts.


These types of attacks are particularly effective against users who use short passwords or commonly used phrases as their passwords, as these can be easily found in a dictionary or on the Internet. If your password is commonly used or has been on another website that has been hacked, there is a good chance that it is on a password list in the hands of the hackers.


What happens if your account is breached?

MAYDAY! If your account is hacked, it means that an unauthorised person has gained access to your personal information or finances and can potentially use it for malicious purposes. Depending on the type of account that has been compromised, the hacker may be able to access sensitive information such as your personal contacts and financial information, or even steal your identity.


With access to your email or social media account, hackers may send spam or phishing messages to your contacts. If they get into your financial accounts, they could make unauthorised transactions or steal your money. A hacker with access to your personal information could use it to open new accounts in your name or apply for credit cards or loans.


In addition to the above, your hacked account can also be used to launch cyber attacks on other systems or to gain access to other online accounts.


It's important to take steps to secure your accounts and to monitor them regularly for any suspicious activity.


How do you protect yourself?

Dictionary and brute-force attacks are not limited to online attacks; they can also be carried out offline. The steps below help protect against both:


Configure your account settings so that the account is locked after a maximum number of failed authentication attempts.

Use multi-factor authentication to log in to your accounts.

Use a strong, unique password for every online account.

Check haveibeenpwned.com to see if your credentials have been leaked.

Use a password manager that generates and stores complex, unique passwords for each account.

Overall, brute-force and dictionary attacks are common and potentially dangerous methods of breaking into computer systems, but they can be effectively mitigated through the use of strong, unique passwords and two-factor authentication.
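As an added example (not code from the original post), the account-lockout step above implemented as a small Python check replayed over constructed, sshd-style log lines: five failures within ten minutes lock the account, and a later correct password is rejected until the lock is lifted. The log format, sample data, threshold and window are assumptions chosen for the example.

```python
# Added example, not code from the original post: an account-lockout check
# run over constructed, sshd-style log lines (format and data are assumptions).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: five quick failures on "alice", then the correct
# password; two failures on "bob" spread 25 minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 Failed password for alice from 203.0.113.5
2024-03-01T10:00:03 Failed password for alice from 203.0.113.5
2024-03-01T10:00:04 Failed password for alice from 203.0.113.5
2024-03-01T10:00:06 Failed password for alice from 203.0.113.5
2024-03-01T10:00:07 Failed password for alice from 203.0.113.5
2024-03-01T10:00:09 Accepted password for alice from 203.0.113.5
2024-03-01T10:05:00 Failed password for bob from 198.51.100.7
2024-03-01T10:30:00 Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")
MAX_ATTEMPTS = 5                 # lock after this many failures ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window

def evaluate(log_text, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Replay the log and apply the lockout policy.
    Returns (locked, rejected): locked maps account -> lockout time; rejected
    lists (time, account) for every login after the lock, even an "Accepted"
    one, since a correct guess is useless once the attempt limit is reached."""
    failures = defaultdict(deque)   # account -> recent failure timestamps
    locked, rejected = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not login events
        stamp, outcome, user, _ip = m.groups()
        ts = datetime.fromisoformat(stamp)
        if user in locked:
            rejected.append((ts, user))
            continue
        if outcome == "Failed":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_attempts:
                locked[user] = ts
        else:
            failures[user].clear()  # successful login resets the counter
    return locked, rejected
```

Bob's two failures fall outside the window, so he is never locked, which is the trade-off of windowed lockout: a slow, patient guessing attempt stays under the threshold and has to be caught by the other steps (MFA, strong unique passwords).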



GoldPhish educates end-users on the cyber threat and helps build more secure organisations with awareness training and simulated phishing.


Get in touch for more information: info@goldphish.com
