
A dictionary attack is a common brute force way of achieving a goal. The goal of a dictionary attack might range from compromising your system to simply sending spam.

My system administrator has my server locked down really tight so that I wouldn't be vulnerable to what he called "dictionary attacks". However this weekend he said that my server was being impacted by exactly that - a dictionary attack. Was he lying, or am I misunderstanding something? What's a dictionary attack?

I doubt that your system administrator was lying. (OK, I'll come clean - I'm the system administrator in this case, and the question came from one of my clients.)

There's definitely a little confusion as to what constitutes a dictionary attack - not so much about the technique, but all the different places that the technique might be applied.

First let's define the term: a dictionary attack is an attempt to thwart security by simply trying lots of common words, login names or passwords until one works. It sounds very tedious, and in fact it is - but that's exactly what computers are good at. Give them a list of words (a dictionary), and a program to try them all, and a computer will happily whack away at it until something works.

That's one of the reasons we harp on secure passwords - you'd be surprised at how many passwords can be "guessed" by a dictionary attack that does nothing more than try pairs of words out of an actual dictionary, combined together.

The confusion is that "dictionary attack" is nothing more than a technique. There are many places this technique can be used.

The most obvious is, as I've mentioned, attempting to log in to a computer or on-line service. A dictionary attack will try lots of common user names, and lots of common passwords, in rapid succession. User names are actually the easier part - we all seem to want to use our first name. Again, that's why strong passwords are such a must.

For "FTP" style access (or rather, SFTP - 'secure' FTP), servers can be configured to require a different type of authentication using cryptography that prevents even the correct user name and password combination from working. This effectively stops dictionary attacks against sftp access from ever possibly working. I'll bet that's exactly what your system administrator has done for you.

But "login" access isn't the only place that intruders might attempt to compromise or misuse your system. Consider for a moment, spam.

There are several techniques that spammers use to target their messages. We've talked about how they harvest email addresses from web pages, for example. Another, though, is in fact a type of dictionary attack.


Domain names (the part after the "@" in an email name) are public record. It's not hard at all to see what domain names are taken and in many cases, even verify that they have some kind of email associated with them.

Spammers then just crank up their spam sending machine with a list - a dictionary - of common account names and start sending email to all the addresses that result, whether or not those recipients actually exist. It actually doesn't matter that most might not, because a few will. And for those few, the spam will have made it through, and made the exercise worthwhile.

Let's look at an example - "askleo.info" doesn't actually have email associated with it, but if it did, spammers might start sending spam to peter@askleo.info, paul@askleo.info, mary@askleo.info, leo@askleo.info, tom@askleo.info, dick@askleo.info, support@askleo.info, and so on. They'll just run through thousands and thousands of possible email addresses in the hopes that one or two will work. And in the list above -- well, all things considered, it seems likely that "leo@askleo.info" might well work, were I to set up email on that domain. So out of the 7 attempts in that short list, 1 might actually have gotten through.

While that's still a dictionary attack, it's an attack on a different interface. Rather than attacking your system's login in an attempt to gain access, this is an attack against your email domain in an attempt to deliver spam. And the tools to deal with it are, naturally, quite different. The lockdown that protects your login doesn't apply to email delivery. And the changes to minimize the impact of email attacks don't help against login attacks.
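Because the email variant shows up on the mail server rather than at the login prompt, it is detected from the mail log. The following is an added example (not part of the original article): it scans constructed log lines, written loosely in the style of a mail server's "User unknown" rejections, and flags any client that probed many distinct non-existent addresses in the way described above. The IP addresses, threshold and function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real server), loosely in the style of a
# Postfix smtpd "User unknown" rejection. Recipients are the ones the article
# lists; 203.0.113.5 plays the spammer, 198.51.100.9 a legitimate sender that
# made one typo. These names and thresholds are this example's own.
SAMPLE_LOG = """\
Aug  7 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <peter@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <paul@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <mary@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:01:03 mx postfix/smtpd[1234]: 3F2A1B: from=<news@example.net>, size=2048, nrcpt=1 (queue active)
Aug  7 10:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <tom@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dick@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <support@askleo.info>: Recipient address rejected: User unknown in local recipient table
Aug  7 10:02:10 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.9]: 550 5.1.1 <leoo@askleo.info>: Recipient address rejected: User unknown in local recipient table
"""

# One rejection line -> (client IP, rejected recipient address).
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct non-existent addresses it tried."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            tried[m.group("ip")].add(m.group("rcpt").lower())
    return tried

def dictionary_spam_clients(log_text, threshold=5):
    """Clients that probed at least `threshold` distinct unknown addresses.

    A real correspondent mistypes one address; a dictionary run walks through
    many. Returns {ip: number_of_distinct_unknown_recipients}."""
    return {ip: len(rcpts)
            for ip, rcpts in unknown_recipients_by_client(log_text).items()
            if len(rcpts) >= threshold}

if __name__ == "__main__":
    for ip, n in dictionary_spam_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct unknown recipients - likely dictionary attack")
```

Counting distinct rejected recipients rather than raw rejections is what separates the spammer from the legitimate sender who fat-fingered one address; the output of a check like this is what feeds a per-client rate limit or block on the mail side, which, as the article notes, is a separate control from the login lockdown.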

Web forms - web pages where you fill in information to log in or perform some action - are subject to these attacks as well. That's why most will place a limit on the number of times you can fail, after which they lock you out for a while; this stops automated tools from using a brute force dictionary attack to gain access to the account.
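The failure limit just described is simple to implement. The following is an added example (not code from the original article or from any particular site): a per-account counter that refuses further attempts for a fixed period once the limit is reached, even if the correct password is then offered. The class and method names, the limit of five failures and the fifteen-minute lockout are assumptions of this example; the clock is passed in so the behaviour can be tested without waiting.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-account failure counter with a temporary lockout, as the article
    describes: after max_failures bad attempts the account is refused for
    lockout_seconds, whatever password is offered. Names and defaults are
    this example's own assumptions."""
    max_failures: int = 5
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> time lockout ends

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'fail'. `now` is the current time in
        seconds, injected by the caller so tests do not have to sleep."""
        if self._locked_until.get(user, 0) > now:
            # Still locked out: the password is not even checked, so a
            # dictionary run cannot learn anything during this window.
            return "locked"
        if password_ok:
            # A successful login clears any failure history.
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)   # counter restarts after the lockout
            return "locked"
        return "fail"

def guesses_before_lockout(throttle: LoginThrottle, user: str) -> int:
    """How many wrong guesses a tool gets at `user` before being shut out.
    Uses a fresh, unlocked account starting at time 0, one guess per second."""
    count = 0
    while throttle.attempt(user, False, now=count) == "fail":
        count += 1
    return count + 1   # the attempt that triggered the lockout also failed
```

A lockout of this kind also lets anyone who knows a user name lock that user out on purpose, so real sites usually pair it with per-source rate limits and a slow-down (rather than a hard lock) for the legitimate user.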

Article C2747 - August 7, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.
