Definition
Dictionary Attack
A dictionary attack is a password recovery attack that tries passwords drawn from a precompiled list of likely candidates, called a dictionary.
Unlike a brute-force attack, it does not enumerate the entire search space; it exploits the tendency of users to choose predictable passwords.
Variants
Pure Dictionary Attack
Each entry in the dictionary is tested exactly as listed.
Rule-Based Dictionary Attack
Entries are first transformed by a set of rules — appending digits, substituting characters, changing case — before testing. This extends the effective dictionary with little extra storage.
Comparison
| Attack | Search Space | Time | Memory |
|---|---|---|---|
| Dictionary | size of dictionary | fast | low |
| Brute-force | entire key/password space | slow | low |
| Rainbow table | precomputed chains | very fast (online phase) | high |
Defence
Salting
A salt is a random value stored alongside each hash and mixed into the hash computation. It ensures that identical passwords yield distinct hashes, so a precomputed dictionary of hashes (or a rainbow table) cannot be reused across accounts; each salted hash must be attacked separately.
Key Stretching
Key stretching (iterating a hash many times, or using a deliberately slow password-hashing function such as PBKDF2, bcrypt, or Argon2) reduces the rate at which an attacker can test candidates, which shrinks the number of dictionary entries that can be tried in a given time.
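Both defences shown together in an added example (not part of this definition page): a per-password random salt and PBKDF2 key stretching via Python's standard `hashlib`. The `pbkdf2_sha256$iterations$salt$hash` record layout and the function names are conventions chosen for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Stored record layout (constructed for this example, not a standard):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record holding the salt, the cost and the stretched hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt: the same password yields a different record each time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def candidates_per_second(iterations: int, sample: int = 5) -> float:
    """Rough rate at which one core can test guesses against a record of the given cost.
    Higher iteration counts directly throttle how much of a dictionary can be tried."""
    record = hash_password("measurement-only", iterations=iterations)
    start = time.perf_counter()
    for _ in range(sample):
        verify_password("wrong-guess", record)
    elapsed = time.perf_counter() - start
    return sample / max(elapsed, 1e-9)


if __name__ == "__main__":
    r1 = hash_password("password123", iterations=10_000)
    r2 = hash_password("password123", iterations=10_000)
    print("same password, distinct records:", r1 != r2)   # salting
    print("verify correct:", verify_password("password123", r1))
    print("verify wrong:  ", verify_password("letmein", r1))
    for n in (1, 1_000, 100_000):                          # key stretching
        print(f"{n:>7} iterations: ~{candidates_per_second(n):,.0f} guesses/s")
```

The last loop makes the cost of key stretching visible: the guesses-per-second figure drops roughly in proportion to the iteration count, which is the effect the Key Stretching entry describes.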