 - A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.
Dictionary attacks work because many computer users and businesses insist on using ordinary words as passwords. Dictionary attacks are rarely successful against systems that employ multiple-word phrases, and unsuccessful against systems that employ random combinations of uppercase and lowercase letters mixed up with numerals. In those systems, the brute-force method of attack (in which every possible combination of characters and spaces is tried up to a certain maximum length) can sometimes be effective, although this approach can take a long time to produce results.
Vulnerability to password or decryption-key assaults can be reduced to near zero by limiting the number of attempts allowed within a given period of time, and by wisely choosing the password or key. For example, if only three attempts are allowed and then a period of 15 minutes must elapse before the next three attempts are allowed, and if the password or key is a long, meaningless jumble of letters and numerals, a system can be rendered immune to dictionary attacks and practically immune to brute-force attacks.
A form of dictionary attack is often used by spammers. A message is sent to every e-mail address consisting of a word in the dictionary, followed by the at symbol (@), followed by the name of a particular domain. Lists of given names (such as frank, george, judith, or donna) can produce amazing results. So can individual letters of the alphabet followed by surnames (such as csmith, jwilson, or pthomas). E-mail users can minimize their vulnerability to this type of spam by choosing usernames according to the same rules that apply to passwords and decryption keys -- long, meaningless sequences of letters interspersed with numerals.
 |
Learn more about Web Application Security |
| Web Application Attacks Learning Guide: This guide explains how Web application attacks occur, identifies Web application attacks, and provides Web application security tools and tactics to protect against them. |
| Information security book excerpts and reviews: Visit the Information Security Bookshelf for book reviews and free chapter downloads. |
| Quiz: Could you detect an application attack?: Test your application security awareness, review common application attacks and learn how to improve application layer logging to detect and protect against these attacks. |
| Web Application Attacks Learning Guide: This guide explains how Web application attacks occur, identifies Web application attacks, and provides Web application security tools and tactics to protect against them. |
| State-based attacks: Session management: This excerpt reviews session management techniques developers can use to protect against session hijacking and other Web application attacks. |
| Content Spoofing: This excerpt from "Preventing Web Attacks with Apache" explains how content spoofing attacks exploit vulnerabilities and how to use Apache to protect against them. |
| LAST UPDATED: |
16 Oct 2005
|
 |
Do you have something to add to this definition? Let us know.
Send your comments to techterms@whatis.com
|
|
More resources from around the web:
|
|
Show me everything on 
