Dictionary.com

When Dictionaries Attack: How Hackers Use Dictionaries to Guess Passwords

It seems like there’s always a new story about millions of passwords being hacked. Each attack feels personal, especially if you’re one of the many people who use one password across several sites, whether it’s Facebook or LinkedIn, e-mail or a bank account. And since one way hackers fish out passwords is by using a dictionary attack (a name that brings shame to the honorable profession of lexicography), we’re always on high alert here. What is a dictionary attack? How can a benign book of meanings be used to uncover passwords?

With a smart algorithm and a dictionary, hackers are finding it surprisingly easy to guess passwords. And we have no one to blame but ourselves. In a recent study at Cambridge University, computer scientist Joseph Bonneau analyzed 70 million passwords from Yahoo! users. (Don’t worry, he didn’t steal them. The passwords were separated from their usernames.) Bonneau used the passwords to test possible hacking attempts. He found that, using the 1,000 most common words in the dictionary, an algorithm could correctly guess the passwords of up to 10% of the users. It turns out that many of us choose passwords that are relatively easy to remember and based on common words, and hackers can guess your password using a database of words (usually a dictionary of some sort).


So what should you do to protect your online accounts? Google recommends that you use an unusual string of letters. You could try an abbreviation of your favorite song lyric or your parents’ and siblings’ initials. Google uses the example of the famous line from Hamlet: To be or not to be, that is the question. It can be abbreviated as 2bon2btitq. It would be hard to find that string of letters anywhere else, which makes it almost impossible to hack.

We aspire to reclaim the power of the dictionary for the protection of online safety. Here’s one answer to those hackers who sully the reputation of the dictionary: use really unusual words with rare letter combinations that are easier to remember than an incomprehensible string—and can have funny meanings. Here are a few of our favorite picks:
cacoethes
dactyl
litotes
quidnunc
zyzzyva

What do you think of using the dictionary as a hacking tool? Will you change your password to something more challenging?

93 Comments

  1. RedLeafRenegade -  October 20, 2015 - 7:02 am

    All my passwords are either Greek or Roman gods or the name of a random star from the NASA list.
    (And I mean the stars whose names are not actual names like the Sun or Sirius. I mean stars with names like 23 Cephi 34.)

    Reply
  2. stfu ppl. -  April 22, 2015 - 7:37 am

    for my passwords, i like to troll articles about generating good passwords and read everybody’s comments about PRECISELY how they pick their passwords and specifically which sites they use them on…

    hehe

    /kidding

    OR AM I

    Reply
  3. Audrey Mai -  April 14, 2014 - 5:48 pm

    my password isn’t a word yet it is simple. It’s only 3 letters XD.

    Reply
  4. wolf tamer and tree puncher -  November 21, 2013 - 8:56 pm

    Hm. My username & password for Poptropica are my pets’ names + a combination of numbers. My password for Webkinz (yes, I still play that) is all my pets’ nicknames (they had nicknames) in one word. My email password has letters, numbers, & symbols. And a capital letter. Nobody could ever guess that. But I’m not on LinkedIn, so maybe I don’t have to worry about this.

    Has anyone noticed that when someone hacks your account (whether it’s LinkedIn, Facebook, whatever), it’s usually a friend?

    Reply
  5. SMS Jokes -  September 3, 2013 - 7:09 am

    my passwords will be difficult for anyone to guess. i read literature in many languages – and know lines of poetry from more than five. i take ONE of the many classic lines in any of those languages (with my own transliteration method for certain letters, and transpose numbers for some characters which is in my head) and use it as a password. being a touch typist helps too for typing more than 15 characters.

    Reply
  6. shayari -  July 26, 2013 - 6:43 am

    I change my passwords all the time. I didn’t know that hackers used dictionaries for that, but you learn something new every day. I just wish I knew what that one guy changed the password of my old Facebook account to. Maybe I could hack into my account. Lol

    Reply
  7. sushanta -  June 15, 2013 - 12:49 am

    ghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    Reply
  8. sushanta -  June 15, 2013 - 12:47 am

    hhhaaaa

    Reply
  9. Raj4U -  April 14, 2013 - 10:34 am

    Here all are maybe giving great suggestions to the hackers

    Reply
  10. Anon -  April 12, 2013 - 2:18 pm

    I use chemical formulas, like fe2o3h2o2 [iron oxide and hydrogen peroxide], though that example above I don’t use in any of my account.

    Reply
  11. Trees are Cute -  April 11, 2013 - 2:46 am

    Fluttershy,

    The Stare.

    Nuff said.

    Reply
  12. Hunter -  April 9, 2013 - 6:43 pm

    Or Even better: m0u$3

    (mouse)

    If you like my ideas please say so!

    Reply
  13. Hunter -  April 9, 2013 - 6:28 pm

    Like $h@doW

    (Shadow)

    Reply
  14. Shayes -  November 6, 2012 - 9:52 am

    I change my passwords all the time. I didn’t know that hackers used dictionaries for that, but you learn something new every day. I just wish I knew what that one guy changed the password of my old Facebook account to. Maybe I could hack into my account. Lol ;)

    Reply
  15. The Freak -  September 4, 2012 - 4:57 pm

    i am so glad i dont live there

    Reply
  16. Olivia -  August 12, 2012 - 5:43 pm

    nice. I’ve always been paranoid about forgetting passwords, so I use a base password and modify it per site

    EXAMPLE (not real): base password – ilovenoodles1234

    if the name of the site is short, say, 6 letters or below, I’ll replace the numbers

    google – ilovenoodlesGoogle

    if it’s longer, replace noodles (which are awesome by the way)
    dictionary.com – ilovedictionary1234

    of course my actual method is a bit different but u get the idea ;D

    btw always use capitals and numbers! symbols too if ur site lets u

    Reply
  17. Dan Rossiter | Failed Attempt to Hack My Site -  July 25, 2012 - 5:48 pm

    [...] step and then just guess likely passwords and hope to get lucky. Things like rainbow tables or dictionary attacks would be useful at this step. After the hacker finally gained access to my site, assuming he [...]

    Reply
  18. atul patel -  July 6, 2012 - 6:24 am

    This article is very interesting and informative.

    Reply
  19. Zaria Del Manos -  July 4, 2012 - 12:18 am

    My passwords are usually Chinese pinyin with the letters jumbled up and numbers added in instead of a letter; for example, I would use 3 instead of E.

    Reply
  20. Sarah -  June 20, 2012 - 1:32 pm

    As an actress, I like to use the names of my more obscure characters as a password.

    Reply
  21. Katie -  June 17, 2012 - 7:42 pm

    Not literally LOL. My password is not:tricky. Funny if it was. My friend just thought of that. LOL :)

    Reply
  22. Katie -  June 17, 2012 - 7:40 pm

    OMG scary!!! Thank god my password’s tricky. :)

    Reply
  23. BS -  June 15, 2012 - 2:17 am

    To everyone who seems hell-bent on proving that their passwords are secure because “it’s in a different language”, or it “doesn’t use dictionary words”… I only have 2 words for you: Rainbow Tables.

    The following passwords were cracked in less than an hour:

    QWE123!@#qweqwe
    m3adowsP@$$w0rd
    Gänseblümchen
    654321abc!@#$%^
    111708!QAZ2wsx^C

    Note the middle password… one would think it’s secure, no?

    Passwords are insecure. End-of! If they’re using only single factor authentication, there is no guarantee that a password won’t be cracked.

    http://pausecorner.com/2012/06/06/linkedin-password-issues/ explains it rather well.

    Reply
  24. Nihal -  June 14, 2012 - 10:38 pm

    @Emma Taylor McJoan – I can guess your passwords, I can just use Rainbow Tables or Brute Force Attack on them and in a matter of time, your complex passwords will be decrypted, hahahahahaha!!!!!

    Reply
  25. John -  June 12, 2012 - 1:00 pm

    I guess “PASSWORD” won’t do, huh?

    Reply
  26. Zach -  June 12, 2012 - 7:15 am

    Quick! Somebody hide the dictionary!

    Reply
  27. Mandla Nkosi -  June 12, 2012 - 5:23 am

    damn, I can’t believe this because my password consists of the most common words in English. It is indeed difficult for one to figure it out, but it would be very simple for a hacker to guess it. Must I change it?

    Reply
  28. traveler -  June 12, 2012 - 3:16 am

    my passwords will be difficult for anyone to guess. i read literature in many languages – and know lines of poetry from more than five. i take ONE of the many classic lines in any of those languages (with my own transliteration method for certain letters, and transpose numbers for some characters which is in my head) and use it as a password. being a touch typist helps too for typing more than 15 characters.

    or translate a famous english line into one of the languages (even if they sound silly).

    Reply
  29. Joshua Woo -  June 12, 2012 - 1:16 am

    Hmm Joes right

    Reply
  30. sdsd -  June 12, 2012 - 12:58 am

    @ Sad

    Mine too, and embarrassing. Hard to believe he works in IT.

    Reply
  31. Tayo -  June 11, 2012 - 11:35 pm

    That’s why I use a word that’s not even English. They can search for it in an English dictionary all they want; they ain’t findin’ it.

    Reply
  32. sexy -  June 11, 2012 - 10:52 pm

    i has random numbers followed by my name.

    Reply
  33. joe -  June 11, 2012 - 4:57 pm

    what would happen if a hacker looked here and noticed that list of words and thought it would be ironic that he would create a program to search for people who took that security advice, because it would reverse the usefulness of that small list of passwords and make it into a liability. Ingenious hacker help, Dictionary.com

    Reply
  34. Kassi -  June 11, 2012 - 4:56 pm

    Almost all of my friends are yahoo users, and i am wondering if they used their passwords in this study

    Reply
  35. Commenter_99A -  June 11, 2012 - 9:31 am

    Something’s fishy in Denmark. Either LinkedIn is leaving the Login ID available for all to see, and allowing umpteen attempts without locking out the account – or something else is in play here. A better plan than that outlined is to have a few easily remembered passwords, categorized from low-security to high-security. If the site is unlikely to cause you financial grief, and does not have your SS#, name, address, etc., and the password-hack strength is low, use your low-security password. If the site has a high degree of hack-resistance (account lockout after three failed attempts), then use the high-security password. If the site is keeping financial or personal identification information and does not fall into category #2, then don’t use it!

    Reply
  36. jewbaca -  June 11, 2012 - 9:12 am

    no one cares about your dads passwords

    Reply
  37. GlitchHero9724 -  June 11, 2012 - 8:40 am

    It’s indeed fairly easy to perform a dictionary attack if you have the right tools. And I say this, and I’m just 13 years old. But indeed, with dictionary attacks you cannot get a password that isn’t in the dictionary. So it is pretty much useless…

    Actually I’m surprised that the hackers used the dictionary attack… I mean, they would’ve had more success with other methods I won’t mention because that would fuel up some hackers that could be reading this…

    The problem is that people who like to terrorize passwords from innocent people exist. They exist. And they do this just for fun.

    Reply
  38. DSSR -  June 11, 2012 - 7:50 am

    I suggest not using any of the above dictionary words for your passwords, since the information is publicly disclosed and hackers could ascertain these words from the site. I suggest a combination of two words from different languages; ensure that the words haven’t been adopted into the other language. For added security, numerics would be advised, along with at least one special character.

    Reply
  39. Nidnat Mystedin -  June 11, 2012 - 5:49 am

    it is our job to protect our accounts! theirs, the hackers’, is to try and find out what ours is. so make it as elusive as a snow leopard and as gobbledygook as the croaking sound of frogs. i mean make it stronger than it was before. don’t share your password, like your toothbrush…

    obviously i will have to change it much better!!!

    Reply
  40. jin yuan -  June 11, 2012 - 5:32 am

    hackers have good brains

    Reply
  41. Danny -  June 11, 2012 - 1:31 am

    i used to have a password that was really long that i forgot, and now i can’t even use some of my emails

    Reply
  42. Mathholic -  June 11, 2012 - 1:30 am

    I wonder how long it would take someone to guess my old FB password…

    “I<3heart?”

    Lol so easy 2 remember yet not easy to guess

    Reply
  43. Kale -  June 11, 2012 - 1:26 am

    This isn’t just for websites, too. This goes for routers, safes and other things.

    And if you think you have a 5-letter password with all randomized letters, and you still think you’re safe. Well my friend, there is something called a Brute Force Attack.

    Reply
  44. P.Thompson -  June 11, 2012 - 1:20 am

    I’m afraid the author of this article does not understand what is meant by a dictionary attack. The advice at the end of the article — to use rare words from the dictionary — is ignorant at best, and dangerous for anyone who follows that advice.

    “Use really unusual words with rare letter combinations that are easier to remember than an incomprehensible string and can have funny meanings”

    Even the crappiest personal computer nowadays is basically a billion times faster than you are. It can remember a trillion times what you can. I have been playing Words With Friends on Facebook lately, it’s a variant of Scrabble. To check the validity of words for the game, they recommend a freely available word list of 173,000 words. I copied this list to my computer so I can verify words and spellings when I play the game. I use a simple search program which looks up words in that list in a fraction of an eye blink.

    I checked all 5 of those words you recommend — they are all on the list. Simple word game… freely available list… use just those words for your password, and you’re as screwed as if you used the password “MOM”.

    I won’t go into how a dictionary attack actually works, but seriously, a decent dictionary attack will crack “quidnunc” as fast as it will “mom”. And the stupid advice from some experts to mix upper and lower case only increases the difficulty of cracking simplistic passwords by a factor of 10,000 or so. So if we maximized that word list with all upper/lower variants of all words, that list goes from 173 thousand words to approximately 1.76 billion words. Big deal. My old clunky computer laughs at your clumsy attempts to stymie it. All those variations of that wordlist — for example, “mom” along with Mom, mOm, moM, MOm, MoM, mOM, MOM — would fit on a modern thumbdrive with room to spare.

    The absurd advice from other so-called experts is often useless and pointless. “Mix letters and numbers and blanks and punctuation to create a safe password,” they’ll say. Which is blithely ignorant of the fact that most password systems won’t accept such a wide range of input. If you’re lucky, they let you mix letters and numbers — no blanks, no punctuation.

    Some researchers are working on this conundrum, making password systems that are usable yet secure. In the meantime, enjoy these little cartoons:

    http://xkcd.com/538/

    http://xkcd.com/936/

    Reply
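The two quantitative claims on this page, the article’s finding that a short list of common words recovers a sizeable share of real passwords and P. Thompson’s arithmetic that mixing upper and lower case only multiplies a word list by a modest factor, can both be made concrete with a defensive check. Below is an added example in Python; it is not code from the Dictionary.com article or from any commenter. It implements the kind of blocklist check a registration form can run: it reduces a candidate password to the plain word it was built from (lower-casing, undoing the usual letter-for-symbol swaps such as 0→o and $→s, dropping trailing digits) and looks the result up in a word list, so that “Quidnunc”, “m0u$3” and “$h@doW” are rejected just as “mom” would be. The word list is a ten-entry constructed stand-in for a full dictionary, the swap table is an illustrative assumption, the sample passwords are constructed from examples commenters mention on this page, the “two variants per letter” model is the usual counting assumption behind Thompson’s factor, and the 2,048-word / four-word figures reproduce the scheme in the xkcd strip he links.

```python
"""
Added example, not code from the Dictionary.com article or any commenter.
Defender's view of a dictionary attack: a registration-form blocklist check
that normalises a candidate the way an attacker's rule set would and then
looks it up in a word list. Word list, swap table and sample passwords are
constructed for the example; a real deployment loads a full dictionary or
breached-password list.
"""
import math
import re

# Constructed stand-in for a real word list (a full one has ~173,000 entries).
WORDLIST = {
    "mom", "password", "mouse", "shadow", "dream",
    "cacoethes", "dactyl", "litotes", "quidnunc", "zyzzyva",
}

# Letter-for-symbol swaps to undo; an illustrative assumption, not exhaustive.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def normalized_forms(candidate: str) -> set:
    """Plain words a candidate could have been built from.

    Both orders are tried because a trailing digit may be decoration
    ("Mom123" -> "mom") or a swapped letter ("m0u$3" -> "mouse").
    """
    lowered = candidate.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    return {lowered.translate(LEET), stripped.translate(LEET)}


def is_blocklisted(candidate: str, wordlist: set = WORDLIST) -> bool:
    """True if the candidate is a word-list entry, however it is dressed up."""
    return any(form in wordlist for form in normalized_forms(candidate))


# Constructed sample, drawn from passwords commenters mention on the page.
SAMPLE_PASSWORDS = [
    "Quidnunc", "m0u$3", "$h@doW", "Mom123", "dream",
    "2bon2btitq", "tricky", "h82Jod9pS8h0",
    "CookieMonsterDoesBalletAtMadameBubbleStudio", "Gänseblümchen",
]


def fraction_guessable(passwords: list, wordlist: set = WORDLIST) -> float:
    """Share of a sample the blocklist catches, i.e. the share a dictionary
    attack using the same list and rules would recover."""
    hits = sum(is_blocklisted(p, wordlist) for p in passwords)
    return hits / len(passwords)


def case_variants(word: str) -> int:
    """Upper/lower-case spellings of a word: two choices per letter (assumed model)."""
    return 2 ** sum(ch.isalpha() for ch in word)


def dictionary_bits(words_in_list: int, word_len: int) -> float:
    """log2 of the guesses that cover every case variant of every
    word_len-letter word in a words_in_list-word list (assumed model)."""
    return math.log2(words_in_list) + word_len


def passphrase_bits(list_size: int, n_words: int) -> float:
    """log2 of the guesses for n_words words drawn at random from a
    list_size-word list (the four-random-words scheme in the linked xkcd)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(f"{p:45} blocked={is_blocklisted(p)}")
    print("share caught by the word list:", fraction_guessable(SAMPLE_PASSWORDS))
    print("case variants of 'mom':", case_variants("mom"))
    print("bits, 8-letter word with case from 173,000 words:",
          round(dictionary_bits(173_000, 8), 1))
    print("bits, 4 random words from 2,048:", passphrase_bits(2_048, 4))
```

Run stand-alone it prints which sample passwords the check rejects and the guess-space sizes: case variants only add one bit per letter on top of the word list, whereas four random words from a 2,048-word list give 44 bits regardless of casing, which is why the check does not treat capitalization or symbol swaps as adding strength.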
  45. Engineer Shareef -  June 11, 2012 - 12:48 am

    My pass word is **** for all my accounts, but no one could hack it.

    Reply
  46. Ness -  June 10, 2012 - 8:21 pm

    CookieMonsterDoesBalletAtMadameBubbleStudio
    That’s a favourite of mine.

    My friend did
    BabyYouLightUpMyWorldLikeNobodyElse
    One direction e_e

    Reply
  47. Ness -  June 10, 2012 - 8:20 pm

    I don’t use English passwords either. Mine are romanized Korean, Korean idol names & their Hanja names. As well as romanized Mandarin / Cantonese, Chinese idol names etc. No one would have guessed that ^^

    My friend makes up creative passwords, she likes Shakespeare and that ancient whatnot so once she did:
    2bon2btitq

    To be or not to be, that is the question! (What, to be a hacker or not to be? e_e)

    Also sometimes she does friends’ names, or pets’ names, or the suburb she lives in, and strings in random things eg.
    s!y@d#n$e%y^ = Sydney with random symbols in between each letter.

    She also does this:
    RhYtHmIcEnCyClOpAeDiAbRaInSfOrEvEr & PtErOdAcTyLsDeStRoYeDtHeRaInBoWcAnDyLaNd
    ( Rhythmic Encyclopaedia Brains Forever & Pterodactyls destroyed the rainbow candyland )

    Random words that she puts in a upper-lower-case shift.

    Reply
  48. yayRayShell -  June 10, 2012 - 7:47 pm

    Yay practice spelling in the run.

    Reply
  49. Harsh -  June 10, 2012 - 7:00 pm

    alphanumeric + non-alphanumeric characters, using this can make so many complex passwords

    Reply
  50. Dan -  June 10, 2012 - 5:41 pm

    @ j j rouseau –

    if they’re hacking into the accounts of English-speaking individuals – the target audience of this article – they are either English-oriented or not using the method described in the article. meow.

    Reply
  51. KroK -  June 10, 2012 - 5:02 pm

    I have always been a fan of the “infinity code”, as I once heard it called. You take a base language, create an algorithm to form new words from the existing language, then use one of the new words as a password. Then you only need to remember the root word. Like the one I use, “dream”. Although many websites, annoyingly, won’t allow you to use such a password, I also like this option: http://xkcd.com/936/

    Reply
  52. Andrew -  June 10, 2012 - 3:54 pm

    @Sad…also, if your dad’s passwords are “so” and “pathetic”, they really ARE pathetic…LMAO!

    OK, OK…i’ll stop…LOL

    Reply
  53. Andrew -  June 10, 2012 - 3:51 pm

    @Sad…why did you just give away your dad’s password(s)?
    Are all of his account passwords “so pathetic…”, and does that include the space between the o – p, and the three periods at the end?

    lol…j/k

    Reply
  54. Mackenzie -  June 10, 2012 - 1:41 pm

    My passwords are all inside jokes…nobody would ever get them….

    considering that hackledgrandpa2 is one of them……i didnt give away anything really important….this is just for school

    hopefully you dont know which school i go to…LOL

    Reply
  55. A person -  June 10, 2012 - 1:25 pm

    wow… but I can’t remember those words. :/

    Reply
  56. Abigail -  June 10, 2012 - 1:10 pm

    Or Tohuw2bt, the golden rule! Don’t use that one though, because I just said it.

    Reply
  57. Justin -  June 10, 2012 - 1:00 pm

    I suggest using the strong password generator – search it on google – and setting it to at least 10 characters. Of course the longer the password, the stronger it becomes.

    Reply
  58. someone -  June 10, 2012 - 11:49 am

    What’s even more pathetic is your passwords being the word ‘password.’

    Reply
  59. Jodie -  June 10, 2012 - 11:30 am

    I’m the same as many on here. I use non-English words, I use random capitalization, and 2-3 numbers. Also, I use a somewhat obscure language.

    Reply
  60. JayCkat -  June 10, 2012 - 8:18 am

    Simple, I use a password composed of simple to remember words from several languages.

    I use a password composed of words from Tolkien’s Elvish, Klingon, English and Malay.

    Take that dictionary attack!

    Reply
  61. Thatwon'twork -  June 10, 2012 - 5:40 am

    My passwords don’t have real words in them!

    Reply
  62. hyun goo -  June 10, 2012 - 3:10 am

    Since the dictionary.com favorite password are open, we shouldn’t use them?
    cacoethes
    dactyl
    litotes
    quidnunc
    zyzzyva

    Reply
  63. Tim Oey -  June 9, 2012 - 11:56 pm

    The best passwords are long (16+ character) strings that are different for every account you use. Handling such passwords requires a password safe (unless you have an eidetic memory). LastPass is probably the best one around but a number of others are pretty good. Google “Password manager” for options.

    Reply
  64. Rustgold -  June 9, 2012 - 7:26 pm

    Even better are those government answer question passwords (ie “What is your mother’s maiden name”). Seriously……
    Btw : I can tell you that it’s ‘Long’, for I didn’t give a ‘proper’ answer when they first asked it.

    Reply
  65. Emma Taylor McJoan -  June 9, 2012 - 4:45 pm

    You can never guess my passwords.
    HAHAHAHAHAHAHA
    It’s really easy to remember your passwords if you have really good memory.
    Other than letters and numbers, you can capitalize some numbers to make it more difficult to guess.
    That’s my suggestion to you.
    But you still have to remember it.
    Because if you don’t…
    WHAT A BUMMER!
    Ex: h82Jod9pS8h0
    Longer and more complicated ones are GREAT!

    Reply
  66. sherryyu -  June 9, 2012 - 2:09 pm

    i basically use a non-English word password for all my accounts

    Reply
  67. Kyle Michael Becker -  June 9, 2012 - 12:33 pm

    I wrote a PHP script to generate a list of EVERY possible password, given a set of legal characters, including lowercase letters, uppercase letters, numbers, and the commonly used symbols (accessible through SHIFT+key).
    I omitted the characters available through ALT+### key sequences, since they are often not used for password creation, though they are indeed members of the ASCII character set. This script made a separate list of all possible sequences of a given length. Well, every website has slightly differing parameters for password creation: some requiring at least one character, one number, some requiring a minimal length, some requiring a variance of casing, etc… But this script covered all those bases extensively. Only trouble is the server had certain restrictions about memory allocation, and the script would crash, knee deep in producing the list of all possible passwords with a length of 4. At any rate, I say all of this to say that we should all be reminded that even if a hacker is successful in their efforts to ‘crack’ into some system, it is merely a breach of the binary realm. They cannot steal your soul or anything eternally valuable anyhow. My advice is to use words from foreign languages, spell words backwards, include special characters like “!” when possible, or bastardize the spelling of words in order to prevent your password from being too generic, and thusly vulnerable. Also, be mindful that certain entities and organizations have the capability and authority to access your computer and its contents at their whim, though it is unlikely that you would have anything of interest to them anyhow.

    Reply
  68. Sonya -  June 9, 2012 - 11:36 am

    Most of my passwords are actually phrases mixed with letter, number and symbols to aid in the complexity.

    Reply
  69. 2nd -  June 9, 2012 - 11:09 am

    NO!!!!!! Dictionaries are not for hacking!

    Reply
  70. Tal of Israel -  June 9, 2012 - 8:58 am

    @JJ Rousseau
    Most people who make passwords use English.

    Reply
  71. Cyberquill -  June 9, 2012 - 8:04 am

    I prefer the traditional GF method of collecting information: point a gun at someone’s head, hand them a piece of paper and a pen, and inform them that on the count of three, either their brain or their password will be on that paper.

    Reply
  72. Morchena -  June 9, 2012 - 7:32 am

    Well don’t join linked in.

    Reply
  73. Sad -  June 9, 2012 - 6:58 am

    my dad’s passwords are so pathetic…

    Reply
  74. J J Rousseau -  June 9, 2012 - 12:29 am

    Oui, assume all hackers are English oriented. Woof.

    Reply
  75. Kelby -  June 8, 2012 - 10:45 pm

    When I clicked on the first and second and fourth words the article suggests at the bottom, cacoethes and dactyl and quidnunc, dictionary.com said there were no dictionary results. Did anybody else find this?
    When I clicked on quidnunc, the webpage said they were experiencing technical difficulties which is more reasonable since I’m pretty sure I’ve looked up that word before.

    Reply
  76. Kamikazen -  June 8, 2012 - 8:49 pm

    Heck, almost all of my passwords aren’t even in English. They are either romanized Japanese or romanized Japanese-English fusions of some sort with varying capitalizations, numbers, and symbols.

    Reply
  77. Maddy M. -  June 8, 2012 - 7:47 pm

    interesting

    Reply
  78. Cyraus -  June 8, 2012 - 6:36 pm

    I use one password for all accounts, but it is nearly impossible to guess since it is a non-English word. That’s all the information I’m comfortable with disclosing. ^_^

    Reply
  79. Lauren -  June 8, 2012 - 5:48 pm

    my password was easily hacked by a friend who’s only in High School and it was “Aeo9bjxq”…

    Reply
  80. Emma Taylor McJoan -  June 8, 2012 - 5:24 pm

    Go Dictionario.comio!
    Ya!

    Reply
  81. DICTIONARYATTACK | BLOGCHI@mayopia.com -  June 8, 2012 - 4:40 pm

    [...] does this not take us aback: — The ‘Dictionary Attack’ — We’re Worthless, Broke and Boring, –  Linked yet tired of underscoring  [...]

    Reply
  82. Emma Taylor McJoan -  June 8, 2012 - 3:50 pm

    Oh my gosh!

    Reply
  83. bleue -  June 8, 2012 - 3:06 pm

    it’s definitely advisable to use an alphanumeric password. highly recommended will be a name that you find easy to remember: a relative’s, friend’s, pet’s, or your loved ones’. And then mix it with your favorite numbers. Five to eight numbers mixed in with the names mentioned would be a strong password.

    Reply
