When Dictionaries Attack: How Hackers Use Dictionaries to Guess Passwords

It seems like there’s always a new story on millions of passwords being hacked. Each attack feels personal, especially if you’re one of the many people who use one password across several sites, whether it’s Facebook or LinkedIn, e-mail or a bank account. And since one way hackers fish out passwords is by using a dictionary attack (a name that brings shame to the honorable profession of lexicography), we’re always on high alert here. What is a dictionary attack? How can a benign book of meanings be used to uncover passwords?

With a smart algorithm and a dictionary, hackers are finding it surprisingly easy to guess passwords. And we have no one to blame but ourselves. In a recent study at Cambridge University, computer scientist Joseph Bonneau analyzed 70 million passwords from Yahoo! users. (Don’t worry, he didn’t steal them. The passwords were separated from their usernames.) Bonneau used the passwords to test possible hacking attempts. He found that, using only the 1,000 most common words in the dictionary, an algorithm could correctly guess the passwords of up to 10% of the users. It turns out that many of us choose passwords that are relatively easy to remember and based on common words, and hackers can guess such a password using a database of words (usually a dictionary of some sort).


So what should you do to protect your online accounts? Google recommends that you use an unusual string of letters. You could try an abbreviation of your favorite song lyric or your parents’ and siblings’ initials. Google uses the example of the famous line from Hamlet: To be or not to be, that is the question. It can be abbreviated as 2bon2btitq. It would be hard to find that string of letters anywhere else, which makes it almost impossible to guess with a dictionary.
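As an added example (not code from the original article or from Dictionary.com), here is the kind of blocklist check a sign-up form can run to reject passwords that a dictionary attack with basic mangling rules would recover: it lower-cases the candidate, undoes letter-for-symbol substitutions, strips appended digits, and tests the result (and its reverse, and any split into common words) against a word list. The word list is a small constructed sample, the function names are my own, and the candidate passwords are constructed from ones mentioned in the comment thread.

```python
import re

# Constructed sample of a "most common words" list. A real check would load a
# large list (the 1,000 most common words the article mentions, a Scrabble
# word list, or a breached-password corpus) from disk.
COMMON_WORDS = {
    "i", "love", "the", "password", "mom", "shadow", "mouse", "dream",
    "noodles", "dictionary", "google", "tricky", "quidnunc", "dactyl",
    "cacoethes",
}

# Letter-for-digit/symbol substitutions ("m0u$3", "$h@doW") that a guesser's
# mangling rules undo before the dictionary lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "+": "t",
})


def _strip_edges(s: str) -> str:
    """Drop leading/trailing digits and punctuation ("noodles1234" -> "noodles")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_roots(password: str) -> set:
    """The dictionary roots a guesser would try, in both rule orders:
    strip-then-unleet ("noodles1234" -> "noodles") and
    unleet-then-strip ("m0u$3" -> "mouse")."""
    lower = password.lower()
    return {_strip_edges(lower).translate(LEET_MAP),
            _strip_edges(lower.translate(LEET_MAP))}


def segments_into_words(root: str, words) -> bool:
    """True if root splits entirely into list words ("ilovenoodles" ->
    i + love + noodles). Dynamic programming over prefix positions."""
    reachable = [True] + [False] * len(root)
    for end in range(1, len(root) + 1):
        for start in range(end):
            if reachable[start] and root[start:end] in words:
                reachable[end] = True
                break
    return reachable[-1]


def is_dictionary_guessable(password: str, words=COMMON_WORDS) -> bool:
    """True when case folding, leet undo, appended digits, reversal or word
    concatenation reduce the password to common words; reject such passwords."""
    for root in candidate_roots(password):
        if not root:
            return True  # digits/symbols only: trivially small search space
        if root in words or root[::-1] in words:
            return True
        if segments_into_words(root, words):
            return True
    return False


def audit(candidates):
    """Return {password: verdict} for a batch of candidate passwords."""
    return {p: ("REJECT" if is_dictionary_guessable(p) else "ok")
            for p in candidates}


if __name__ == "__main__":
    # Constructed candidates; the abbreviated Hamlet line passes, the others fail.
    for pw, verdict in audit(["Quidnunc", "m0u$3", "$h@doW", "ilovenoodles1234",
                              "drowssap", "2bon2btitq"]).items():
        print(f"{pw:18} {verdict}")
```

Note that a rare word such as "quidnunc" is rejected as readily as "mom": rarity in speech is not rarity in a word list, which is the point the comments below make about freely available 170,000-word lists.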

We aspire to reclaim the power of the dictionary for the protection of online safety. Here’s one answer to those hackers who sully the reputation of the dictionary: use really unusual words with rare letter combinations that are easier to remember than an incomprehensible string—and can have funny meanings. Here are a few of our favorite picks:

What do you think of using the dictionary as a hacking tool? Will you change your password to something more challenging?


  1. RedLeafRenegade -  October 20, 2015 - 7:02 am

    All my passwords are either Greek or Roman gods or the name of a random star from the NASA list.
    (And I mean the stars whose names are not actual names like the Sun or Sirius. I mean stars with names like 23 Cephi 34

  2. stfu ppl. -  April 22, 2015 - 7:37 am

    for my passwords, i like to troll articles about generating good passwords and read everybody’s comments about PRECISELY how they pick their passwords and specifically which sites they use them on…



    OR AM I

  3. Audrey Mai -  April 14, 2014 - 5:48 pm

    my password isn’t a word yet it is simple. It’s only 3 letters XD.

  4. wolf tamer and tree puncher -  November 21, 2013 - 8:56 pm

    Hm. My username & password for Poptropica are my pets’ names + a combination of numbers. My password for Webkinz (yes, I still play that) is all my pets’ nicknames (they had nicknames) in one word. My email password has letters, numbers, & symbols. And a capital letter. Nobody could ever guess that. But I’m not on LinkedIn, so maybe I don’t have to worry about this.

    Has anyone noticed that when someone hacks your account (whether it’s LinkedIn, Facebook, whatever), it’s usually a friend?

  5. SMS Jokes -  September 3, 2013 - 7:09 am

    my passwords will be difficult for anyone to guess. i read literature in many languages – and know lines of poetry from more than five. i take ONE of the many classic lines in any of those languages (with my own transliteration method for certain letters, and transpose numbers for some characters which is in my head) and use it as a password. being a touch typist helps too for typing more than 15 characters.

  6. shayari -  July 26, 2013 - 6:43 am

    I change my passwords all the time. I didn’t know that Hackers used dictionaries for that, but you learn something new every day. I just wish I knew what that one guy changed my password to to my old Facebook account. Maybe I could hack into my account. Lol

  7. sushanta -  June 15, 2013 - 12:49 am


  8. sushanta -  June 15, 2013 - 12:47 am


  9. Raj4U -  April 14, 2013 - 10:34 am

    Here all may be giving great suggestions to the hackers

  10. Anon -  April 12, 2013 - 2:18 pm

    I use chemical formulas, like fe2o3h2o2 [iron oxide and hydrogen peroxide], though that example above I don’t use in any of my accounts.

  11. Trees are Cute -  April 11, 2013 - 2:46 am


    The Stare.

    Nuff said.

  12. Hunter -  April 9, 2013 - 6:43 pm

    Or Even better: m0u$3


    If you like my ideas please say so!

  13. Hunter -  April 9, 2013 - 6:28 pm

    Like $h@doW


  14. Shayes -  November 6, 2012 - 9:52 am

    I change my passwords all the time. I didn’t know that Hackers used dictionaries for that, but you learn something new every day. I just wish I knew what that one guy changed my password to to my old Facebook account. Maybe I could hack into my account. Lol ;)

  15. The Freak -  September 4, 2012 - 4:57 pm

    i am so glad i dont live there

  16. Olivia -  August 12, 2012 - 5:43 pm

    nice. ive always been paranoid about forgetting passwords, so i use a base password and modify it per site

    EXAMPLE (not real): base password– ilovenoodles1234

    if the name of the site is short, say, 6 letters or below, i’ll replace the numbers

    google– ilovenoodlesGoogle

    if its longer replace noodles (which are awesome by the way)
    dictionary.com– ilovedictionary1234

    of course my actual method is a bit different but u get the idea ;D

    btw always use capitals and numbers! symbols too if ur site lets u

  17. Dan Rossiter | Failed Attempt to Hack My Site -  July 25, 2012 - 5:48 pm

    [...] step and then just guess likely passwords and hope to get lucky. Things like rainbow tables or dictionary attacks would be useful at this step.After the hacker finally gained access to my site, assuming he [...]

  18. atul patel -  July 6, 2012 - 6:24 am

    This article is very interesting and informative.

  19. Zaria Del Manos -  July 4, 2012 - 12:18 am

    My passwords are usually Chinese pinyin with the letters jumbled up and numbers added in instead of letters, for example I would use 3 instead of E.

  20. Sarah -  June 20, 2012 - 1:32 pm

    As an actress, I like to use the names of my more obscure characters as a password.

  21. Katie -  June 17, 2012 - 7:42 pm

    Not literally LOL. My password is not:tricky. Funny if it was. My friend just thought of that. LOL :)

  22. Katie -  June 17, 2012 - 7:40 pm

    OMG scary!!! Thank god my password’s tricky. :)

  23. BS -  June 15, 2012 - 2:17 am

    To everyone who seems hell-bent on proving that their passwords are secure because “it’s in a different language”, or it “doesn’t use dictionary words”… I only have 2 words for you: Rainbow Tables.

    The following passwords were cracked in less than an hour:


    Note the middle password… one would think it’s secure, no?

    Passwords are insecure. End-of! If they’re using only single factor authentication, there is no guarantee that a password won’t be cracked.

    http://pausecorner.com/2012/06/06/linkedin-password-issues/ explains it rather well.

  24. Nihal -  June 14, 2012 - 10:38 pm

    @Emma Taylor McJoan – I can guess your passwords, I can just use Rainbow Tables or Brute Force Attack on them and in a matter of time, your complex passwords will be decrypted, hahahahahaha!!!!!

  25. John -  June 12, 2012 - 1:00 pm

    I guess “PASSWORD” won’t do, huh?

  26. Zach -  June 12, 2012 - 7:15 am

    Quick! Somebody hide the dictionary!

  27. Mandla Nkosi -  June 12, 2012 - 5:23 am

    damn I can’t believe this because my password consists of the most common words in English, it is indeed difficult for one to figure it out but it would be very simple for a hacker to guess it. Must I change it?

  28. traveler -  June 12, 2012 - 3:16 am

    my passwords will be difficult for anyone to guess. i read literature in many languages – and know lines of poetry from more than five. i take ONE of the many classic lines in any of those languages (with my own transliteration method for certain letters, and transpose numbers for some characters which is in my head) and use it as a password. being a touch typist helps too for typing more than 15 characters.

    or translate a famous english line into one of the languages (even if they sound silly).

  29. Joshua Woo -  June 12, 2012 - 1:16 am

    Hmm Joe’s right

  30. sdsd -  June 12, 2012 - 12:58 am

    @ Sad

    Mine too, and embarrassing. Hard to believe he works in IT.

  31. Tayo -  June 11, 2012 - 11:35 pm

    That’s why I use a word that’s not even English. They can search for it in an English dictionary all they want; they ain’t findin’ it.

  32. sexy -  June 11, 2012 - 10:52 pm

    i has random numbers followed by my name.

  33. joe -  June 11, 2012 - 4:57 pm

    what would happen if a hacker looked here and noticed that list of words and thought it would be ironic that he would create a program to search for people who took that security advice because it would reverse the usefulness of that small list of passwords and make it into a liability. Ingenious hacker help Dictionary.com

  34. Kassi -  June 11, 2012 - 4:56 pm

    Almost all of my friends are yahoo users, and i am wondering if they used their passwords in this study

  35. Commenter_99A -  June 11, 2012 - 9:31 am

    Something’s fishy in Denmark. Either LinkedIn is leaving the Login ID available to all to see, and allowing umpteen attempts without locking-out the account – or something else is in play here. A better plan than that outlined is to have a few easily-remembered passwords, categorize each from low-security to high-security. If the site is unlikely to cause you financial grief, and does not have your SS#, name, address, etc., and the password-hack strength is low; use your low-security password. If the site has a high degree of hack-resistance (account lockout after three failed attempts), then use the high-security password. If the site is keeping financial or personal identification information and does not fall into category #2, then don’t use it!

  36. jewbaca -  June 11, 2012 - 9:12 am

    no one cares about your dads passwords

  37. GlitchHero9724 -  June 11, 2012 - 8:40 am

    It’s indeed fairly easy to perform a dictionary attack if you have the right tools. And I say this, and I’m just 13 years old. But indeed, with dictionary attacks you cannot get a password that isn’t in the dictionary. So it is pretty much useless…

    Actually I’m surprised that the hackers used the dictionary attack… I mean, they would’ve had more success with other methods I won’t mention because that would fuel up some hackers that could be reading this…

    The problem is that people who like to terrorize passwords from innocent people exist. They exist. And they do this just for fun.

  38. DSSR -  June 11, 2012 - 7:50 am

    I suggest not using any of the above dictionary words for your passwords, since the information is publicly disclosed and hackers could ascertain these words from the site. I suggest a combination of two words from different languages; ensure that the words haven’t been adopted into the other language. For added security, numerics would be advised, along with at least one special character.

  39. Nidnat Mystedin -  June 11, 2012 - 5:49 am

    it is our job to protect our accounts! their, hackers, is to try and find out what ours is. so make it as elusive as snow-leopard and as gobbledygook as a croaking sound of frogs. i mean make it stronger than it was before. don’t share your password like your tooth-brush…

    obviously i will have to change it much better!!!

  40. jin yuan -  June 11, 2012 - 5:32 am

    hackers have good brains

  41. Danny -  June 11, 2012 - 1:31 am

    i used to have a password that was really long that i forgot and can’t even use some of my emails

  42. Mathholic -  June 11, 2012 - 1:30 am

    I wonder how long it would take someone to guess my old FB password…


    Lol so easy 2 remember yet not easy to guess

  43. Kale -  June 11, 2012 - 1:26 am

    This isn’t just for Websites too. This goes for routers, safes and other things.

    And if you think you have a 5 letter password with all randomized letters, and you still think you’re safe. Well my friend, there is something called Brute Force Attack.

  44. P.Thompson -  June 11, 2012 - 1:20 am

    I’m afraid the author of this article does not understand what is meant by a dictionary attack. The advice at the end of the article — to use rare words from the dictionary — is ignorant at best, and dangerous for anyone who follows that advice.

    “Use really unusual words with rare letter combinations that are easier to remember than an incomprehensible string and can have funny meanings”

    Even the crappiest personal computer nowadays is basically a billion times faster than you are. It can remember a trillion times what you can. I have been playing Words With Friends on Facebook lately, it’s a variant of Scrabble. To check the validity of words for the game, they recommend a freely available word list of 173,000 words. I copied this list to my computer so I can verify words and spellings when I play the game. I use a simple search program which looks up words in that list in a fraction of an eye blink.

    I checked all 5 of those words you recommend — they are all on the list. Simple word game… freely available list… use just those words for your password, and you’re as screwed as if you used the password “MOM”.

    I won’t go into how a dictionary attack actually works, but seriously, a decent dictionary attack will crack “quidnunc” as fast as it will “mom”. And the stupid advice from some experts to mix upper and lower case only increases the difficulty of cracking simplistic passwords by a factor of 10,000 or so. So if we maximized that word list with all upper/lower variants of all words, that list goes from 173 thousand words to approximately 1.76 billion words. Big deal. My old clunky computer laughs at your clumsy attempts to stymie it. All those variations of that wordlist — for example, “mom” along with Mom, mOm, moM, MOm, MoM, mOM, MOM — would fit on a modern thumbdrive with room to spare.

    The absurd advice from other so-called experts is often useless and pointless. “Mix letters and numbers and blanks and punctuation to create a safe password,” they’ll say. Which is blithely ignorant of the fact that most password systems won’t accept such a wide range of input. If you’re lucky, they let you mix letters and numbers — no blanks, no punctuation.

    Some researchers are working on this conundrum, making password systems that are usable yet secure. In the meantime, enjoy these little cartoons:



  45. Engineer Shareef -  June 11, 2012 - 12:48 am

    My password is **** for all my accounts, but no one could hack it.

  46. Ness -  June 10, 2012 - 8:21 pm

    That’s a favourite of mine.

    My friend did
    One direction e_e

  47. Ness -  June 10, 2012 - 8:20 pm

    I don’t use English passwords either. Mine are romanized Korean, Korean idol names & their Hanja names. As well as romanized Mandarin / Cantonese, Chinese idol names etc. No one would have guessed that ^^

    My friend makes up creative passwords, she likes Shakespeare and that ancient whatnot so once she did:

    To be or not to be, that is the question! (What, to be a hacker or not to be? e_e)

    Also sometimes she does friends’ names, or pets’ names, or the suburb she lives in, and strings in random things eg.
    s!y@d#n$e%y^ = Sydney with random symbols in between each letter.

    She also does this:
    RhYtHmIcEnCyClOpAeDiAbRaInSfOrEvEr & PtErOdAcTyLsDeStRoYeDtHeRaInBoWcAnDyLaNd
    ( Rhythmic Encyclopaedia Brains Forever & Pterodactyls destroyed the rainbow candyland )

    Random words that she puts in a upper-lower-case shift.

  48. yayRayShell -  June 10, 2012 - 7:47 pm

    Yay practice spelling in the run.

  49. Harsh -  June 10, 2012 - 7:00 pm

    alphanumeric + non-alphanumeric characters, using this can make so many complex passwords

  50. Dan -  June 10, 2012 - 5:41 pm

    @ j j rouseau –

    if they’re hacking into the accounts of English-speaking individuals – the target audience of this article – they are either English-oriented or not using the method described in the article. meow.

  51. KroK -  June 10, 2012 - 5:02 pm

    I have always been a fan of the “infinity code”, as I once heard it called. You take a base language, create an algorithm to form new words from the existing language, then use one of the new words as a password. Then you only need to remember the root word. Like the one I use, “dream”. Although many websites, annoyingly, won’t allow you to use such a password, I also like this option: http://xkcd.com/936/

  52. Andrew -  June 10, 2012 - 3:54 pm

    @Sad…also, if your dad’s passwords are “so” and “pathetic”, they really ARE pathetic…LMAO!

    OK, OK…i’ll stop…LOL

  53. Andrew -  June 10, 2012 - 3:51 pm

    @Sad…why did you just give away your dad’s password(s)?
    Are all of his account passwords “so pathetic…”, and does that include the space between the o – p, and the three periods at the end?


  54. Mackenzie -  June 10, 2012 - 1:41 pm

    My passwords are all inside jokes…nobody would ever get them….

    considering that hackledgrandpa2 is one of them……i didnt give away anything really important….this is just for school

    hopefully you dont know which school i go to…LOL

  55. A person -  June 10, 2012 - 1:25 pm

    wow… but I can’t remember those words. :/

  56. Abigail -  June 10, 2012 - 1:10 pm

    Or Tohuw2bt, the golden rule! Don’t use that one though, because I just said it.

  57. Justin -  June 10, 2012 - 1:00 pm

    I suggest using the strong password generator – search it on google – and setting it to at least 10 characters. Of course the longer the password, the stronger it becomes.

  58. someone -  June 10, 2012 - 11:49 am

    What’s even more pathetic is your passwords being the word ‘password.’

  59. Jodie -  June 10, 2012 - 11:30 am

    I’m the same as many on here. I use non-English words, I use random capitalization, and 2-3 numbers. Also, I use a somewhat obscure language.

  60. JayCkat -  June 10, 2012 - 8:18 am

    Simple, I use a password composed of simple to remember words from several languages.

    I use a password composed of words from Tolkien’s Elvish, Klingon, English and Malay.

    Take that dictionary attack!

  61. Thatwon'twork -  June 10, 2012 - 5:40 am

    My passwords don’t have real words in them!

  62. hyun goo -  June 10, 2012 - 3:10 am

    Since the dictionary.com favorite passwords are open, we shouldn’t use them?

  63. Tim Oey -  June 9, 2012 - 11:56 pm

    The best passwords are long (16+ character) strings that are different for every account you use. Handling such passwords requires a password safe (unless you have an eidetic memory). LastPass is probably the best one around but a number of others are pretty good. Google “Password manager” for options.

  64. Rustgold -  June 9, 2012 - 7:26 pm

    Even better are those government answer question passwords (ie “What is your mother’s maiden name”). Seriously……
    Btw : I can tell you that it’s ‘Long’, for I didn’t give a ‘proper’ answer when they first asked it.

  65. Emma Taylor McJoan -  June 9, 2012 - 4:45 pm

    You can never guess my passwords.
    It’s really easy to remember your passwords if you have really good memory.
    Other than letters and numbers, you can capitalize some numbers to make it more difficult to guess.
    That’s my suggestion to you.
    But you still have to remember it.
    Because if you don’t…
    Ex: h82Jod9pS8h0
    Longer and more complicated ones are GREAT!

  66. sherryyu -  June 9, 2012 - 2:09 pm

    i basically use a non-English word password for all my accounts

  67. Kyle Michael Becker -  June 9, 2012 - 12:33 pm

    I wrote a PHP script to generate a list of EVERY possible password, given a set of legal characters. including lowercase letters, uppercase letters, numbers, and the commonly used symbols (accessible through SHIFT+key)
    I omitted the characters available through ALT+### key sequences, since they are often not used for password creation, though they are indeed members of the ASCII character set. This script made a separate list of all possible sequences, of given length. Well, every website has slightly differing parameters for password creation. some requiring at least one character, one number, some requiring a minimal length, some requiring a variance of casing, etc… But this script covered all those bases extensively. Only trouble is the server had certain restrictions about memory allocation, and the script would crash, knee deep in producing the list of all possible passwords, with a length of 4. at any rate, I say all of this to say that we should all be reminded that even if a hacker is successful in their efforts to ‘crack’ into some system; that it is merely a breach of the binary realm. They cannot steal your soul or anything eternally valuable anyhow. My advice is to use words from foreign languages, spell words backwards, include special characters like “!” when possible, or bastardize the spelling of words in order to prevent your password from being too generic, and thusly vulnerable. Also, be mindful that certain entities and organizations have the capability and authority to access your computer and its contents at their whim, though it is unlikely that you would have anything of their interest anyhow.

  68. Sonya -  June 9, 2012 - 11:36 am

    Most of my passwords are actually phrases mixed with letter, number and symbols to aid in the complexity.

  69. 2nd -  June 9, 2012 - 11:09 am

    NO!!!!!! Dictionaries are not for hacking!

  70. Tal of Israel -  June 9, 2012 - 8:58 am

    @JJ Rousseau
    Most people who make passwords use English.

  71. Cyberquill -  June 9, 2012 - 8:04 am

    I prefer the traditional GF method of collecting information: point a gun at someone’s head, hand them a piece of paper and a pen, and inform them that on the count of three, either their brain or their password will be on that paper.

  72. Morchena -  June 9, 2012 - 7:32 am

    Well don’t join LinkedIn.

  73. Sad -  June 9, 2012 - 6:58 am

    my dad’s passwords are so pathetic…

  74. J J Rousseau -  June 9, 2012 - 12:29 am

    Oui, assume all hackers are English oriented. Woof.

  75. Kelby -  June 8, 2012 - 10:45 pm

    When I clicked on the first and second and fourth words the article suggests at the bottom, cacoethes and dactyl and quidnunc, dictionary.com said there were no dictionary results. Did anybody else find this?
    When I clicked on quidnunc, the webpage said they were experiencing technical difficulties which is more reasonable since I’m pretty sure I’ve looked up that word before.

  76. Kamikazen -  June 8, 2012 - 8:49 pm

    Heck, almost all of my passwords aren’t even in English. They are either romanized Japanese or romanized Japanese-English fusions of some sort with varying capitalizations, numbers, and symbols.

  77. Maddy M. -  June 8, 2012 - 7:47 pm


  78. Cyraus -  June 8, 2012 - 6:36 pm

    I use one password for all accounts, but it is nearly impossible to guess since it is a non-English word. That’s all the information I’m comfortable with disclosing. ^_^

  79. Lauren -  June 8, 2012 - 5:48 pm

    my password was easily hacked by a friend who’s only in High School and it was “Aeo9bjxq”…

  80. Emma Taylor McJoan -  June 8, 2012 - 5:24 pm

    Go Dictionario.comio!

  81. DICTIONARYATTACK | BLOGCHI@mayopia.com -  June 8, 2012 - 4:40 pm

    [...] does this not take us aback: — The ‘Dictionary Attack’ — We’re Worthless, Broke and Boring, –  Linked yet tired of underscoring  [...]

  82. Emma Taylor McJoan -  June 8, 2012 - 3:50 pm

    Oh my gosh!

  83. bleue -  June 8, 2012 - 3:06 pm

    it’s definitely advisable to use an alphanumeric password. highly recommended will be a name that you find easy to remember: a relative’s, friend’s, pet’s, or your loved ones’. And then mix it with your favorite numbers. Five to eight numbers mixed in with the names mentioned would be a strong password.

