Industry guru Dave Taylor offers tech support on technical and business topics, including iPhone, iPod, Microsoft Windows, Sony PSP, cellphones, online advertising, CSS, Web design, business, Unix, Linux, SEO, Mac OS X, and shell script programming.     


What's a dictionary attack?

Dave, our IT people just sent out a note warning about "dictionary attacks" on our server, but I really have no idea what a dictionary attack is. Can you enlighten me?


Dave's Answer:

The first time I heard this phrase, I have to admit that I had visions of mad academics chasing after innocent people, hurling weighty tomes and yelling obscure and polysyllabic imprecations, but it turns out that a dictionary attack is much more plebeian and mundane.

There are really two different kinds of dictionary attacks that I know of, actually, so let's start with the simpler: hackers know well that most people do a terrible job of picking passwords, so if they can figure out what account names to try, they can use a program to automatically try thousands of different possible passwords to break into accounts remotely.

For example, if you were to look at my email and determine that my account name is taylor and that my server was intuitive.com, then you could ostensibly feed a dictionary of common names, for example, to try and log in to my server, from Aaron to Zebediah, hoping that I have a simple password.

That's a login dictionary attack.

The other, perhaps more common dictionary attack, is one that spammers use: if you know that my mail server is intuitive.com and that email addresses are simply something at that domain name, then one brute force way to figure out what email addresses are valid on my server is to send a message to every possible address and see which ones bounce.

That's an email dictionary attack.

Anyway, when your IT people are talking about dictionary attacks, you should read that as a reminder to make sure you have good, complex passwords and that you should not have a mail system with "catch all" addresses, where any mail sent to an unknown destination get automatically delivered.


More Useful Computer and Internet Basics Articles:
✔   How do I blur my house on Google Maps Street View?
I was poking around on Google Maps looking at satellite views of my neighborhood and when I switched to street view, was upset...
✔   Create a custom vanity URL for Kickstarter?
I was reading some updates on Twitter and saw someone had posted a URL that would let me see what projects they'd backed...
✔   Export or Save Subscription List from Google Reader?
Just heard that Google Reader is going away this summer. That stinks! How am I supposed to read my RSS feeds? More importantly,...
✔   Shrink or Reduce a Photo File Size on Mac?
I'm trying to upload some photos to a social media site and it's complaining that they're too big. They are, as they come...
✔   Can I organize my Yahoo Mail with folders?
I've been on Yahoo Mail for years and while most of my friends are now on Gmail or their own Web-based email programs,...

Let's stay in touch!
Sign up for my weekly AskDaveTaylor Newsletter and you'll receive even more tech and gadget help right to your inbox, along with exclusive news and industry updates. It's good stuff. I promise!
    Enter your name: and your email addr:  








Reader Comments To Date: 1

Patrick said, on July 31, 2008 9:05 AM:

Dave,

I just received this message from Apple Engineering:

"However we can see that the customer is under a dictionary attack. This needs to be addressed post haste. This can cause issues with Directory Services."

How, exactly, might one go about addressing dictionary attacks? We're seeing brute force authentication attempts from all over, typically from Asia and Europe. I don't know what some Korean or French guy thinks he's going to do with anything he might find. Since I have to have certain services available for my remote users, such as email, file sharing and a database server, how can I lock these guys out?


Thanks,
Patrick

Starbucks coffee cup I do have a lot to say, and questions of my own for that matter, but first I'd like to say thank you, Dave, for all your helpful information by buying you a cup of coffee!

I do have a comment, now that you mention it!











I will never send you any unsolicited email. Ever.






Check This Out Too...

 
Look for Answers
Need Help? Ask Dave Taylor!


Follow Me on Pinterest

Find Me on Google+
ADT on G+
© 2002 - 2013 by Dave Taylor. All Rights Reserved.

Note: This web site is for the purpose of disseminating information for educational purposes, free of charge, for the benefit of all visitors. We take great care to provide quality information. However, we do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site. Further, please note that by submitting a question or comment you're agreeing to my terms of service, which are: you relinquish any subsequent rights of ownership to your material by submitting it on this site. My lawyer says "Thanks".
"Ask Dave Taylor®" is a registered trademark of Intuitive Systems, LLC.