Dave, our IT people just sent out a note warning about “dictionary attacks” on our server, but I really have no idea what a dictionary attack is. Can you enlighten me?
The first time I heard this phrase, I have to admit that I had visions of mad academics chasing after innocent people, hurling weighty tomes and yelling obscure and polysyllabic imprecations, but it turns out that a dictionary attack is much more plebeian and mundane.
There are really two different kinds of dictionary attacks that I know of, actually, so let’s start with the simpler: hackers know well that most people do a terrible job of picking passwords, so if they can figure out what account names to try, they can use a program to automatically try thousands of different possible passwords to break into accounts remotely.
For example, if you were to look at my email and determine that my account name is taylor and that my server was intuitive.com, then you could ostensibly feed a dictionary of common names, for example, to try and log in to my server, from Aaron to Zebediah, hoping that I have a simple password.
That’s a login dictionary attack.
The other, perhaps more common dictionary attack, is one that spammers use: if you know that my mail server is intuitive.com and that email addresses are simply something at that domain name, then one brute force way to figure out what email addresses are valid on my server is to send a message to every possible address and see which ones bounce.
That’s an email dictionary attack.
Anyway, when your IT people are talking about dictionary attacks, you should read that as a reminder to make sure you have good, complex passwords and that you should not have a mail system with “catch all” addresses, where any mail sent to an unknown destination get automatically delivered.