Quiz Entry - updated: 2026.07.05
What is a dictionary attack, and how does it differ from brute force?
Dictionary attacks try a curated list of likely passwords (common words, leaked passwords, names) — much faster than brute force because the list is short.
How it works:
- Attacker assembles a wordlist —
dictionaryorwordlist. Examples:- English dictionary (~470,000 words)
- rockyou.txt — 14 million real leaked passwords
- Names, sports teams, birthdates, lyrics
- For each word: hash it, compare to stolen hashes
- Found a match → password cracked
Why it's fast:
- A wordlist might be 10 million entries
- A 6-char brute-force is 70⁶ ≈ 100 billion possibilities
- Wordlists are 10,000× smaller — and they cover the most likely passwords first
Hit rates in practice:
In real breached datasets, 20-40% of passwords crack with rockyou.txt alone, in seconds.
Defenses:
- Don't use real words (or only as part of a passphrase with multiple words)
- Use random characters from a password manager
- Rate-limit login attempts to prevent online dictionary attacks
Modern hybrid attacks:
Tools like Hashcat combine wordlists with rules:
rockyou.txt + append digits + capitalize first letter + replace o→0- Generates billions of variations from a 14M-word base
- Catches
Password1,P@ssword,Password2024, etc.
The famous wordlist: rockyou.txt came from the 2009 RockYou breach where 32M passwords were stored in plaintext. It's been used in every cracking tutorial since.
Tip: Try https://www.kali.org/tools/wordlists/ on Kali Linux — /usr/share/wordlists/ has rockyou.txt by default.
Go deeper:
NotSoSecure password_cracking_rules — a curated "super rule" merging Hob0, KoreLogic, NSA and Hashcat rulesets — the exact transformations attackers apply to wordlists.