LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is a dictionary attack, and how does it differ from brute force?

Dictionary attacks try a curated list of likely passwords (common words, leaked passwords, names) — much faster than brute force because the list is short.

How it works:

  1. Attacker assembles a wordlist — dictionary or wordlist. Examples:
    • English dictionary (~470,000 words)
    • rockyou.txt — 14 million real leaked passwords
    • Names, sports teams, birthdates, lyrics
  2. For each word: hash it, compare to stolen hashes
  3. Found a match → password cracked

Why it's fast:

  • A wordlist might be 10 million entries
  • A 6-char brute-force is 70⁶ ≈ 100 billion possibilities
  • Wordlists are 10,000× smaller — and they cover the most likely passwords first

Hit rates in practice:

In real breached datasets, 20-40% of passwords crack with rockyou.txt alone, in seconds.

Defenses:

  • Don't use real words (or only as part of a passphrase with multiple words)
  • Use random characters from a password manager
  • Rate-limit login attempts to prevent online dictionary attacks

Modern hybrid attacks:

Tools like Hashcat combine wordlists with rules:

  • rockyou.txt + append digits + capitalize first letter + replace o→0
  • Generates billions of variations from a 14M-word base
  • Catches Password1, P@ssword, Password2024, etc.

The famous wordlist: rockyou.txt came from the 2009 RockYou breach where 32M passwords were stored in plaintext. It's been used in every cracking tutorial since.

Tip: Try https://www.kali.org/tools/wordlists/ on Kali Linux — /usr/share/wordlists/ has rockyou.txt by default.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 05, 2026