<P> In cryptanalysis and computer security, a dictionary attack is a form of brute force attack for defeating a cipher or authentication mechanism: it attempts to determine the decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. </P>
<P> A dictionary attack is based on trying all the strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary (hence the phrase dictionary attack). In contrast to a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords, or simple variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are relatively easy to defeat, e.g. by using a passphrase or otherwise choosing a password that is not a simple variant of a word found in any dictionary or listing of commonly used passwords. </P>
<P> It is possible to achieve a time-space tradeoff by pre-computing a list of hashes of dictionary words, and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but are less of an issue today because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary need be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup times. See LM hash for an example of an authentication system compromised by such an attack. </P>
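<P> The defence described above (choosing a password that is not a simple variant of a listed word) can be enforced when a password is set. The following is an added example, not part of the original article: the word list is a constructed sample, and the function names and the substitution table are assumptions. It goes slightly beyond the appended digit or punctuation case in the text by also folding case, prefixes and common letter-for-symbol swaps. </P>

```python
import string

# Constructed sample list; a real deployment would load a large list of
# dictionary words and commonly used passwords.
WORDLIST = {"password", "dragon", "sunshine", "letmein", "monkey", "welcome"}

# Assumption: these character swaps are treated as "simple variants".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Characters commonly prepended or appended to a base word.
AFFIX = string.digits + string.punctuation


def candidate_roots(password):
    """Reduce a password to the base strings a word list might contain."""
    lowered = password.lower()
    stripped = lowered.strip(AFFIX)  # drop leading/trailing digits and punctuation
    roots = {
        lowered,
        stripped,
        lowered.translate(LEET),     # undo swaps on the whole string
        stripped.translate(LEET),    # undo swaps after removing affixes
    }
    roots.discard("")
    return roots


def matched_word(password, wordlist=WORDLIST):
    """Return the listed word the password reduces to, or None if there is none."""
    for root in candidate_roots(password):
        if root in wordlist:
            return root
    return None


def is_acceptable(password, wordlist=WORDLIST):
    """A password is rejected when it is a listed word or a simple variant of one."""
    return matched_word(password, wordlist) is None


if __name__ == "__main__":
    for pw in ["Password1", "p@ssw0rd!", "Sunshine2018.", "dr4g0n",
               "correct horse battery staple"]:
        hit = matched_word(pw)
        print(f"{pw!r}: " + (f"rejected (variant of {hit!r})" if hit else "accepted"))
```

<P> The multi-word passphrase is accepted because no single transformation reduces it to a listed entry, which is the property the article attributes to passphrases. </P>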

How to prevent dictionary attack on password hashes