A dictionary attack is an online password attack where an adversary builds a list (dictionary) of likely passwords, often from a target's personal info like birthdays, pet names, and anniversaries, then uses automated software to try them one by one against an account.
A dictionary attack is a type of online password attack. Instead of guessing randomly, the attacker builds a curated list (the "dictionary") of likely passwords and feeds it to an automated tool that tries each one against your account.
What makes it dangerous is that the dictionary isn't random. Per EK 1.2.B.2, adversaries gather personal information about a target (your birthday, anniversary, pet's name, family names) and turn that into candidate passwords. They lean on the predictable patterns people use (EK 1.2.B.1): a word or two, a two-digit year, and a special character at the end. So if your password is "Fluffy2019!", a dictionary attack built from your social media is going to find it fast.
This lives in Unit 1: Introduction to Security, topic 1.2 (Suspicious Website Logins). It's the concrete mechanism behind two learning objectives. AP Cybersecurity 1.2.B asks you to explain how adversaries exploit weak authentication, and the dictionary attack is the textbook example. AP Cybersecurity 1.2.A asks you to identify signs of a password attack, like many failed logins in a short time, logins at unusual hours, or logins from unknown devices. The dictionary attack is also the reason behind the defense in AP Cybersecurity 1.2.C: make passwords long, random, and unique, avoid personally meaningful words, and turn on MFA.
Brute Force Attack (Unit 1)
Both are online password attacks that hammer an account with guesses, but a dictionary attack is the smart cousin. Brute force tries every possible combination; a dictionary attack only tries likely ones drawn from personal info and common patterns, so it gets in faster against a weak password.
Weak Authentication and Password Patterns (Unit 1)
A dictionary attack only works because of EK 1.2.B.1 habits. People build passwords from pet names, dates, and that 'word + year + special character' formula. The attack is basically a tool designed to exploit exactly those predictable choices.
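The same habits can be checked for when a password is chosen, before any attacker tests them. The sketch below is an added example, not part of the original study guide: a sign-up check that rejects a proposed password if it follows the "word + year + special character" formula or contains the user's own names or dates. The function names, the 14-character minimum, and the sample names and dates are assumptions made for illustration.

```python
import re

# The "word + year + special character" habit, e.g. Fluffy2019! or Summer24#
WORD_YEAR_SPECIAL = re.compile(r"^[A-Za-z]+(\d{4}|\d{2})[^A-Za-z0-9]+$")
MIN_LENGTH = 14  # assumed policy value, not taken from the course text

def personal_tokens(names, dates):
    """Lowercased fragments of the user's own names and dates (YYYY-MM-DD)."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    for d in dates:
        year, month, day = d.split("-")
        tokens |= {year, month + day, day + month}
    return tokens

def weaknesses(password, names=(), dates=()):
    """Return the reasons a proposed password should be rejected (empty = OK)."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if WORD_YEAR_SPECIAL.match(password):
        reasons.append("word + year + special character pattern")
    hits = sorted(t for t in personal_tokens(names, dates) if t in lowered)
    if hits:
        reasons.append("contains personal info: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    # Constructed sample profile and passwords, for illustration only.
    profile = {"names": ["Fluffy", "Jordan"], "dates": ["2019-06-14"]}
    for candidate in ["Fluffy2019!", "Summer24#", "q7#Vz!pL2r@Xw9Gd"]:
        print(candidate, "->", weaknesses(candidate, **profile) or "accepted")
```

A check like this cannot prove a password is random; it only catches the predictable choices EK 1.2.B.1 describes, so it complements MFA rather than replacing it.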
Multifactor Authentication (MFA) (Unit 1)
MFA is the direct counter from EK 1.2.C.3. Even if a dictionary attack guesses your password, the attacker still needs a second factor like a one-time code, so a correct guess alone no longer gets them in.
Authentication Log (Unit 1)
Authentication logs are where you actually spot a dictionary attack in progress. The signs from EK 1.2.A.2 (lots of failed logins fast, odd times, unknown devices) show up as entries you can read and flag.
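To make those signs concrete, here is an added example (not from the original study guide) that reads a small constructed authentication log and flags each of the three EK 1.2.A.2 indicators per account. It goes one step beyond the text by also flagging a successful login that lands right after a burst of failures. The log format, device inventory, usual hours, and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (timestamp, account, device, result); not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice laptop-01 SUCCESS
2024-03-05T02:41:10 alice unknown-7f FAIL
2024-03-05T02:41:12 alice unknown-7f FAIL
2024-03-05T02:41:13 alice unknown-7f FAIL
2024-03-05T02:41:15 alice unknown-7f FAIL
2024-03-05T02:41:16 alice unknown-7f FAIL
2024-03-05T02:41:18 alice unknown-7f SUCCESS
2024-03-05T10:30:00 bob phone-02 FAIL
2024-03-05T10:30:40 bob phone-02 SUCCESS
"""

KNOWN_DEVICES = {"alice": {"laptop-01"}, "bob": {"phone-02"}}  # assumed inventory
USUAL_HOURS = range(7, 22)                    # assumed normal hours, 07:00-21:59
MAX_FAILS, WINDOW = 5, timedelta(minutes=1)   # assumed burst threshold
BURST = "many failed logins in a short time"

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, device, result = line.split()
            yield datetime.fromisoformat(ts), user, device, result

def flag_signs(log):
    """Return {account: set of signs} for accounts showing any indicator."""
    findings, recent = {}, {}
    for ts, user, device, result in parse(log):
        signs = findings.setdefault(user, set())
        if device not in KNOWN_DEVICES.get(user, set()):
            signs.add("unknown device")
        if ts.hour not in USUAL_HOURS:
            signs.add("unusual hour")
        # Keep only this account's failures still inside the sliding window.
        fails = [t for t in recent.get(user, []) if ts - t <= WINDOW]
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= MAX_FAILS:
                signs.add(BURST)
        elif len(fails) >= MAX_FAILS:
            signs.add("success right after a failure burst")
        recent[user] = fails
    return {u: s for u, s in findings.items() if s}

if __name__ == "__main__":
    for account, signs in flag_signs(SAMPLE_LOG).items():
        print(account, sorted(signs))
```

In the sample, bob's single mistyped password from a known device during normal hours is not flagged, while alice's account shows every indicator at once.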
Expect this on multiple-choice questions in two flavors. First, scenario stems that describe the attack and ask you to name it: an attacker gathers a target's pet name, birthdate, and anniversary, then runs automated software trying combinations of those details, and you pick "dictionary attack." Second, questions about the weak authentication that enables it, like spotting a password built from a birthday plus a spouse's name. You should be able to (1) identify a dictionary attack from a description, (2) explain why personal-info passwords make it work, and (3) name the defenses: long, random, unique passwords and MFA. No released FRQ has used this term verbatim, but it supports the kind of attack-and-mitigation explanation Unit 1 free responses reward.
A brute force attack tries every possible password combination, no targeting. A dictionary attack is selective: it only tries a precompiled list of likely passwords, usually built from the target's personal info and common patterns. Dictionary attacks are faster against weak, predictable passwords; brute force is the exhaustive backup that eventually cracks short passwords by sheer volume.
A dictionary attack is an online password attack that tries a curated list of likely passwords rather than random guesses.
Adversaries build the dictionary from a target's personal information like birthdays, anniversaries, and pet or family names (EK 1.2.B.2).
It exploits predictable password patterns, such as a word plus a two-digit year plus a special character (EK 1.2.B.1).
Signs include many failed logins in a short time, logins at unusual hours, and logins from unknown devices (EK 1.2.A.2).
The best defenses are long, random, unique passwords and turning on multifactor authentication (EK 1.2.C).
It's an online password attack where the adversary builds a list of likely passwords, often from your personal info like your pet's name, birthday, and anniversary, then uses automated software to try each one against your account. It shows up in Unit 1, topic 1.2.
No. A brute force attack tries every possible combination, while a dictionary attack only tries a targeted list of likely passwords. The dictionary attack is more efficient against weak, personal-info passwords because it skips the guesses that obviously won't work.
Use passwords that are long, random, and unique, and avoid names, dates, or other personally meaningful words (EK 1.2.C.1 and 1.2.C.2). Turning on multifactor authentication (MFA) adds a second layer, so even a correct password guess won't get the attacker in.
Look for the signs of an online password attack in EK 1.2.A.2: many failed login attempts over a short time, login attempts at unusual hours, and login attempts from unknown devices. Authentication logs are where these show up.
Because that's exactly what a dictionary attack feeds on. Per EK 1.2.B.2, adversaries gather personal details like pet names, family names, and significant dates, then build them into a password dictionary an automated tool can run through quickly.