CAPEC-16: Dictionary-based Password Attack

<p>An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.<p><p>Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.<p>
Extended Description

For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

Severity :


Possibility :


Type :


This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The system uses one factor password based authentication.
  • The system does not have a sound password policy that is being enforced.
  • The system does not implement an effective password throttling mechanism.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low A variety of password cracking tools and dictionaries are available to launch this type of an attack.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.

Visit for more details.