SECURITY · July 19, 2025 · 6 min read

Dictionary Attack vs Brute Force: What's the Difference?

Dictionary attacks use wordlists. Brute force tries every combination. Both are dangerous, but in different ways, against different password types.

Brute force: trying everything

A brute force attack tries every possible combination of characters, starting with the shortest and working up: "a", "b", "c"... "aa", "ab"... until it finds the correct password or exhausts the search space. Against modern hashing algorithms and long passwords, this is computationally infeasible — a 20-character random password against bcrypt would take longer than the age of the universe to crack by brute force.

Brute force is relevant primarily for short passwords (under 10 characters), weak hashing (MD5, SHA-1 without proper salting), and offline attacks against leaked databases where the attacker can try billions of combinations per second.

Dictionary attacks: trying likely passwords

A dictionary attack uses a pre-compiled list of likely passwords rather than trying all combinations. Modern password dictionaries aren't just word lists — they include:

  • All previously leaked passwords from breach databases (hundreds of millions of real passwords)
  • Common word + number combinations: password1, summer2024
  • Leet-speak substitutions: p@ssw0rd, l33t
  • Keyboard walks: qwerty, 123456
  • Corporate patterns: CompanyName2024!

Dictionary attacks with rule sets (like hashcat's built-in rules) can test billions of plausible variations per second, making them far more practical than brute force for human-created passwords.

Hybrid attacks

Hybrid attacks combine both approaches: start with dictionary words and apply brute-force character substitutions to each one. This is how most real-world password cracking works and why complexity rules fail — they teach patterns that become dictionary entries.

What defeats each attack type

Against brute force: Length. A 20-character password has too many possible combinations to enumerate regardless of character set or hashing algorithm.

Against dictionary attacks: Randomness. A password with no dictionary-word components and no predictable substitution patterns doesn't appear in any wordlist. This is why PassGeni uses crypto.getRandomValues() rather than words with transformations.

Against both: Random generation + length + strong hashing on the server side. PassGeni handles the first two; the site handles the third (and you can't control that).

Use the Strength Checker to see how your current passwords rate against dictionary-based scoring, not just entropy calculations.
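As an added illustration of dictionary-based scoring versus a plain entropy calculation (example code written for this post, not PassGeni's own Strength Checker), the following derives the base forms a rule set would reach from a password and checks them against a small constructed wordlist; WORDLIST, LEET, RULE_VARIANTS and all function names are assumptions for the demo.

```javascript
// Added example (not PassGeni's own code): a dictionary-aware strength check
// that contrasts naive entropy with the score a rule-based cracker would imply.
// The wordlist is constructed for this demo; a real checker loads a breach list
// with hundreds of millions of entries.
const WORDLIST = new Set(["password", "summer", "qwerty", "123456", "letmein", "companyname"]);

// Undo the common leet substitutions listed in the post (p@ssw0rd -> password).
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
function unleet(s) {
  return [...s].map((c) => LEET[c] ?? c).join("");
}

// Base forms a rule set would reach: lowercased, with a trailing digit/symbol
// suffix stripped (password1, summer2024, CompanyName2024!), then de-leeted.
function baseForms(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[\d!@#$%^&*?.\-_]+$/, "");
  const forms = new Set([lower, stripped, unleet(lower), unleet(stripped)]);
  return [...forms].filter((f) => f.length > 0);
}

// Naive entropy, log2(charset^length): what a plain entropy calculator reports.
function naiveEntropyBits(pw) {
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) charset += 33;
  return pw.length * Math.log2(charset || 1);
}

// Dictionary-based scoring: if any base form is in the wordlist, the attacker's
// search space is about wordlist size x rule variants, not charset^length.
// RULE_VARIANTS = 1000 is an assumed per-word variant count for the demo.
const RULE_VARIANTS = 1000;
function scorePassword(pw, wordlist = WORDLIST) {
  const naive = naiveEntropyBits(pw);
  const hit = baseForms(pw).find((f) => wordlist.has(f)) ?? null;
  const effective = hit ? Math.log2(wordlist.size * RULE_VARIANTS) : naive;
  return { hit, naiveBits: Math.round(naive), effectiveBits: Math.round(effective) };
}

// Brute-force cost: seconds to exhaust charset^length at a given guess rate.
function bruteForceSeconds(length, charset, guessesPerSec) {
  return Math.pow(charset, length) / guessesPerSec;
}

for (const pw of ["p@ssw0rd1", "CompanyName2024!", "xK9#mQ2vLp7!wZ4r"]) {
  console.log(pw, scorePassword(pw));
}
```

"p@ssw0rd1" scores about 55 bits by character-set entropy but only about 13 bits once its de-leeted base form is found in the wordlist, while the random 16-character string keeps its full entropy because no base form matches.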
