What makes passwords vulnerable to dictionary attacks, and why are we still using them?
There are 3 ways to authenticate a user: what you have (a token, ID card, etc.), what you are (a biometric, e.g. a fingerprint) or what you know (a password). These can be used individually or in combination. "What you know" is still the most popular form of authentication, as it doesn't have the logistical issues of tokens or the technological challenges of biometrics. Passwords must be easy to remember, which for humans means they will probably be based on known text. Unfortunately, this massively reduces the entropy, or randomness, of the password and allows targeted attacks based on dictionary words.