Protecting Yourself Against Password Cracking

Article by Ryan Tetzlaff, published Jul 28, 2009

There are literally hundreds of security-focused books on the art of cracking passwords and securing your systems. This article will just cover the basics of how your passwords can be exposed to password cracking programs and other methods of gaining access to your accounts.

Overview

Since there are numerous topics related to security and passwords in general, I’m going to cover just the basics – how can passwords be cracked or otherwise compromised – without focusing on a specific crack or type of system.

The aim of the article is to better arm you with knowledge about protecting yourself and your computer against these types of threats.

Brute Force Attack

Brute force attacks are one of the simplest ways of attempting to crack a password. In a brute force attack, the attacker simply attempts to “guess” your password. If the first guess fails, they try a second guess, and so on, until they either succeed or give up. There are numerous brute force tools out there to crack anything from Office documents to Zip files to Windows account passwords.

To safeguard yourself against brute force attacks, use a password longer than 7 characters with a mix of uppercase letters, lowercase letters and numbers. On a decent “consumer” PC, a brute force attack takes about 4 days for a 7 character password or 253 days for an 8 character password. If you go out to 9 characters it is extremely impractical for anyone to attempt to brute force your password. More info on brute force crack times can be found here: Lockdown.co.uk.

You should also consider using a lockout policy that locks your user account for a length of time if too many incorrect guesses are made.
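As an added illustration (not code from the original article), the following Python estimates how the search space for a mixed-case alphanumeric password grows with each extra character, and how a lockout policy throttles online guessing. The guess rate is an assumption calibrated to the article's 4-day figure for 7 characters, and the 5-attempts-per-15-minutes policy is a constructed example.

```python
# Character classes the article recommends mixing: upper, lower and digits.
MIXED_ALNUM = 26 + 26 + 10  # 62 symbols

# Guess rate calibrated to the article's figure for a "consumer" PC
# (assumption: all 62^7 candidates tried in about 4 days, roughly 1e7/s).
CONSUMER_PC_GUESSES_PER_SEC = 62 ** 7 / (4 * 86_400)


def keyspace(length: int, alphabet_size: int = MIXED_ALNUM) -> int:
    """Distinct passwords of exactly `length` symbols; each extra symbol
    multiplies the attacker's work by `alphabet_size`."""
    return alphabet_size ** length


def exhaust_seconds(length: int, guesses_per_sec: float,
                    alphabet_size: int = MIXED_ALNUM) -> float:
    """Time to try every candidate at a fixed guess rate (attacker's worst case)."""
    return keyspace(length, alphabet_size) / guesses_per_sec


def exhaust_days(length: int,
                 guesses_per_sec: float = CONSUMER_PC_GUESSES_PER_SEC) -> float:
    """Same figure in days, on the calibrated consumer-PC rate by default."""
    return exhaust_seconds(length, guesses_per_sec) / 86_400


def lockout_rate(max_attempts: int, lockout_seconds: float) -> float:
    """Effective online guess rate under a lockout policy: after `max_attempts`
    failures the account is locked for `lockout_seconds`, so the attacker is
    throttled to the policy rather than to their hardware."""
    return max_attempts / lockout_seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86_400), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print("offline brute force on a consumer PC (mixed-case + digits):")
    for n in (7, 8, 9):
        print(f"  {n} chars: {humanize(exhaust_seconds(n, CONSUMER_PC_GUESSES_PER_SEC))}")
    # Online guessing against a constructed policy: 5 attempts per 15 minutes.
    throttled = lockout_rate(max_attempts=5, lockout_seconds=15 * 60)
    print(f"online, 7 chars, lockout 5 tries / 15 min: "
          f"{humanize(exhaust_seconds(7, throttled))}")
```

Going from 7 to 8 characters multiplies the work by 62, which is why the 9 character case lands in decades even offline, and the lockout policy pushes online guessing of even a 7 character password into millions of years.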

Dictionary Attack

A dictionary attack is a form of brute force attack. The attacker doesn’t know any part of your password, but they assume that all or part of it is a word. The attacker uses a program to cycle through a large dictionary of words, appending random characters to the dictionary words, to attempt to guess your password.

It’s pretty simple to combat dictionary attacks – don’t use names or words in your passwords. One tip I recommend is to come up with a basic phrase and perform letter substitution. For example, if I wanted my password to be “I hate computers”, I could substitute the letter “a” with “@”, “e” with “3”, “o” with “0” and “I” with “1”. The new password may be “1 h@t3 c0mput3rs”. This makes it relatively easy for you to remember, but makes dictionary attacks impossible.
