Typically, users choose passwords that are simple and easy to remember, and they reuse the same password for many different logins. A birthday or a pet's name seems ideal because you will never forget it. For an attacker, however, a password with little thought behind it is the easiest kind to determine. Here is how attackers determine passwords:
- Guessing: This is where putting personal information in your password hurts you. Attackers guess likely words and phrases such as children's names, city of birth, and local sports teams.
- Online dictionary attack: The attacker uses an automated program that includes a text file of words. The program repeatedly attempts to log in to the target system, using a different word from the text file on each try. Because every guess is a live login attempt, the attack is limited by the network and can be noticed and throttled by the target.
- Offline dictionary attack: Similar to the online dictionary attack, except that the attacker first obtains a copy of the file in which the hashed or encrypted user accounts and passwords are stored, and then uses an automated program to determine the password for each account. Because no login attempts are made against the live system, this can be completed very quickly once the attacker has a copy of the password file.
- Offline brute force attack: A variation of the dictionary attacks, designed to find passwords that are not in the text file those attacks use. A brute force attack can be attempted online, but because of network bandwidth and latency it is usually carried out offline against a copy of the target system's password file. The attacker's automated program generates the hash or encrypted value of every possible password and compares each one against the values in the password file.
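The two offline attacks above, worked through in code. This is an added example, not part of the original article: the password file, the three accounts, their salts, the wordlist and the hash scheme (hex SHA-256 of salt followed by password) are all constructed here so the script runs offline. The attack functions work only from the hashes; the plaintexts appear solely to build the sample file. Real systems use slow, purpose-built password hashes, which is what makes these attacks expensive in practice.

```python
"""Offline dictionary and brute-force attacks against a copied password file.

Added example, not code from the original article. Every account, salt,
password and wordlist entry below is constructed for the demonstration.
"""
import hashlib
import itertools
import string


def hash_password(salt: str, password: str) -> str:
    """Hash scheme assumed for the sample file: hex SHA-256 of salt + password."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed accounts used only to build the sample file. The attack
# functions never see these plaintexts; they work from the hashes alone.
_CONSTRUCTED_ACCOUNTS = [
    ("alice", "x9Q", "fluffy"),          # a pet's name: in any decent wordlist
    ("bob", "Lm2", "ab1"),               # three characters: trivial to brute-force
    ("carol", "pT7", "C0rrectHorse!9"),  # long, mixed classes: survives both attacks here
]

# The "copy of the password file" the attacker obtained: user:salt:hash per line.
SAMPLE_PASSWORD_FILE = "\n".join(
    f"{user}:{salt}:{hash_password(salt, pw)}" for user, salt, pw in _CONSTRUCTED_ACCOUNTS
)

# Constructed stand-in for the attacker's text file of likely words.
WORDLIST = ["password", "123456", "seattle", "seahawks", "fluffy", "letmein"]


def parse_password_file(text: str):
    """Return (user, salt, hash) tuples from 'user:salt:hash' lines, skipping blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, salt, digest = line.split(":", 2)
        entries.append((user, salt, digest))
    return entries


def _try_candidates(entries, candidates):
    """Core of both attacks: hash each candidate under each uncracked user's salt.

    Because every account has its own salt, one candidate costs one hash per
    account. With unsalted hashes the attacker would hash each candidate once
    and compare it against every account at no extra cost.
    """
    cracked = {}
    remaining = {user: (salt, digest) for user, salt, digest in entries}
    for candidate in candidates:
        if not remaining:
            break
        for user in list(remaining):
            salt, digest = remaining[user]
            if hash_password(salt, candidate) == digest:
                cracked[user] = candidate
                del remaining[user]
    return cracked


def dictionary_attack(entries, wordlist):
    """Offline dictionary attack: try every word in the attacker's list."""
    return _try_candidates(entries, wordlist)


def brute_force_attack(entries, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Offline brute force: try every string over `charset` up to `max_len` characters."""
    candidates = (
        "".join(chars)
        for length in range(1, max_len + 1)
        for chars in itertools.product(charset, repeat=length)
    )
    return _try_candidates(entries, candidates)


def brute_force_candidates(charset_size: int, max_len: int) -> int:
    """Number of candidates a full brute force must hash: the cost a password imposes."""
    return sum(charset_size ** length for length in range(1, max_len + 1))


if __name__ == "__main__":
    entries = parse_password_file(SAMPLE_PASSWORD_FILE)
    print("dictionary attack cracked:", dictionary_attack(entries, WORDLIST))
    print("brute force cracked:", brute_force_attack(entries))
    print("candidates, 3 chars of [a-z0-9]:", brute_force_candidates(36, 3))
    print("candidates, 8 chars of 95 printable ASCII:", brute_force_candidates(95, 8))
```

Running it shows the pattern the article describes: the dictionary attack recovers alice's pet-name password in a handful of guesses, the brute force recovers bob's three-character password after at most 47,988 candidates, and carol's long mixed-class password falls to neither within these budgets. The candidate counts make the point of the next section concrete: every extra character multiplies the brute-force work by the size of the character set.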
Strong passwords seriously slow down, or even defeat, each of these attack methods. A strong password:
- Does not contain the user name
- Is at least six characters long (the longer the better: length is what multiplies the work a brute force attack must do)
- Contains characters from three of the following four groups:
1. Lowercase letters
2. Uppercase letters