Users will typically choose a password that is easy to remember and use that password for multiple platforms, whether it's a bank account or a Facebook profile. For attackers, these types of passwords are the easiest to determine. Let's take a look at how hackers think.
Guessing
Including personal, public information in your password is a terrible idea. Attackers can simply guess words and phrases associated with your life, such as child names, city of birth, and local sports teams. If your life is showcased online and your password for important websites is personal, stop reading this and go and change it now.
Online Dictionary Attack
Attackers use an automated program that reads a text file of words. The program repeatedly attempts to log in to the target system, trying a different word from the text file on each attempt. While this is less reliable than the other methods, because each guess has to cross the network and the target can rate-limit or lock the account, it still works.
Offline Dictionary Attack
Similar to the online dictionary attack, except that the attacker first obtains a copy of the file in which the hashed or encrypted user accounts and passwords are stored. They then use an automated program to recover the password for each account. This can be a very quick process once the attacker has a copy of the password file, since no login attempts are needed and nothing on the target system can slow the guessing down.
Offline Brute Force Attack
A variation on the dictionary attack, this process is designed to find passwords that are not included in the word list. Although a brute force attack can be attempted online, network bandwidth and latency make it impractical, so it is usually undertaken offline using a copy of the target system's password file. The attacker uses an automated program that generates the hash or encrypted value of every possible password and compares each one against the values in the password file.
The Takeaway
A strong password can drastically delay, or even defeat, each of these attack methods. Make sure your password follows these guidelines:
1. It does not contain the username
2. It is at least six characters long
3. It contains characters from at least three of the following four groups:
- Lower case letters
- Uppercase letters
- Numerals
- Symbols
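The guidelines above as a checker, plus the keyspace count behind the brute force section, as an added Python example that is not part of the original article; the function names are my own.

```python
import string

# The four character groups named in the guidelines.
GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numerals": set(string.digits),
    "symbols": set(string.punctuation),
}


def groups_used(password: str) -> set:
    """Names of the character groups the password draws from."""
    chars = set(password)
    return {name for name, members in GROUPS.items() if chars & members}


def check_password(password: str, username: str) -> list:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    # 1. Must not contain the username (compared case-insensitively).
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # 2. Minimum length of six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")
    # 3. Characters from at least three of the four groups.
    if len(groups_used(password)) < 3:
        problems.append("uses fewer than three character groups")
    return problems


def brute_force_candidates(password: str) -> int:
    """Number of candidates an offline brute force attack must hash to be certain
    of covering this password: (alphabet size) ** (length), with the alphabet
    taken as the union of the groups the password uses. Shows why both length
    and group variety matter: a sixth lowercase-only character multiplies the
    work by 26, while mixing in all four groups multiplies it by 94 per character."""
    alphabet = set().union(*(GROUPS[name] for name in groups_used(password)))
    return len(alphabet) ** len(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("alice2024", "alice"), ("Tr0ub4dor!", "alice"), ("Ab1!", "bob")]:
        print(pw, check_password(pw, user) or "ok", brute_force_candidates(pw))
```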