The simple answer to that question is that passwords are cracked by guessing.
Now, I know what you’re thinking – that the corporate login system will lock someone out after five failed attempts. Sure. But, by the time a cracker comes to the front door of your system, they’ve already guessed your password.
Well, it likely started with a successful SQL injection attack that gave the cracker access to a database containing user account information. Sure, the passwords were encrypted. But, now that they have the cipher text, they can start trying to crack it.
The first thing they’ll do is to try all of the passwords on lists of commonly used passwords and default passwords. This is called a dictionary attack. It will likely crack several passwords in the database, since these are, after all, common passwords.
Foiling a dictionary attack is quite easy. Just don’t use common passwords. Take a few minutes to follow the links above to see just how easy this is for crackers.
Brute Force Attacks
To crack even more passwords, the cracker can instruct their computer to try every possible password until one matches. This is called a brute force attack. This type of attack is guaranteed to work – eventually.
The key to thwarting a brute force attack is to use strong passwords. Password strength is affected by two things:
- The length and complexity of the actual password, and
- The processing power available to the cracker.
Obviously, you cannot control the second. But, you can control the first. I’ll cover password strength in more detail in the next post. But, suffice it to say that the longer and more complex your password, the stronger it is.
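As an added illustration (not code from the original post), the following Python check does the two things the dictionary-attack and brute-force sections above argue for: it rejects a candidate password that appears on a common-password list, and it estimates how long an attacker would need to exhaust the keyspace implied by the password's length and character classes at an assumed guess rate. The wordlist and the 10 billion guesses-per-second figure are constructed assumptions standing in for real lists and real hardware.

```python
import string

# Constructed stand-in for the public "most common passwords" lists the post
# refers to; a real check would load the full list from a file.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "admin", "welcome", "iloveyou",
}

# Assumed attacker speed (guesses per second); adjust to the hardware you expect.
ASSUMED_GUESS_RATE = 1e10

# Verdict threshold: anything a brute-force search would finish within a year
# at the assumed rate is treated as weak.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


def charset_size(password):
    """Size of the alphabet an attacker must search, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c.isdigit() for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def keyspace(length, alphabet_size):
    """Worst-case number of candidates a brute-force attack enumerates:
    every string of the given length over the given alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(password, guesses_per_second=ASSUMED_GUESS_RATE):
    """Time to try the whole keyspace. This is an upper bound: human-chosen
    passwords are not uniformly random, so real searches finish sooner."""
    return keyspace(len(password), charset_size(password)) / guesses_per_second


def assess(password, guesses_per_second=ASSUMED_GUESS_RATE):
    """Registration-time policy check. Returns a dict with a verdict
    ('reject', 'weak' or 'acceptable'), the reason, and the estimate."""
    # Dictionary attack defence: common passwords fall first, regardless of length.
    if password.lower() in COMMON_PASSWORDS:
        return {"verdict": "reject", "reason": "on common-password list",
                "seconds": 0.0}

    # Brute-force defence: length and alphabet size set the search space.
    seconds = seconds_to_exhaust(password, guesses_per_second)
    if seconds < ONE_YEAR_SECONDS:
        return {"verdict": "weak",
                "reason": "brute force completes in %.1f seconds" % seconds,
                "seconds": seconds}
    return {"verdict": "acceptable",
            "reason": "brute force needs about %.0f years" % (seconds / ONE_YEAR_SECONDS),
            "seconds": seconds}


if __name__ == "__main__":
    for candidate in ["password", "abcdefgh", "Tr0ub4dor&3"]:
        result = assess(candidate)
        print("%-12s %-10s %s" % (candidate, result["verdict"], result["reason"]))
```

The estimate is deliberately pessimistic about the attacker (full keyspace, no wordlist or substitution rules), so treat it as a ceiling on strength rather than a guarantee; the common-password screen is the part that catches the passwords that fall in practice.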
Finally, there’s one more way a cracker can “guess” a password: They can change it.
Assuming the user account information database that they downloaded also includes email addresses (which many sites use as the logon id), the cracker now has two pieces of information about you: Your email address and a password that you use on at least one website.
Using the knowledge that many people reuse passwords on many different sites, including email, the cracker will naturally go to your email site and try to login using your email address and the cracked password. If it works, then not only can they read your email, they can also potentially change your password on other sites and intercept the new, system-generated passwords.
Sure, some websites (notably banks) now require you to run a gauntlet of personal questions before allowing you to change your password. But, others do not – including Facebook, which is rapidly becoming the de facto authentication standard across the web.
There’s only one way to prevent this kind of attack – don’t reuse passwords across sites – especially email!
Now that I’ve scared the pants off you, stay tuned for a deeper (geekier) discussion of password strength, and some (less geeky) recommendations regarding passwords.