How to Select Strong Password for your Windows Account Storing Your Passwords
Jun 20


Password-cracking utilities use three methods for attempting to break a password. The simplest and the fastest—assuming that your password is a word that might be found in a dictionary—is called the Dictionary Attack. The Dictionary Attack tries every word in the dictionary until it finds the right one for the username being targeted.

The second method used to break passwords is called a Brute Force Attack. The Brute Force Attack will try literally every possible combination sequentially until it finds the right combination to authenticate as the username being targeted. The Brute Force Attack will attempt to use lowercase letters, uppercase letters, numbers, and special characters until it eventually stumbles onto the correct password.

The third method is called a Hybrid Attack. The Hybrid Attack combines the Dictionary Attack and the Brute Force Attack. Many users will choose a password that is in fact a dictionary word, but add a special character or number at the end. For instance, they might use “password1” instead of “password.” A Dictionary Attack would fail because “password1” isn’t in the dictionary, but a Brute Force Attack might take days depending on the processing power of the computer being used. By combining a Dictionary Attack with a Brute Force Attack, the Hybrid Attack would be able to crack this password much faster.
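A password-selection check built on the three methods above, as an added example that is not part of the original article: it reports which method would cover a candidate password first and compares the brute-force search space with the much smaller hybrid one. The wordlist is a constructed sample, the names `classify`, `brute_force_bits` and `guess_bits` and the three-character affix limit are assumptions, and the check goes slightly beyond the text by also treating characters added at the front of a word as hybrid.

```python
import math
import string

# Constructed sample wordlist; a real check would load a full dictionary file.
WORDLIST = {"password", "dragon", "summer", "windows", "letmein"}
AFFIX_CHARS = string.digits + string.punctuation  # characters users tack on
MAX_AFFIX = 3  # assumption: hybrid guessing covers up to 3 added characters


def classify(pw):
    """Name the cheapest of the three attack methods that covers pw."""
    low = pw.lower()  # case is folded: case variants of a word are cheap to try
    if low in WORDLIST:
        return "dictionary"
    # Only added leading/trailing digits and symbols are modelled here.
    core = low.strip(AFFIX_CHARS)
    if core in WORDLIST and len(low) - len(core) <= MAX_AFFIX:
        return "hybrid"
    return "brute-force"


def brute_force_bits(pw):
    """log2 of the candidates of this length over the character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def guess_bits(pw):
    """log2 of the guesses needed by the method classify() selects."""
    if classify(pw) == "brute-force":
        return brute_force_bits(pw)
    added = len(pw) - len(pw.strip(AFFIX_CHARS))
    return math.log2(len(WORDLIST)) + added * math.log2(len(AFFIX_CHARS))


if __name__ == "__main__":
    for sample in ("password", "password1", "Summer!9", "tR7#kq9Lm2"):
        print(f"{sample:12} {classify(sample):12} "
              f"brute-force {brute_force_bits(sample):5.1f} bits, "
              f"cheapest method {guess_bits(sample):5.1f} bits")
```

With a realistic dictionary the hybrid figure grows by the logarithm of the wordlist size, but it stays far below the brute-force figure for any word-plus-suffix password.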

Given enough time and resources, no password is 100% unbreakable. Some password recovery utilities may have success where others fail, and a lot depends on the processing horsepower of the machine attempting to crack the password (see the sidebar on p. 38).

Just like the lock on your home or car door, the idea is to make it difficult to get in, not impossible. A professional thief can probably still pick your lock in under a couple of minutes, but the average person will be deterred by a lock, and even thieves of moderate skill may be dissuaded by more complex or intricate lock systems.

The goal isn’t to come up with a password that is unbreakable—although that would be nice as well. The goal is to create a password that you can remember, that the average person won’t be able to guess based on knowing a few details about your life, and that would take so long to crack using a password-recovery utility that a hacker of moderate skill would be dissuaded. In the end, someone skilled or dedicated enough could still find a way to break or go around your password, which is one of the reasons this is not the only defense mechanism you will use.

Aside from coming up with strong passwords, it is also important to change your passwords on a regular basis. Even if you have done everything possible to protect your passwords, it is still possible that your password could be intercepted or cracked, whether through a security breach on a server or by an attacker intercepting network traffic. I would recommend that you change your passwords every 30 days at a minimum.
 
