Most people understand that good password security is the first and most effective strategy for protecting sensitive systems and data, yet systems are regularly compromised via breached user accounts.
It is fairly common knowledge that one should use strong passwords that are not easily "guessed" - such as by employing passwords that are 12 to 16 characters in length that use both upper and lower case letters, and which include non-alphanumeric characters.
But sophisticated hackers are not always simply attempting to "guess" passwords based on information lifted from social networks and the like, but instead are using various methods to undermine what most would think to be a secure password choice.
PC Pro's Davey Winder posted a nice little writeup on the the top ten methods hackers use to crack passwords
Winder's top ten and a brief excerpt of the technique are as follows:
1. Dictionary attack
"This uses a simple file containing words that can, surprise surprise, be found in a dictionary. In other words, if you will excuse the pun, this attack uses exactly the kind of words that many people use as their password..."
2. Brute force attack
"This method is similar to the dictionary attack but with the added bonus, for the hacker, of being able to detect non-dictionary words by working through all possible alpha-numeric combinations from aaa1 to zzz10..."
3. Rainbow table attack
"A rainbow table is a list of pre-computed hashes - the numerical value of an encrypted password, used by most systems today - and that’s the hashes of all possible password combinations for any given hashing algorithm mind. The time it takes to crack a password using a rainbow table is reduced to the time it takes to look it up in the list..."
"There's an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a faked online banking, payment or other site in order to login and put right some terrible problem with their security..."
5. Social engineering
"A favourite of the social engineer is to telephone an office posing as an IT security tech guy and simply ask for the network access password. You’d be amazed how often this works..."
"A key logger or screen scraper can be installed by malware which records everything you type or takes screen shots during a login process, and then forwards a copy of this file to hacker central..."
7. Offline cracking
"Often the target in question has been compromised via an hack on a third party, which then provides access to the system servers and those all-important user password hash files. The password cracker can then take as long as they need to try and crack the code without alerting the target system or individual user..."
8. Shoulder surfing
"The service personnel ‘uniform’ provides a kind of free pass to wander around unhindered, and make note of passwords being entered by genuine members of staff. It also provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with logins scribbled upon them..."
"Savvy hackers have realised that many corporate passwords are made up of words that are connected to the business itself. Studying corporate literature, website sales material and even the websites of competitors and listed customers can provide the ammunition to build a custom word list to use in a brute force attack..."
"The password crackers best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user generated ‘random’ password is unlikely to be anything of the sort..."
For the complete description of Winder's top ten password cracking methods refer to the full article at PC Pro: