While movies frequently portray the hacker as a command-line cowboy, fingers flying across the keyboard as they work their computer magic against whatever foe they’re facing, hacking in reality is much more mundane. Directed attacks against specific entities are rare, and usually only attempted against large corporations, government agencies, and public figures. For the rest of us, hacking works more like fishing. Through social engineering (such as those scams where someone calls you and pretends to be from Microsoft) or Trojan infected emails, hackers cast wide nets and deal with whatever unsuspecting users are caught.
When the occasion comes that an impenetrable fortress wall must be penetrated, the hacker’s tools are frequently just as mundane. Far from keyboard wizardry, the standard methods for gaining unauthorized access are often inelegant; less like a lockpick, more like a battering ram.
THE BRUTE FORCE BATTERING RAM
Let’s apply Occam’s Razor here: If you want access to something behind a password prompt, what is the most obvious action you’d attempt? Unless you’re overthinking the problem, you’d probably just guess at the password. While this may seem a bit too obvious, it’s exactly what hackers often try first. However, it’s unlikely they’d sit at their computers, throwing repeated guesses at the wall. Instead, they have programs that do it for them.
Such a program is known as a brute force attack, or more pompously as a cryptanalytic attack, and it functions entirely on trial and error. It works by attempting every possible combination of letters, numbers, and punctuation that could make up a password. This task would be monumental, if not impossible, for a human to attempt, but with a program that does it for you, all a hacker has to do is sit back and wait for one of the passwords to be successful.
As you can imagine, this may take a great deal of time, even for a program to run through, and that’s entirely true. The longer and more complex that a password is, the longer it takes to be brute forced. Even for the fastest key-breakers, it could take decades for a particularly complicated password to be cracked.
WHEN DICTIONARIES ATTACK
The obvious solution to the problem is to start by guessing more likely password possibilities, which is where the dictionary attack comes in. Whereas a standard brute force method tries every possible sequence systematically, a dictionary attack tries the most likely solutions first before moving onto the more obscure. True to its name, this typically involves starting with standard words found in the dictionary.
In a world of near infinite passwords, the dictionary attack may seem like a technique only marginally better than its blunter cousin, but consider how many people in the world actually do use simple words from the dictionary as the password to their all-important documents. The most widely used passwords are either simple sequences of numbers (12345) or common words like “welcome” or “password”. I’m not judging here, but is it possible that one or more of your passwords are just a single lowercase word?
REINFORCING THE DOOR
Whenever you go to create a new password and are told to throw in some capital letters, numbers, or punctuation, the system telling you this isn’t trying to criticize. The best defense against a brute force attack is a complex password; the more complex the better, and avoiding words that can be found in the dictionary is ideal. In fact, there are websites out there devoted to judging the theoretical time it would take to crack your password.
The best methods for defeating unauthorized access are typically the simple ones. Multi-factor authentication (though annoyingly inconvenient) is becoming common, and websites are becoming stricter about their password requirements. While it can be difficult to remember which vowels you replaced with numbers, it goes a long way to thwarting a hacker who, for some reason or another, has targeted you specifically. Plus, if you forget your password, there’s always a button that let’s you reset it.