It’s absolutely helpful to understand the basics of how passwords are stolen. Consider two situations.
First case is when a password is practically given away. It was written down and easily found, or handed out in reply to a fake email or phone call that seems to come from someone trusted, like, your bank or your IT department at work.
The second case is tougher. Passwords are encrypted when stored on company servers, so they can’t be read. So, bad hackers steal the data—encrypted passwords, usernames, and so on—and then try to decrypt (crack) the passwords.
This is what’s happening when you hear about data breaches where millions of accounts are stolen from big companies.
Password cracking is done on the hackers’ own computers. These could be normal PCs, or super powerful ones that can try billions (or even trillions) of combinations a second. Yep, billions. A second.
The easier approach to password cracking is called a dictionary attack, which just means trying a whole lot of likely possibilities. This could be every word in a regular dictionary, thousands of popular pet names, or a list of common passwords. When millions of passwords are stolen and cracked, they become dictionaries for future use.
If you make your passwords not obvious, dictionary attacks will fail. It’s that simple.
Next, bring on the more intense brute force attack, where every possible combination of characters is tried, really fast. That’s like, “a”, “ab”, “ac”, and so on. A lot of possibilities versus billions of tries a second.
Eventually, brute force will work. The key is, “eventually”.
If it would take years, decades or centuries for today’s faster computers to guess, then the password wins.
A password that has so many possible combinations, it would take centuries to crack…that’s the way to go. And that’s surprisingly easy to do, as you’ll see next lesson.