Attacking passwords

Learn about the different ways your password could be found or stolen, so you can better protect yourself.
The obvious ways that attackers can find or steal passwords, such as looking over your shoulder when you’re using an ATM or credit card machine or trying obvious passwords such as ‘abc123’ and ‘password’, are familiar to us.

Almost as long as there have been passwords there have been people attempting to break passwords. One of the oldest methods of automatically breaking into computers is to perform a dictionary attack. As its name suggests, a computer will attempt to log into an account by working its way through one or more dictionaries – each entry in the dictionary is one possible password and if it doesn’t work, the computer moves on to the next.

Dictionaries need not be the A–Z references that we are familiar with: a concerted dictionary attack will also include more specialised reference works such as atlases, lists of astronomical bodies and characters from literature, as well as lists of the most commonly used passwords and lists of stolen passwords that are in widespread circulation.

Dictionary attacks can also be performed on the hashed values of words; they may take a little longer, but they will work. Some system administrators might set up dictionary attacks on their own users’ passwords to try to identify weak passwords that should be changed.

An alternative, simple attack is a brute force attack where a computer will methodically work through all possible passwords (so beginning with ‘A’, then ‘AA’, ‘AB’ and so on …) trying each in turn until it stumbles upon an actual password.

Dictionary and brute force attacks can be foiled by having computers watch for unsuccessful attempts to log in to accounts. Almost all computer systems restrict the number of unsuccessful logins, after which the account is locked and can only be accessed after the intervention of an administrator.
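The two ideas above, a dictionary check run over stored hashes (the audit the text says some administrators perform on their own users) and the failed-login lockout that defeats such guessing, as an added example that is not part of the course material. It assumes a constructed store of the form (salt, SHA-256(salt || password)) and a small constructed dictionary; real systems use dedicated password-hashing functions, which the next step covers.

```python
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed dictionary in the spirit of the text: common words, widely used
# passwords, and a "specialised reference" entry (an astronomical body).
DICTIONARY: List[str] = ["password", "abc123", "letmein", "jupiter", "dragon", "qwerty"]

Record = Tuple[bytes, bytes]  # (salt, digest)


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    """Store a password as (salt, SHA-256(salt || password)); illustrative scheme only."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def audit_weak_passwords(records: Dict[str, Record], dictionary: List[str]) -> Dict[str, str]:
    """Dictionary check over stored hashes: hash each word under each user's salt and
    report {user: word} wherever the result equals the stored digest."""
    weak: Dict[str, str] = {}
    for user, (salt, digest) in records.items():
        for word in dictionary:
            if hashlib.sha256(salt + word.encode()).digest() == digest:
                weak[user] = word
                break
    return weak


class LockoutPolicy:
    """Count failed logins per account and lock it once max_failures is reached."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def attempt(self, user: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"          # stays locked until an administrator intervenes
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


def check_login(records: Dict[str, Record], policy: LockoutPolicy, user: str, password: str) -> str:
    """Verify a login attempt against the store, subject to the lockout policy."""
    salt, digest = records[user]
    return policy.attempt(user, hashlib.sha256(salt + password.encode()).digest() == digest)
```

Because the audit re-hashes every word under every user's salt, the cost grows with users times dictionary size, which is the "a little longer" the text refers to.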

Another type of attack on passwords is based on the incorrect configuration of the hashing technique used to store the passwords on the server, which is discussed in the next step.

© The Open University
This article is from the free online course Introduction to Cyber Security.