Attacking passwords

Learn about the different ways your password could be found or stolen, so you can better protect yourself.
© The Open University

The obvious ways that attackers can find or steal passwords, such as looking over your shoulder when you’re using an ATM or credit card machine or trying obvious passwords such as ‘abc123’ and ‘password’, are familiar to us.

Almost as long as there have been passwords there have been people attempting to break passwords. One of the oldest methods of automatically breaking into computers is to perform a dictionary attack. As its name suggests, a computer will attempt to log into an account by working its way through one or more dictionaries – each entry in the dictionary is one possible password and if it doesn’t work, the computer moves on to the next.

Dictionaries need not be the A–Z references that we are familiar with: a concerted dictionary attack will also include more specialised reference works such as atlases, lists of astronomical bodies and characters from literature, as well as lists of the most commonly used passwords and lists of stolen passwords that are in widespread circulation.

Dictionary attacks can also be performed on the hashed values of words; they may take a little longer, but they will work. Some system administrators might set up dictionary attacks on their own users’ passwords to try to identify weak passwords that should be changed.

An alternative, simple attack is a brute force attack where a computer will methodically work through all possible passwords (so beginning with ‘A’, then ‘AA’, ‘AB’ and so on …) trying each in turn until it stumbles upon an actual password.

Dictionary and brute force attacks can be foiled by having computers watch for unsuccessful attempts to log in to accounts. Almost all computer systems restrict the number of unsuccessful login attempts, after which the account is locked and can only be accessed after the intervention of an administrator.
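A minimal version of the lockout check described above, as an added example that is not part of the article: it counts consecutive failed logins per account over constructed log lines, locks the account once a threshold is reached, and refuses further attempts (even a correct guess) until an administrator intervenes. The log format, the threshold of five and the function name are assumptions for illustration.

```python
"""Added example (not from the FutureLearn/Open University article): a minimal
account-lockout monitor of the kind the text describes, run over constructed
authentication log lines. The log layout and threshold are assumed."""
import re
from collections import defaultdict

# Lock an account after this many consecutive failures (threshold is assumed).
MAX_FAILURES = 5

# Constructed log format: "<timestamp> <user> <LOGIN_OK|LOGIN_FAIL>"
LOG_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def process_log(lines, max_failures=MAX_FAILURES):
    """Return (locked_accounts, rejected_attempts).

    locked_accounts: usernames whose consecutive failure count reached
    max_failures. rejected_attempts: attempts (including ones with the right
    password) refused because the account was already locked. A successful
    login resets the counter, as a consecutive-failure policy does."""
    failures = defaultdict(int)
    locked = set()
    rejected = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash
        ts, user, outcome = m.groups()
        if user in locked:
            # A locked account needs an administrator to unlock it; further
            # guesses are refused whether or not the password is correct.
            rejected.append((ts, user, outcome))
            continue
        if outcome == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
        else:
            failures[user] = 0
    return locked, rejected

# Constructed sample: a dictionary run against 'alice', ordinary use by 'bob'.
SAMPLE_LOG = [
    "10:00:01 bob LOGIN_FAIL",
    "10:00:05 bob LOGIN_OK",
    "10:01:00 alice LOGIN_FAIL",
    "10:01:01 alice LOGIN_FAIL",
    "10:01:02 alice LOGIN_FAIL",
    "10:01:03 alice LOGIN_FAIL",
    "10:01:04 alice LOGIN_FAIL",
    "10:01:05 alice LOGIN_OK",   # the guess that would have worked arrives too late
    "10:02:00 bob LOGIN_FAIL",
]

if __name__ == "__main__":
    locked, rejected = process_log(SAMPLE_LOG)
    print("locked:", sorted(locked))
    print("rejected after lock:", rejected)
```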

Another type of attack on passwords is based on the incorrect configuration of the hashing technique used to store the passwords on the server, which is discussed in the next step.

This article is from the free online course Introduction to Cyber Security.