In-depth

Password-cracking techniques – Brute force attack, Dictionary attack, Mask attack

Some of the most common, and most effective, methods for stealing passwords

20 Oct 2020

A list of poorly-constructed passwords on a notepad

Shutterstock

Although many attacks today involve attempts to trick users into handing over their sensitive data, there are plenty of techniques available that allow hackers to be a little more aggressive.

Below are a few examples of some of the tactics used to proactively hunt for passwords, techniques that have only grown more effective with the growth of automation software.

4. Brute force attack

A sledgehammer smashing through a white wall

.imgHideOnJavaScriptDisabled_134ww3qkoc7ornc { display: none !important; }

Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.

A simple example of a brute force attack would be a hacker simply guessing a person’s password based on relevant clues, however, they can be more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess associated usernames.

Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.

5. Dictionary attack

Sticky notes on a monitor displaying assorted passwords

.imgHideOnJavaScriptDisabled_134ww3qkoc7orni { display: none !important; }

The dictionary attack is a slightly more sophisticated example of a brute force attack.

This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.

This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.

6. Mask attack

Abstract image of glowing binary in red and blue

.imgHideOnJavaScriptDisabled_134ww3qkoc7ornk { display: none !important; }

Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.

For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.

The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.

The next page details some of the lesser-known password cracking techniques – at least those that rarely make the news