Password-cracking techniques – Brute force attack, Dictionary attack, Mask attack

Although many attacks today involve attempts to trick users into handing over their sensitive data, there are plenty of techniques available that allow hackers to be a little more aggressive.

Below are a few examples of some of the tactics used to proactively hunt for passwords, techniques that have only grown more effective with the growth of automation software.

4. Brute force attack

Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.

A simple example of a brute force attack would be a hacker simply guessing a person’s password based on relevant clues, however, they can be more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess associated usernames.

Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.

5. Dictionary attack

Shutterstock

The dictionary attack is a slightly more sophisticated example of a brute force attack.

This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.

This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.

6. Mask attack

Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.

For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.

The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.

The next page details some of the lesser-known password cracking techniques – at least those that rarely make the news

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download