He attacked me with a dictionary!

by Jo Brodie and Paul Curzon, Queen Mary University of London

Lots of letters. From PIXABAY.com

You might be surprised at how many people have something short, simple (and stupid!) like 'password' as their password. Some people add a number to make it harder to guess ('password1') but unfortunately that doesn't help. For decades the official advice was to use a mixture of lower (abc) and upper case (ABC) characters as well as numbers (123) and special characters (such as & or ^); official guidance has since moved away from these composition rules, for exactly the reason that follows. To meet the rules some people substitute numbers or symbols for letters (for example 0 for O, 4 for A, ^ for R and so on). Following them might lead you to create something like "P4ssW0^d1", which looks like it might be difficult to crack, but isn't. The problem is that people tend to use the same few substitutions, so password-cracking programs can predict them, generate them from the plain word, and so break them too.

Hackers know the really common passwords people use, like 'password', 'qwerty' and '12345678', so they will try those first as a matter of course, and very quickly come across one of the many suckers who used one. Even apparently less obvious passwords can be easy to crack, though. The classic algorithm used is a 'dictionary attack'.

The simple version of this is to run a program that tries each word in a dictionary file (crackers call it a 'wordlist') one at a time as the password until it finds a word that works. Checking a single word takes a computer a tiny fraction of a second, so it gets through a whole dictionary in seconds. If the attacker has stolen a list of scrambled ('hashed') passwords from a website, they don't even have to go through the login page: they can test guesses on their own machine, millions per second, with nothing to slow them down. Using foreign words doesn't help, as hackers make dictionaries by combining those for every known language into one big universal dictionary. That might seem like a lot of words, but it's not for a computer.

You might think you can use imaginary words from fiction instead - names of characters in Lord of the Rings, perhaps, or the names of famous people. However, it is easy to compile lists of words like that too and add them to the password cracking dictionary. If it is a word somewhere on the web then it will be in a dictionary for hacking use.

Going a step further, a cracking program can take all these words and create versions with numbers added, 4 swapped for A, the first letter capitalised, and so on. Cracking tools call these 'mangling rules', and the new potential passwords they generate become part of the attack dictionary too. More can be added by taking short words and combining them, especially ones that appear in well known phrases like 'starwars' or 'tobeornottobe'.
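Here is what a dictionary attack with mangling rules looks like in practice. This is an added example written for this article, not code from the original page: the wordlist, the substitution table, the list of suffixes and the 'stolen' password hashes are all constructed for the demo. It scrambles guesses with plain SHA-256, standing in for a website that stored password hashes without a slow, salted password hash, and reports how many guesses it took to hit each target.

```python
"""Toy dictionary attack with mangling rules (added example, not the page's code).

Everything below is constructed for the demonstration: the wordlist, the
leet-speak table, the suffixes and the target hashes. Real cracking tools
(John the Ripper, hashcat) do exactly this, but with wordlists of hundreds of
millions of entries and thousands of rules.
"""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed stand-in for the "universal dictionary": common passwords,
# real words and names from fiction, all in one list.
BASE_WORDS = ["password", "qwerty", "gandalf", "dragon", "star", "wars", "sun"]

# The substitutions people reuse, so crackers can predict them.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "r": "^"}

# Things people bolt onto the end to satisfy "add a number or symbol" rules.
SUFFIXES = ["", "1", "123", "!", "2024"]

# Only short words get glued together ('star' + 'wars'), to keep the list sane.
MAX_COMBINE_LEN = 4


def char_options(c: str) -> list:
    """Every form one character can take: as written, upper case, leet."""
    opts = [c]
    if c.upper() != c:
        opts.append(c.upper())
    if c.lower() in LEET:
        opts.append(LEET[c.lower()])
    return opts


def mangle(word: str) -> Iterator[str]:
    """Yield every case/leet variant of word, each with every suffix.

    itertools.product emits the unmodified word first, so the cheapest
    guesses are tried before the exotic ones.
    """
    per_char = [char_options(c) for c in word]
    for combo in itertools.product(*per_char):
        variant = "".join(combo)
        for suffix in SUFFIXES:
            yield variant + suffix


def wordlist(base_words: list) -> list:
    """Base words plus concatenations of the short ones ('starwars')."""
    short = [w for w in base_words if len(w) <= MAX_COMBINE_LEN]
    combos = ["".join(pair) for pair in itertools.permutations(short, 2)]
    return list(base_words) + combos


def candidates(base_words: list = BASE_WORDS) -> Iterator[str]:
    """The full attack dictionary: every word, mangled every way, no repeats."""
    seen = set()
    for word in wordlist(base_words):
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, standing in for a badly stored password hash."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, base_words: list = BASE_WORDS) -> Tuple[Optional[str], int]:
    """Return (password, guesses_tried); password is None if it isn't in the list."""
    tried = 0
    for cand in candidates(base_words):
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed "stolen" hashes of a few passwords of varying quality.
    for pw in ["password", "P4ssW0^d1", "StarWars123", "correct horse battery staple"]:
        found, n = crack(sha256_hex(pw))
        status = "cracked" if found else "not in dictionary"
        print(f"{pw!r}: {status} after {n} guesses")
```

Seven base words turn into tens of thousands of guesses once the rules are applied, and "P4ssW0^d1" falls out of the plain word 'password' in well under a second. The only passwords the loop never reaches are the ones that aren't a mangled dictionary word at all. Note also what the website's choice of hash does to the attacker: with a slow, salted password hash such as bcrypt or Argon2 each guess costs thousands of times more than a SHA-256, which is why sites are told to use them, though it still won't save 'password1'.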

The list gets bigger and bigger, but computers are fast, and hackers are patient, so that's no big deal for them...so make sure your password isn't in their dictionary! In practice that means something long that no rule can build from a dictionary word: several unrelated words strung together, or a random password that a password manager generates and remembers for you.