A proper password is the primary key for establishing the first line of defense for any network. Just like a regular key, it must be difficult to forge, it should be kept safe because it's extremely easy to make "a replica", and it should be used! The latter means that if you leave something unlocked, then having a key (or password) is meaningless. Intruders typically rely on these three methods of getting your password:
1. Dictionary attack: guessing your password via thousands of tries (if not millions). Most people have a natural tendency to pick a familiar word and make it their password. There are many exhaustive password dictionaries carrying the most popular choices and their variations. For example:
- Nimda (reverse of Admin)
- Tarheel 1 (a very frequent pick by UNC graduates)
If one happens to be not so original, this most primitive method allows an intruder to set a computer to try numerous logins with "dictionary based" passwords, and sooner or later the machine will guess the correct one.
2. Brute force attack: it is possible to crack any password given enough attempts (time), simply because one can exhaust all possible combinations of letters, symbols and numbers that are allowed in passwords. The only problem with this method is that the amount of time required to reach the right combination grows exponentially with the length of the password AND the number of allowed characters. For instance: if a password is 4 characters long and consists of only digits (10 options), it would take any modern computer an instant to run through all variations. However, if a password is 20 characters long and is made of digits (10), case-sensitive letters (56) and symbols (~10), then the computer has to go through an enormous number of variations before it reaches the right combination (76^20), which is an unacceptable amount of time to break even for a super-computer.
3. Spying, Eavesdropping, Stealing: the most casual, down-to-earth scenario of all. Let's say there is a notepad or a file with a list of all passwords; now the intruder's cyber task is transformed into a physical one, which can be much simpler (a much smarter way to store passwords is to use a password manager). One can also watch fingers as they type a password, eavesdrop on a private conversation revealing a password, etc.
4. Sniffing attack (spying, eavesdropping): it is the fastest one, provided that the intruder has access with high enough privileges to a computer used by a victim for logging on. The intruder would deploy a resident program nicknamed a Sniffer (many, many variations are widely available). Such a program would record all keystrokes made by everyone using the computer. After a short period of fishing, the logs of the keystrokes are retrieved and it's fairly easy to locate the password sequence from that.
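
The dictionary and brute force items above can be turned into a defensive password audit. The following is an added example, not part of the original article: it flags passwords derived from a dictionary word by the variations the text mentions (reversal, a padded digit) and otherwise estimates exhaustive-search time. The wordlist, the printable-ASCII character pools and the guess rate of 10^10 per second are assumptions of this example.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a large dictionary file.
WORDLIST = {"admin", "password", "tarheel", "welcome"}
# Assumption: printable-ASCII pools (26 + 26 letters, 10 digits, 33 symbols).
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")
SECONDS_PER_YEAR = 365 * 24 * 3600


def dictionary_base(password, wordlist=WORDLIST):
    """Return the word a password is derived from, or None.

    Handles the variations named in the text: a reversed word ("Nimda")
    and a word padded with digits, spaces or symbols ("Tarheel 1").
    """
    core = password.lower().strip(string.digits + string.punctuation + " ")
    for candidate in (core, core[::-1]):
        if candidate in wordlist:
            return candidate
    return None


def alphabet_size(password):
    """Size of the smallest combination of pools covering the password."""
    if not password.isascii() or not password.isprintable():
        raise ValueError("this example only models printable ASCII")
    return sum(len(p) for p in POOLS if any(c in p for c in password))


def audit(password, guesses_per_second=1e10):
    """Classify a password and, if needed, estimate exhaustive-search time.

    guesses_per_second is an assumed attacker speed, not a measured one.
    """
    base = dictionary_base(password)
    if base is not None:
        return {"verdict": "dictionary", "base": base}
    keyspace = alphabet_size(password) ** len(password)
    years = keyspace / guesses_per_second / SECONDS_PER_YEAR
    return {"verdict": "brute-force only", "keyspace": keyspace,
            "bits": round(math.log2(keyspace), 1), "years": years}


if __name__ == "__main__":
    for pw in ("Nimda", "Tarheel 1", "4821", "q7#Lm2!xVb9@Tz4&Kp6%"):
        print(repr(pw), audit(pw))
```

A password flagged as "dictionary" should be rejected regardless of its length, because its effective search space is the size of the wordlist times a handful of variations, not the full keyspace.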