If an attacker doesn’t know your password, they can try every possible combination in a brute force attack. In this video, you’ll learn about brute force and dictionary attacks.
<< Previous Video: Wireless Deauthentication Next: VLAN Hopping >>
If you are trying to reverse engineer someone’s password, one of the best ways to do this is with a dictionary attack. People tend to use common words as their passwords. And if you could get the most common words and try those first, you’ve got a better chance of finding those passwords very quickly.
You can find many lists on the internet that have the most common passwords that people have used– words like password and ninja and football tend to be in the top five or top 10 of passwords that people will use. You’ll find those word lists customized by language. Sometimes there’s line of work.
And if you’re someone who’s trying to audit your own passwords, you may want to have a look at some of those lists and try a brute force yourself. This will catch people that are using common words. It will catch the people that aren’t putting a lot of thought into their password.
But you’ll still need to use other types of password attacks if you plan on catching people who are very secure with their passwords. With a brute force attack, you don’t use a dictionary. Instead, you’re using every possible combination of letters, special characters, and numbers to try to determine what someone’s password might be.
If you’re trying to use a brute force attack online, it can be very difficult. It’s a slow process, and most systems detect when somebody is using the wrong password over and over, and they either slow down or completely disable an account. Instead, it’s much easier if you can gain access to that file that contains the hash passwords.
That way, you can take it offline and run it through an automated process where you don’t have the slowdowns or any type of disabling of account that you have to deal with. You can calculate a hash, compare it to what’s stored, and see if you can determine what those passwords might be.
This may take a lot of computing power to calculate all of these hashes, but at least you know you’re going through every possible combination and you will be able to determine what that password is.