Complex passwords comprised of alphanumeric characters are more difficult to crack. However, even with complex passwords, powerful computers can use brute force to compare all possible combinations of characters until a match is found. Of course, if attackers can create their own passwords in a system, they do not need to guess a legitimate one.
|“|| A password-cracking program does not actually "decrypt" the passwords. The CPU time it would take to decrypt even one password would make this approach unfeasible. What a typical cracking utility will do is accept individual words from a "dictionary" (a list of words that could be used as passwords). The program then encrypts the individual words, and the encrypted value is compared to the captured password file. Because many users are known to choose weak passwords, it is not long before an attacker has a list of passwords that can be used to enter the target system.
There are many different cracking programs available, but they typically run through a series of stages:
- ↑ Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime, at 21-22.
- Information Security—Computer Attacks at Department of Defense Pose Increasing Risks: A Report to Congressional Requesters, at 13.