Cracking Dictionaries: A Hacker's Guide For Password Thievery

Many businesses struggle with password security, especially when employees don’t take it as seriously as they should. Human nature being what it is, staff who don’t use password-smarts at home are likely to bring that same behavior to work. The reality is that 60% of small-to-medium-sized businesses close within six months of a cyberattack and the average financial cost per businesses is $200,000. With statistics like these, one would think that fortified passwords should be mandatory and not an exception. But true to form, hackers have found a way to make password hacking much easier than it already is. Password “cracking dictionaries” are easy to find and easy to use, and most bad actors can undo a company’s efforts to bolster password security with little effort on their part.

In response to weak passwords, companies have been “hashing” them, so they are more difficult to hack. Hashing is a critical security measure allowing businesses to scramble their passwords and make them tougher to hack. “Cracking dictionaries,” on the other hand, provide an easy way for hackers to un-scramble those hashed passwords. Available online, these dictionaries compile large lists of data that provide common and exposed passwords, including many versions of a password, until it’s eventually cracked.

Enterprise has security options that can help mitigate the password problem. They can monitor passwords to determine if they are strong or not, or if they’ve already been exposed in a data breach. In addition, enterprise password security can be achieved in other ways.

• Passwords should be long (at least 8 characters) and stored in strong hashing algorithms. They should also be “salted.” Salting adds a random value to the end of a password, making it more difficult for cracking dictionaries to work.

• The desire for an easily remembered password leads staff to use common words, and the misconception that it’s “unique” leads to many weak passwords.

• A company name or specific product names should never be used in passwords.

• Staff should not use ties to their personal information in their passwords.

• Staff should not use or reuse passwords that may have been compromised or exposed in a data breach.

Following these guidelines should help your organization encourage stronger passwords from employees.