Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May

Poor Password Selection

When left to their own devices, users generally do not choose complex passwords[5]; they tend to choose easy-to-crack dictionary words because those are easy to remember. Occasionally an attempt is made at complexity by concatenating two words or appending a number. In many cases the word or words chosen are also related to, or drawn from the context of, the user themselves, such as a pet's name, a phone number, or a birth date.

Passwords of this kind require far less effort to crack than a brute-force trial of the entire space of possible passwords. An optimized dictionary attack tries common words and phrases first, then applies the same transformations users apply (appended digits, capitalization, two-word concatenation, words taken from the target's personal context), and this ordering usually leads to success long before the search space is exhausted. Because the success rate is so high, most modern attacks on authentication systems begin by guessing the password and fall back to brute force, or to an in-depth attack on the authentication mechanism itself, only when guessing fails.
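The following is an added example, not code from the article, that shows why guess ordering matters. It generates candidates cheapest-first (bare dictionary words, then word+number, then two-word concatenations, each with the usual case variants), checks them against a stolen salted SHA-256 hash, and compares the number of guesses needed with the size of an exhaustive search. The wordlist, the target's "context" (pet name, birth year, phone number) and the victim password `fluffy1985` are all constructed for the example; a real attack would use a full dictionary and a rule engine such as the one in John the Ripper, but the ordering principle is the same.

```python
import hashlib
import itertools

# Constructed stand-in for a real dictionary file (tens of thousands of
# entries in practice); only the ordering matters for the demonstration.
COMMON_WORDS = ["password", "letmein", "welcome", "monkey", "dragon",
                "summer", "secret", "admin", "qwerty", "football"]

# Constructed per-target context: the kind of data an attacker collects from
# a profile page, a social-media account or a phone book.
CONTEXT = {
    "pet": "fluffy",
    "first_name": "alice",
    "birth_year": "1985",
    "phone": "5551234",
}

# Digits and years users most often bolt onto a word.
COMMON_SUFFIXES = ["1", "12", "123", "!", "2007"]


def mangle(word):
    """Yield the case variants of a word in the order attackers try them."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(words, context):
    """Return guesses cheapest-first: bare words, then word+number, then
    two-word concatenations. Duplicates are removed so the count is honest."""
    names = [v for v in context.values() if not v.isdigit()]
    numbers = [v for v in context.values() if v.isdigit()]
    base = list(words) + names
    ordered = []
    # Tier 1: bare dictionary words and bare context words.
    for w in base:
        ordered.extend(mangle(w))
    # Tier 2: word + number, generic suffixes before personal numbers.
    for w in base:
        for n in COMMON_SUFFIXES + numbers:
            ordered.extend(mangle(w + n))
    # Tier 3: two words concatenated (order-sensitive, hence permutations).
    for a, b in itertools.permutations(base, 2):
        ordered.append(a + b)
    return list(dict.fromkeys(ordered))


def hash_password(salt, password):
    """Salted SHA-256, standing in for whatever the target system stores."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash, salt, words=COMMON_WORDS, context=CONTEXT):
    """Return (password, guesses_made), or (None, guesses_made) on exhaustion."""
    guesses = 0
    for guess in candidates(words, context):
        guesses += 1
        if hash_password(salt, guess) == target_hash:
            return guess, guesses
    return None, guesses


def brute_force_space(alphabet_size, length):
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    salt = b"0123"
    # Constructed victim password: pet name + birth year, as in the text.
    stolen = hash_password(salt, "fluffy1985")
    pw, n = dictionary_attack(stolen, salt)
    print(f"recovered {pw!r} after {n} guesses")
    print(f"exhaustive search of 10 chars over [a-z0-9]: "
          f"{brute_force_space(36, 10)} guesses")
```

The tiered generator finds `fluffy1985` within a few hundred guesses, while the exhaustive space for a ten-character lowercase-plus-digit password is 36^10, roughly 3.6 × 10^15. A password that is not a mangled dictionary or context word (the random string in the test below) survives the whole candidate list, which is exactly the point at which an attacker has to fall back to brute force.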