If you think all of this talk about easily guessed passwords is balderdash, think again. A good number of formal and informal studies have been done to see just how good people are at picking safe passwords.
One such experiment found that out of 3,289 passwords
• 15 were a single ASCII character,
• 72 were two characters,
• 464 were three characters,
• 477 were four characters long,
• 706 were five letters, all of the same case, and
• 605 were six letters, all lower case.
The point being this: That hackers can simply sit down and guess passwords is FACT not FIC-TION. It can be done, and sometimes quite easily.
Another example of the ease with which passwords can be hacked is the Internet worm which squirmed through the net, disabling much of it, in 1988. The worm had two tactics it used to spread itself, one of which was attempting to crack user passwords. It would first try inputting the typical passwords, like login name, a
user's first and/or last names, and other variations of these. If that didn't work, the worm had an internal dictionary of 432 common passwords to try. Finally, both of these methods failing, the worm went to the UNIX system dictionary, attempting each word in turn, until something hopefully worked. As we know, the worm's method worked superbly.
By the way, if you're ever on a UNIX system and need to do a brute force attack to gain higher access, the system dictionary is very helpful. You can find it in a subdirectory called Vusr/dict." The file is called "words." You can also download this file or capture it to another computer, if you need a plaintext dictionary file for use
on other machines. < One problem with using the UNIX dictionary "straight from the box" is that the words it contains do not genuinely reflect words in common English usage. There is a high preponderance of scientific words, due to the manner in which the dictionary was constructed >
