Ideally, a password should be a random collection of numbers, symbols, and uppercase and lowercase letters, but few people want to waste time creating a difficult password that they're likely to forget. Instead, most choose easy-to-remember passwords that are ordinary words. To find such simple passwords, hackers have created special password cracking programs that use dictionary files (sometimes called word lists).
Figure 9-5 shows a password-cracking program called Brutus, which tries to break into a website using two files, users.txt and words.txt. The users.txt file contains a list of common user names, and the words.txt file contains common passwords. By mixing and matching different user names and passwords, Brutus can try endless combinations until it finds both a valid user name and the password that works for that user name.
Figure 9-5. The Brutus password cracker can keep mixing various combinations of user names and passwords until it breaks into a website.
A dictionary file simply contains common words that people are likely to use as a memorable password, such as the names of actors, popular cartoon characters, and rock bands; Star Trek jargon; common male and female names; technology-related words; and other words found in most dictionaries.
The password-cracking program takes a word from the dictionary file and tries this word as a password to access a computer. If the first word isn't right, the program tries another word from its dictionary file until it either finds the correct password or runs out of words. Of course, a hacker can keep trying different dictionary files; if a password is an ordinary word, it's only a matter of time before a dictionary attack will find it.
To increase the odds of uncovering a password, some password-cracking programs will try not only every word in a dictionary file, but also subtle variations on each word, such as spelling the word backwards or adding different numbers on the end. So even though a password like SNOOPY12 won't be found in an ordinary dictionary file, the password-cracking program can still uncover this password by manipulating each word in its dictionary file.
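The same variations can be undone on the defending side when a user picks a new password. The following Python sketch is an added example, not code from the original text or from any tool named here; the word list is a small constructed sample, and the function names are hypothetical. It rejects a proposed password if removing added numbers or reversing the spelling yields a dictionary word.

```python
# Constructed sample word list (assumption); a real check would load a
# large dictionary file of the kind described above.
SAMPLE_WORDS = {"snoopy", "spock", "password", "michael", "metallica"}

DIGITS = "0123456789"

def candidate_roots(password):
    """Undo the simple variations and return the possible base words."""
    lowered = password.lower()
    # Remove numbers added to the word. Stripping both ends also covers
    # a numbered word that was then spelled backwards (21YPOONS).
    core = lowered.strip(DIGITS)
    # A word spelled backwards is recovered by reversing it again.
    roots = {lowered, lowered[::-1], core, core[::-1]}
    roots.discard("")
    return roots

def is_dictionary_derived(password, words=SAMPLE_WORDS):
    """True if the password is a dictionary word or a simple variation."""
    return any(root in words for root in candidate_roots(password))

def check_new_password(password, words=SAMPLE_WORDS):
    """Return (accepted, reason) for a proposed password."""
    if is_dictionary_derived(password, words):
        return False, "based on a dictionary word"
    return True, "not found in word list"

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["SNOOPY12", "ypoons", "kcops7", "T4#vq!9zLw"]:
        print(pw, check_new_password(pw))
```

A password that passes this check is not necessarily strong; the check only shows that it is not one of the word-plus-variation forms described above.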
One of the most popular password-cracking tools is John the Ripper (www.openwall.com/john), and one of the largest collections of word lists can be found at the Wordlist Project (www.gattinger.org/wordlists), which offers lists in various languages including English, Spanish, Japanese, and Russian.
To find other password-cracking programs, visit Russian Password Crackers (www.password-crackers.com), AntiOnline (www.antionline.com), and New Order (http://neworder.box.sk).