Brute-force and dictionary attack, poor hacking tactics
Mr. Das noticed that his boss entered a 5-6 digit password in his personal management project, but Mr. Das saw only the first digit of the password. The next day he generated every possible 5-6 digit combination whose first digit was the one he knew. He used brute-force attacker software to generate and apply the combinations in little time, and he cracked the password.

You can customize the input characters and the password length. For example, for the characters 1,3,a,t,u, some possible combinations would be:
13atu
13aut
13tau
:
atu31
31tua
:
You can supply the input characters to limit the number of candidate words. You can also limit the password length: if you set the length to 4 for the example above, the combinations would be:
3au1
3ta1
:
Why do I call these poor hacking tactics?
A hacker never believes in hit and try. They search for a proper method; there is always some logic behind any step they take. I have hacked locked folders and locked ZIP files too, but I never used any brute-force attacker.
How to protect yourself from brute-force and dictionary attacks
You can't stop people from entering passwords many times, but a programmer can. The points below help both programmers and users avoid such attacks.
Programmer’s point of view
- Lock the account after a fixed number of failed login attempts.
- Block an IP address from which you receive many failed login attempts.
- Increase the interval between two login attempts.
- Don't let users set a password shorter than 6 or 8 characters.
- Ask users to set a password containing alphanumeric and special characters.
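The following is an added example, not code from the original post. It applies the three server-side controls listed above in one login guard: lock an account after a fixed number of consecutive failures, block a source IP that produces many failures, and make the wait between attempts grow after each failure. It also sizes the search space from the story (5-6 digits with the first digit known gives 10^4 + 10^5 = 110,000 candidates) and estimates how long trying all of them would take against one account once the lockout is enforced. All thresholds, the status strings, the in-memory store and the sample credentials are assumptions chosen for the example.

```python
# Added example (not from the original post): login guard implementing
# account lockout, IP blocking and a growing interval between attempts.
from dataclasses import dataclass
from typing import Dict
import hmac

MAX_ACCOUNT_FAILURES = 5        # lock the account after this many consecutive failures
ACCOUNT_LOCK_SECONDS = 15 * 60  # how long the account lock lasts
MAX_IP_FAILURES = 20            # block a source address after this many failures
IP_BLOCK_SECONDS = 60 * 60      # how long the IP block lasts
BASE_DELAY_SECONDS = 1          # the wait doubles with every consecutive failure


@dataclass
class FailureState:
    count: int = 0              # consecutive failures seen for this account or IP
    blocked_until: float = 0.0  # time until which the subject is locked or blocked
    next_allowed: float = 0.0   # earliest time at which a new attempt is accepted


class LoginGuard:
    def __init__(self, credentials: Dict[str, str]):
        # Constructed credential store (username -> password) for the demo only;
        # a real system stores salted password hashes, never plaintext.
        self._credentials = credentials
        self._accounts: Dict[str, FailureState] = {}
        self._ips: Dict[str, FailureState] = {}

    def attempt(self, username: str, ip: str, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds) and return a status."""
        acct = self._accounts.setdefault(username, FailureState())
        src = self._ips.setdefault(ip, FailureState())
        if src.blocked_until > now:
            return "ip_blocked"
        if acct.blocked_until > now:
            return "account_locked"
        if acct.next_allowed > now:
            return "too_soon"       # enforce the growing interval between attempts
        # Unknown users take the same path as wrong passwords, so the response
        # does not reveal which usernames exist. compare_digest avoids timing leaks.
        expected = self._credentials.get(username, "")
        if username in self._credentials and hmac.compare_digest(expected.encode(), password.encode()):
            acct.count = 0
            acct.next_allowed = 0.0
            return "ok"
        acct.count += 1
        src.count += 1
        acct.next_allowed = now + BASE_DELAY_SECONDS * 2 ** (acct.count - 1)
        if acct.count >= MAX_ACCOUNT_FAILURES:
            acct.blocked_until = now + ACCOUNT_LOCK_SECONDS
            acct.count = 0
        if src.count >= MAX_IP_FAILURES:
            src.blocked_until = now + IP_BLOCK_SECONDS
            src.count = 0
        return "denied"


def candidates_with_known_prefix(alphabet_size: int, min_len: int, max_len: int, known: int = 1) -> int:
    """Number of passwords of every length from min_len to max_len over an
    alphabet of alphabet_size symbols when the first `known` symbols are fixed."""
    return sum(alphabet_size ** (length - known) for length in range(min_len, max_len + 1))


def days_to_exhaust(candidates: int) -> float:
    """Days needed to try every candidate against one account while the lockout
    and backoff above are enforced (a single account and source, no other limits)."""
    backoff = sum(BASE_DELAY_SECONDS * 2 ** i for i in range(MAX_ACCOUNT_FAILURES - 1))
    cycle_seconds = backoff + ACCOUNT_LOCK_SECONDS  # one cycle yields MAX_ACCOUNT_FAILURES tries
    attempts_per_day = MAX_ACCOUNT_FAILURES * 86400 / cycle_seconds
    return candidates / attempts_per_day


if __name__ == "__main__":
    space = candidates_with_known_prefix(10, 5, 6)   # the story: digits, 5-6 long, first digit known
    print(f"{space} candidates, about {days_to_exhaust(space):.0f} days under lockout")
```

The guard checks the IP block first, then the account lock, then the per-account interval, so a blocked source never learns whether the account it targets is locked. With these constants, one account yields five attempts per roughly 915 seconds, so the 110,000 candidates from the story take several months instead of minutes.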
User’s point of view
- Password length must be more than 6-8 characters.
- Your password must not be a dictionary word.
- Use alphanumeric and special characters in your password.
- Don't use a password like your PAN number or mobile number, or anything else that can be guessed easily.
- Change your password regularly, once a month or as you prefer.
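The following is an added example, not code from the original post. It turns the user-side points above into a policy check a registration form could run: minimum length, letters plus digits plus special characters, no dictionary word (also after undoing common letter-for-symbol substitutions such as "0" for "o"), and nothing that embeds a personal identifier such as a mobile or PAN number. The threshold of 8 characters, the tiny word list, the substitution table and the sample passwords are assumptions constructed for the example.

```python
# Added example (not from the original post): password policy check.
import string

MIN_LENGTH = 8   # assumption; the post suggests 6-8

# Constructed mini word list; a real check loads a full dictionary and a
# breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey",
              "qwerty", "sunshine", "secret"}

# Common substitutions people use to disguise a dictionary word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

EDGE_CHARS = string.digits + string.punctuation + " "


def dictionary_forms(password: str) -> set:
    """Forms of the password to compare with the word list: lower-cased with
    digits/punctuation stripped from the ends, before and after undoing the
    substitutions, so 'P@ssw0rd' and 'secret99' both reduce to a list word."""
    lowered = password.lower()
    stripped = lowered.strip(EDGE_CHARS)
    return {stripped, stripped.translate(LEET), lowered.translate(LEET).strip(EDGE_CHARS)}


def check_password(password: str, personal_identifiers=()) -> list:
    """Return the list of policy violations (empty when the password is acceptable)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    if not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    if dictionary_forms(password) & DICTIONARY:
        violations.append("based on a dictionary word")
    lowered = password.lower()
    # Identifiers the user supplied at sign-up (phone, PAN, date of birth ...)
    # must not appear inside the password; very short ones are ignored.
    if any(len(ident) >= 4 and ident.lower() in lowered for ident in personal_identifiers):
        violations.append("contains a personal identifier")
    return violations


def is_acceptable(password: str, personal_identifiers=()) -> bool:
    return not check_password(password, personal_identifiers)


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Tr0ub4dor&3", "rahul9876543210!"]:
        # "9876543210" is a constructed sample mobile number
        print(candidate, check_password(candidate, ["9876543210"]))
```

Returning every violation at once, rather than stopping at the first, lets the form tell the user everything they need to change in a single round trip.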
Remember that brute-force and dictionary attacks are not the only way to hack your password. The worst technique for users is a keylogger, and for programmers it is SQL injection.