Ways in which passwords are vulnerable
- Many people do not change the default password that comes with computer hardware such as wireless routers and access points, mobile phones and applications. Lists of default passwords are freely available on the Internet and are largely the first passwords tried by automated systems or motivated individuals.
- A password may be guessable if someone chooses a piece of personal information as his or her password. Such items include a student ID number, boyfriend or girlfriend's name, birth date, telephone number, or license plate number. Personal data is now available from various sources, many online, and can often be obtained by someone using social engineering techniques such as posing as an opinion surveyor or simply viewing your public social media accounts.
- A password is vulnerable if it can be found in a list of commonly chosen passwords. Dictionaries, often in computer-readable form, are available for many languages, and lists of passwords are easy to get a hold of. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is readily available.
- A password that is too short, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash (mathematical function which maps values from a large domain into a smaller range) of the password. For example, computers are now fast enough to try all alphabetic passwords shorter than seven characters.