HTML5, CSS3, and JavaScript Fourth Edition

(Ben Green) #1

CHAPTER 24. PASSWORD RECOMMENDATIONS 233


recommended that they include a mix of UPPER- and lower-case letters,
plus digits, plus special characters, and that they be changed frequently.


These days, passwords are almost never stored in plain text by your webhost.
Almost. Be careful who you trust.


http://xkcd.com/792/ has a cute comic about this.


Instead, they store a hash of your password. (The hash is sometimes loosely
called cypher text, but it is not ciphertext in the strict sense: ciphertext
can be turned back into the original message by whoever holds the key, whereas
a hash is designed so that nobody can.) The hash is created by mixing up your
password in a complicated but repeatable way. The mixing is so thorough that
it cannot be undone. A careful webhost also mixes in a random value chosen
separately for each user (a salt), so that two people with the same password
do not end up with the same hash, and uses a deliberately slow mixing
function, so that each guess costs an attacker real time. When you log in,
they take the password you just entered, mix it in the same way, and check
whether the result matches the hash that was stored. If so, you are granted
permission to manage your website.


Hackers sometimes steal copies of these hash tables and then share them.
Once they have your hash, since the mixing cannot be undone, they try lots
of different passwords to see if they can find one that hashes to the same
value. For a short password, this takes very little time. This is also why
the salt matters: without it, one pass over the guesses checks every stolen
hash in the table at once; with it, the work has to be repeated per account.
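The storage-and-login flow described above, as an added example that is not from the book: each account gets a random salt, the password is run through a slow, repeatable mixing function (PBKDF2 from Python's standard library here; the iteration count is an assumption for the example), and login re-mixes the typed password with the stored salt and compares. The webhost never keeps the password itself, and two users with the same password get different records.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Example parameters (assumed for this demonstration; a real deployment tunes
# the iteration count to its hardware and prefers a purpose-built password
# hash such as Argon2, scrypt or bcrypt where available).
ALGORITHM = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt>$<hash>.

    A fresh random salt is drawn on every call unless one is supplied, so the
    same password stored for two users yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-mix the candidate with the stored salt and parameters, then compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme.removeprefix("pbkdf2_")
    digest = hashlib.pbkdf2_hmac(
        algorithm, candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: response timing must not reveal how many
    # bytes of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_user_table(accounts: dict[str, str]) -> dict[str, str]:
    """What the webhost keeps: usernames mapped to hash records, never passwords."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def login(table: dict[str, str], user: str, password: str) -> bool:
    """The check performed when you log in."""
    record = table.get(user)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(record, password)
```

A stolen copy of `table` gives an attacker the salts and the parameters, which is fine: the salt is not a secret, it only forces the guessing work to be redone for every account.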


24.1 Online Password Cracking


Online means across the Internet. All work is done remotely and delays are
common.


This is the most difficult path to password cracking. Each attempt must
cross the network and be processed by the webhost, and most webhosts slow
down or lock an account after a few failed attempts. These delays make
brute-force guessing impractical in an online setting.


Instead, dictionary attacks are used, based on information about you, maybe
learned from your Facebook account. Who are your best friends? Your pets?
Your dates (birthday, anniversary)? Your phone numbers? Your favorite
entertainers?
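An added example (not from the book) of the targeted dictionary the paragraph describes: a constructed profile of the kind someone might assemble from a social-media page is turned into a short, ordered candidate list (names, pet names, dates, phone digits, with common variations and suffixes), and the guessing loop stops after a fixed budget of attempts, as an online attacker facing round-trip delays and lockouts must. The profile data and the mangling rules are assumptions for the illustration.

```python
import itertools
import re

# Constructed profile, not real data: the sort of facts a public account leaks.
PROFILE = {
    "friends": ["Alice", "Bob"],
    "pets": ["Rex"],
    "dates": ["1990-05-14", "2015-06-20"],
    "phones": ["555-0147"],
    "entertainers": ["Bowie"],
}

# A minimal letter-to-digit substitution table (assumed, as one common mangling).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def seed_words(profile: dict) -> list:
    """Turn profile facts into bare tokens: names, digit runs, years, MMDD."""
    words = []
    for kind, values in profile.items():
        for value in values:
            if kind in ("dates", "phones"):
                digits = re.sub(r"\D", "", value)
                words.append(digits)              # 19900514, 5550147
                if kind == "dates":
                    words.append(digits[:4])      # year
                    words.append(digits[4:])      # month and day
            else:
                words.append(value)
    return words


def mangle(word: str) -> list:
    """Common variations people apply to a base word."""
    forms = {word, word.lower(), word.capitalize(), word.upper(),
             word.lower().translate(LEET)}
    return sorted(forms)


def targeted_wordlist(profile: dict, suffixes=("", "!", "1", "123")) -> list:
    """Ordered, de-duplicated candidates: single mangled words first, then
    pairs such as pet name + year, each with a few common suffixes.

    The list is deliberately small: every online attempt costs a round trip
    and may trigger a lockout, so only the most likely guesses are worth it.
    """
    seeds = seed_words(profile)
    singles = [m for w in seeds for m in mangle(w)]
    pairs = [a + b for a, b in itertools.permutations(seeds, 2)]
    candidates, seen = [], set()
    for base in singles + pairs:
        for suffix in suffixes:
            guess = base + suffix
            if guess not in seen:
                seen.add(guess)
                candidates.append(guess)
    return candidates


def guess_online(verify, candidates: list, budget: int):
    """Submit candidates through a login check, stopping after `budget` tries.

    Returns (matching candidate or None, number of attempts used).
    """
    for n, guess in enumerate(candidates[:budget], start=1):
        if verify(guess):
            return guess, n
    return None, min(budget, len(candidates))
```

The defence follows directly from the budget: a few hundred candidates are cheap to try, so the login side should count failures per account and per source address, and the password should not be built from facts anyone can look up.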


24.2 Offline Brute Force Guessing


Offline means without using the Internet. All work can be done on a local
computer without any delays.
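The offline guessing loop of this section, as an added example that is not from the book: the attacker holds a stolen hash and, with no network in the way, enumerates every candidate of length 1, then 2, then 3, and so on, hashing each and comparing. The stolen hash here is an unsalted SHA-256 of a constructed three-character password, the kind of cheap, fast hash a careless webhost might store; the character set is an assumption for the example.

```python
import hashlib
import itertools
import string

# Guessing alphabet: lower-case letters plus digits (assumed for this example;
# a real attacker widens it to upper case and symbols once the short lengths fail).
ALPHABET = string.ascii_lowercase + string.digits


def fast_hash(password: str) -> str:
    """Unsalted, fast hash of the kind a careless webhost might store.

    One SHA-256 call per guess, so an ordinary computer manages millions of
    guesses per second with no network delay at all.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def brute_force(stolen_hash: str, max_len: int = 4):
    """Try every string of length 1, 2, ... max_len until one hashes to stolen_hash.

    Returns (recovered password or None, number of guesses made).
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if fast_hash(guess) == stolen_hash:
                return guess, attempts
    return None, attempts


def keyspace(max_len: int, alphabet: str = ALPHABET) -> int:
    """Total number of candidates up to max_len: the worst-case work for the attacker."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    stolen = fast_hash("cat")  # constructed: a stolen hash of a 3-character password
    print(brute_force(stolen))
    for n in (4, 8, 12):
        print(f"up to {n} characters: {keyspace(n):,} candidates")
```

Every extra character multiplies the worst case by the alphabet size, which is the whole argument for length; a slow, salted hash (as in the login example earlier) multiplies the cost of each individual guess on top of that.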


When they are just guessing, they start with one-letter “words” (including
