[personal profile] thewayne
User passwords, particularly on Unix/Linux servers, are stored in a single file. The user name is typically stored in clear text, then the password is run through an encryption algorithm, usually with a value called a salt added to the password. But the salt is not always added, which makes passwords more vulnerable. One method of attacking such a password list is known as a dictionary attack. There are files available online that contain a BILLION passwords that have been shunted through the encryption algorithm; then it's just a matter of matching them against entries in the password file that you stole.

Ars Technica submitted a file of 16,000 passwords to three security experts, "and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours."

The attackers are now using a multiple dictionary attack. If you use a strong root word plus a designator word, you're not as strong as you thought. "Steube was able to crack 'momof3g8kids' because he had 'momof3g' in his 111 million dict and '8kids' in a smaller dict.
'The combinator attack got it! It's cool,' he said."


Schneier goes on to suggest what appears to still be a strong password system: making up a sentence that is significant to you. It's a simple method and he explains it in the article.

http://bruce-schneier.livejournal.com/1210052.html
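
The combinator case quoted above, turned into a defender-side check for a set-password policy hook. This is an added example, not code from the original post or the linked article. It flags a candidate password that splits into one entry from each of two wordlists. The wordlists are tiny constructed stand-ins and the function names are hypothetical.

```python
"""Flag candidate passwords that a two-wordlist combinator pass would cover."""

# Constructed sample wordlists: stand-ins for a large dictionary and a
# smaller one. A real deployment would load its own lists from files.
LARGE_DICT = {"momof3g", "password", "letmein", "dragon"}
SMALL_DICT = {"8kids", "123", "2013", "!"}


def combinator_splits(candidate, left_words, right_words):
    """Return every (left, right) split of candidate where the left part
    is in left_words and the right part is in right_words."""
    splits = []
    for i in range(1, len(candidate)):
        left, right = candidate[:i], candidate[i:]
        if left in left_words and right in right_words:
            splits.append((left, right))
    return splits


def audit(candidate, large=LARGE_DICT, small=SMALL_DICT):
    """Classify a candidate password against the two wordlists."""
    if candidate in large or candidate in small:
        return "reject: single dictionary entry"
    # Either list can supply the left half, so check both orders.
    if (combinator_splits(candidate, large, small)
            or combinator_splits(candidate, small, large)):
        return "reject: two dictionary entries joined"
    return "ok: not covered by these wordlists"


if __name__ == "__main__":
    # Constructed candidates, including the one from the quoted article.
    for pw in ["momof3g8kids", "dragon", "2013letmein", "Tr0ub4dor&3x"]:
        print(f"{pw!r}: {audit(pw)}")
```

An "ok" result only means the candidate is not covered by the lists supplied, so the check is only as good as the wordlists behind it.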

Date: 2013-06-15 01:43 am (UTC)
From: [personal profile] silveradept
...it still sounds like to me that the only reason we all aren't routinely and regularly hacked is because we aren't interesting enough to the hackers.
