Criminals guess passwords in two main ways. One is called a brute force attack, and the other a dictionary attack.
A brute force attack harnesses the power of computers to literally try every possible combination of characters up to a given length. Each attempt is submitted to the password field, or, more often, checked against a stolen copy of the site's password hashes, in the hope that one will match. For example, the first guess might be “a”. The next will be “b”, then “c”, and so on through the alphabet. The guesses might also include single digits and symbols. Then the attempts move to two-character passwords: “aa”, “ab”, “ac”, again running through every combination. The guessing continues to longer and longer passwords for as long as the attacker's time and computing power allow.
This sounds like a lot of work. It is, but of course computers can do these computations very quickly. Nonetheless, a longer password and a bigger character set (not just lower-case letters, but upper case, digits and symbols) vastly increase the number of guesses required. A 4-digit numeric PIN needs at most 10,000 guesses (on average, half that). A 12-character password drawn from the 95 printable characters (upper and lower case letters, digits, symbols and space) sits in a search space of 546,108,599,233,516,079,517,120 candidates, counting every password of length 1 through 12, since the attacker must exhaust the shorter lengths first. That is a lot, even for a computer. At one hundred trillion guesses per second, the “massive cracking array” figure used on the site below, trying them all would take about 173 years, almost two CENTURIES (and finding the password takes, on average, half of that). There is a great site at https://www.grc.com/haystack.htm which demonstrates how greater length and complexity affect the guessability of a brute-force attack. Note that these figures assume the password could be any string at all; a long password built from ordinary words gets none of this protection, for reasons the next section makes clear.
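The arithmetic behind those figures, as an added example (not code from the original page or from the haystack site): it reproduces the cumulative counting convention the haystack page uses, in which a 12-character password is measured against every password of length 1 through 12, and estimates worst-case cracking time at a chosen guess rate. The guess rates in ATTACK_RATES and the helper names are assumptions made here for illustration.

```python
"""Search-space arithmetic for brute-force password guessing.

Added example, not from the original page. A brute force attack that works
upward in length must exhaust every shorter length first, so the search
space for a password of length N is the sum of the spaces for lengths 1..N.
"""
import string

# Standard character classes; 95 printable ASCII characters in total.
LOWER = string.ascii_lowercase          # 26
UPPER = string.ascii_uppercase          # 26
DIGITS = string.digits                  # 10
SYMBOLS = string.punctuation + " "      # 32 punctuation marks plus space = 33
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (guesses per second) for three attacker scenarios.
ATTACK_RATES = {
    "online, throttled login form": 1e3,
    "offline, single fast GPU rig": 1e11,
    "offline, massive cracking array": 1e14,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which character
    classes actually appear in the password (characters outside the four
    standard classes are ignored in this simplified model)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space(alphabet: int, max_len: int, cumulative: bool = True) -> int:
    """Number of candidates of length 1..max_len over an alphabet of the given
    size; with cumulative=False, only candidates of exactly max_len."""
    if cumulative:
        return sum(alphabet ** n for n in range(1, max_len + 1))
    return alphabet ** max_len


def time_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate; the expected time is half."""
    return candidates / guesses_per_second


def years(seconds: float) -> float:
    """Convert seconds to (Julian) years."""
    return seconds / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Search space and worst-case cracking years for one password under
    every assumed attacker scenario."""
    space = search_space(alphabet_size(password), len(password))
    return {
        "alphabet": alphabet_size(password),
        "candidates": space,
        "years": {name: years(time_to_exhaust(space, rate))
                  for name, rate in ATTACK_RATES.items()},
    }


if __name__ == "__main__":
    for pw in ("1234", "sunshine", "Tr0ub4dor&3", "a1B2c3D4e5F!"):
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, {r['candidates']:,} candidates")
        for name, y in r["years"].items():
            print(f"    {name}: {y:,.6g} years")
```

The point the numbers make is that guess rate matters as much as password length: the same 12-character password that survives a massive array for well over a century would survive a throttled login form for billions of years, and a 4-digit PIN survives neither. Those are only meaningful if the password really is random; the dictionary attack below is what breaks the assumption.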
A dictionary attack relies on a known list, or “dictionary”, of likely passwords. This will typically include all common words in a language, combinations and simple variations of them (capitalised, with a digit or symbol appended, and so on), as well as passwords recovered from earlier breaches of other sites. The attackers already know those passwords have been chosen by real people, so they are added to the dictionary.
The list used in a dictionary attack can be very large, many gigabytes in some cases. But even a dictionary of billions of entries is tiny compared with the full brute-force search space, so a computer can work through it far faster than it could guess every possible combination. A password can often be recovered in seconds using a dictionary, provided the password is in the dictionary. We will see why that proviso matters in the next section.
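A side-by-side of the two attacks against a stored password hash, as an added example that is not code from the original page. The wordlist, the mangling rules and the target passwords are all constructed here for illustration, and the "site" stores an unsalted SHA-256 digest so the whole thing runs offline; real dictionaries run to gigabytes and real rule sets are far richer.

```python
"""Dictionary attack versus brute force against a stored password hash.

Added example, not from the original page. Everything below (wordlist,
rules, targets, storage format) is constructed for illustration.
"""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

# Constructed dictionary: a few common words plus two entries of the kind an
# attacker harvests from breaches of other sites.
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "dragon",
    "sunshine", "iloveyou", "monkey",
    "Tr0ub4dor&3",    # assumed to come from an earlier breach dump
    "correcthorse",   # likewise
]


def store(password: str) -> str:
    """What the example site keeps for each user: an unsalted SHA-256 hex
    digest. Weak storage like this is what makes offline guessing cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Raw words first (most likely), then three simple mangling rules:
    capitalise, append one digit, append '!'. Real crackers apply thousands
    of such rules; these are enough to show the idea."""
    words = list(words)
    yield from words
    for w in words:
        yield w.capitalize()
    for w in words:
        for d in string.digits:
            yield w + d
        yield w + "!"


def dictionary_attack(target: str, words: Iterable[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Return (password, guesses) on success, or (None, guesses) once the
    dictionary and its mangled variants are exhausted."""
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        if store(cand) == target:
            return cand, guesses
    return None, guesses


def brute_force(target: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Enumerate every string of length 1..max_len over alphabet, shortest
    length first and in alphabet order, exactly as described in the text."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(chars)
            if store(cand) == target:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # A 9-character word-plus-digit password: far beyond a feasible brute force
    # over 36+ characters, yet the dictionary gets it in under 100 guesses.
    print(dictionary_attack(store("sunshine1")))
    # A breach-derived password is found without any mangling at all.
    print(dictionary_attack(store("Tr0ub4dor&3")))
    # A short random password is not in the dictionary, so that attack fails,
    # and brute force over lower case plus digits has to try over a million.
    target = store("x7q2")
    print(dictionary_attack(target))
    print(brute_force(target, string.ascii_lowercase + string.digits, 4))
```

Run it and the contrast is the whole lesson: a nine-character password that would take a brute force attacker centuries falls in 77 guesses because it is a word with a digit on the end, while a four-character password that is not in any list survives the dictionary entirely and costs the brute force attacker over a million guesses. Length and complexity only help when the password is not something a dictionary can predict.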