Hacker have of course long reacted to the use of passphrases. Their tools contain pre-calculated hashes for common phrasen and song titles.
Hackers have a difficult job. Therefore they employ a set of techniques to increase their chancen. This begins with applied psychology and statistics and reaches to
completely automated programs to systematically hack bank accounts or web servers.
There are many more toolkits for hacking, that automate much of the work. For each of the known or common vulnerabilities there is a program that automates
It is more worthwile for hackers to attack web sites with login-data instead of focusing
on individual users.
When they succeed, they often can salvage files or databases with user data. This happens regularly. Only the most spectacular cases appear in the news, the uncounted daily hacks are not even mentioned (according to a study by Sophos in 2012 about 30000 Webseiten were hacked daily. And this interactive infographic visualizes the ever increasing trend). Web-Services of all kinds are
affected, even large names like Yahoo, Facebook or EBay are no exception.
When you create an account with an online-service, pay attention to the following criteria:
One of the most severe mistakes on the user side of a web service is to re-use the same password on different web sites. When one of these is cracked, the Hacker can assume the users identity on ALL other sites and goes unnoticed. The necessary conclusion is to use password-manager softwar, since it is impossible to handle large numbers of cryptographically secure passwords.
At first glance, any unknown password may seem secure, but when dealing professionally with these topics (and hackers do), there appear (among others) the following, psychologically motivated Categories of passworten (with increasing entropy/security):
According to the different types of passwords mentioned above, hacker emply very diverse programs and techniques to crack web sites. Scripts and even cracking
suites are maintained to e.g. create viruses or automate much of the cracking process, while the hacker sits back and only coordinates it. Once decrypted, usernames and passwords are often not
immediately exploited but e.g. sold to agencies or other hackers. Only when an opportunity appears, they may be used, while the actual client
is unaware of this threat.
This approach is similar to the hoarding of backdoors by CIA and other secret services. Many known bugs and vulnerabilities in applications and operating systems were NOT reported to the software producers to be fixed. Instead they are stashed for possible future application. Unfortunately these troves can also be stolen by hackers and sold to the highest bidder. A large CIA package was fortunately given to WikiLeaks, where it is still being evaluated due to its volume.