Skip to main content

Passwords and system access

Unauthorized system access

User passwords and authentication policies protect the critical and sensitive data collected by your application from access by unauthorized users. Hackers — malicious users who attempt to gain unauthorized access to systems and data — employ a variety of approaches to identify and exploit weak passwords and lax security policies. The act of guessing a user's password is known as cracking.

In a brute-force attack, a hacker makes a series of attempts to crack a user's password and achieve a successful login. With a brute-force attack, the hacker attempts all possible combinations of characters one-by-one until gaining access.

In a dictionary attack, the hacker uses a dictionary — a wordlist containing known or suspected passwords — to increase the chance of a successful guess. A hacker can add entries to their dictionary by:

  • Identifying common words, such as password.
  • Spidering, or searching an organization's website to identify common terms within the organization, such as a slogan or the year the organization was founded.
  • Obtaining known passwords from a successful hack of a different site.

As a measure of security, passwords are often stored in a converted form through a process known as hashing. With hashing, an algorithm is used to generate a number, called a hash, from a text string. For example, the password password is converted to the hash 5f4dcc3b5aa765d61d8327deb882cf99.

Hashing helps to secure passwords because a hash cannot be decrypted back to its original form. Instead, a text string such as a password is hashed and compared to a previously generated hash known to have originated from a valid text string. For example, when a user sets their password, the password is stored in a hashed format. When the user attempts to log in later, the system hashes the submitted password and compares the hashed value against the stored hash. If the hashes match, the password is considered valid, and the user is logged in.

To crack a hashed password, hackers use a rainbow table attack. In a rainbow table attack, a hacker creates a lookup table containing a list of possible passwords and hashes, then compares each hash against a list of hashed passwords. When the hashes match, the hacker identifies the password from their lookup table.

Check your knowledge with the following interaction.

Password security

Many security breaches occur when a hacker cracks a weak password to gain access to sensitive data and systems. A password is considered weak if it meets one of the following conditions.

  • The password is less than eight characters long.
  • The password consists of only one type of characters, such as only letters.
  • The password is a common word or phrase, such as password.
  • The password contains repeated characters or simple sequences, such as 111 or abcdef (the first six letters of the English alphabet).
  • The password contains common character substitutions, such as @ for a or 0 for o.

If a password is strong enough, a hacker may give up before cracking the password. Password strength depends on three factors: length, complexity, and predictability.

Note: Requiring strong user passwords is only one aspect of securing an application. For a complete list of security leading practices, consult the Security Checklist awareness module and the Security Checklist for Pega Platform deployment. 


Increasing the length of a password increases the number of possible combinations to test. The maximum number of possible combinations of a string of characters is xn, where x is the number of characters allowed, and n is the number of characters in the string. If a password is four characters long and contains only the lowercase letters a-z, there are only 264 — or 456,976 — possible combinations of characters. Increasing the password length to 8 characters increases the number of possible combinations to 268, or 208,827,064,576.


Increasing the number of allowed characters also increases the number of combinations. For this reason, security policies often require uppercase (A-Z) and lowercase letters, the numbers 0-9, and special characters such as punctuation marks and arithmetic operators. If a password eight characters long can contain the letters a-z and A-Z, the numbers 0-9 and 30 special characters (` ~ ! @ # $ % ^ & * ( ) _ + - = [ ] | \ : " ; ' < > ? , . /), the number of possible combinations increases to (26 + 26 + 10 + 30)8, or 5,132,188,731,375,616‬.


Hackers often use dictionaries of common passwords, such as password, when cracking a password. These dictionaries often include variations with common character substitutions such as @ instead of a or $ instead of s. For example, the password p@$$word appears safe but is considered predictable due to the common substitutions.

Instead, use an uncommon phrase, such as my eagle swims in chicken soup. The entire phrase must be hashed to support a rainbow table attack, which decreases the likelihood of successfully cracking the password. Other strategies include capitalizing random letters in the password and using special characters in place of spaces, rather than in common letter substitutions.

Check your knowledge with the following interaction.

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

100% found this content useful

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice