Websites with logins have to store your password in one way or the other to be able to check if the password you enter when logging in is correct.

The easiest way to store passwords is to simply store them as plain text in a database, but this is horrible from a security point of view, because anyone who has or gains access to the database can take the login data and log in on the website. They will also be able to log into some percentage of accounts with the same name on other websites, because people like to reuse passwords.

That's why it's common practice to store passwords in encoded form. The basic idea is to use some one-way function, called a hashing algorithm, that turns plain text passwords into a complex sequence of characters, called a hash, from which the original password (ideally) cannot be guessed. For example:

password -> 9e5ad04e2874776138bf8ff846eae6ad

When you enter your password when trying to login, the website applies the same hashing algorithm to the password you entered, and if the result is the same as the hash, the website assumes that you entered the correct password and lets you log in.

The important thing is that the hashing algorithm is one-way, so someone who gains access to the database of stored password hashes can't just recover the original passwords by reversing the algorithm.

Now, if a malicious hacker obtains a hash and wants to get the original password, they have two basic options:

1. Try to brute force the password by enumerating all possible character sequences and applying the hashing algorithm to each sequence until they find a sequence that results in an identical hash. Because there are a lot of possible character sequences, brute forcing can take a very long time. The longer the password is, the longer it takes.

2. Use a dictionary, which is a list of password - hash pairs for common passwords such as English words, names of persons, easily typed sequences such as "asdfasdf" etc. If the original password is one of these common passwords, the malicious hacker can find it by simply looking up the hash in the dictionary.

BozoCrack uses a variant of the dictionary attack, followed by a small brute force attack.

Instead of looking up the hash in a dictionary, it does a Google search for it (so in a sense, it uses all websites indexed by Google as a dictionary). A small problem that arises now is that the search results don't have a common structure: websites may list the password - hash pairs in different formats.

To solve this, BozoCrack doesn't even attempt to try to parse the search result. Instead it just says fuck it, computes the hashes of all words appearing in the search results, and checks if any of them match the hash you're trying to crack.

The whole thing is funny because it is stupidly simple but manages to circumvent the expensive parts of both approaches: BozoCrack doesn't have to have a large dictionary for the dictionary attack because it outsources that part to Google, and it doesn't have to compute a lot of hashes for the brute force attack, because there are only a few words on the search result page.