How Do They Crack Your Password?
Mon Jan 22, 2007 3:22AM EST
Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?
A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: All of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" with a problem on your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website.
The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.
The kind of password attacks I'm talking about when I write stories about password security and strength are brute force attacks of one sort or another, and they start with the theft of the password records themselves. You read about it every day: Hackers compromise a network and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are stored right alongside the hashed password.) This is the answer to Rich's question: the attacker is not typing guesses into the site's login page, so the site's limit on failed attempts never comes into play. He works on his own copy of the stolen data, on his own hardware, for as long as he likes.
Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies store passwords not in the clear but as hashes. A hash is not encryption; there is no key and nothing to decrypt. It is created by taking your password, applying a one-way mathematical function to it, and storing the output of that function in the database instead of the actual password. When you log in to a website, the site runs that same function against the password you typed, then checks whether the result matches the hash in the database. If it does, you're in.
The reason hashes are secure is that they are designed to be one-way. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash. Not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?
So, what happens if a hacker has the hash of your password? He can't run the function backwards, so he runs it forwards: he guesses likely passwords, hashes each guess, and compares the result with your hash. Hashing is cheap. Even ordinary hardware can test many thousands of guesses per second, and purpose-built cracking tools far more, so he'll get to daisy123 quickly, since it is, as noted in a prior article, a thoroughly insecure password. But if your password is long and genuinely unpredictable, the guesses run out long before they reach it, and having the hash is worth little more to him than having no information about your password at all.
There are copious other methods for cracking passwords (there are even online databases of hashes that make looking up common passwords child's play; these work because most sites hash the bare password, so every user who picked daisy123 ends up with the identical hash, and a site that mixes a random per-user value, a salt, into each hash defeats such lookup tables, though not guessing itself). Guessing against stolen hashes, however, is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through), and the same property that makes lookup tables work lets the cracker test each guess against every stolen hash at once. It shakes out pretty much the same way every time: If a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use.
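The attack described above, as an added example (not code from the original article or from any cracking tool): a constructed table of stolen, unsalted MD5 hashes, a small constructed wordlist with the kind of mangling rules crackers apply (capitalize, append digits), an exhaustive search over short lowercase strings, and a salted variant to show why one hash no longer covers every user who chose the same password. The user names, passwords, wordlist and hash table are all made up for the demonstration; the attempt counts show that the cost is per guess, not per user, and that no login rate limit is involved anywhere.

```python
import hashlib
import itertools
import string

# Constructed sample wordlist, a stand-in for the "common passwords" lists that
# cracking tools ship with. Not taken from the article.
WORDLIST = ["password", "123456", "qwerty", "letmein", "daisy", "monkey", "sunshine"]


def mangle(word):
    """Yield the word plus a few common variations (capitalised, digits appended).

    Crackers rarely try a dictionary word on its own; "daisy" is tried as
    "Daisy", "daisy1", "daisy123", and so on.
    """
    yield word
    yield word.capitalize()
    for suffix in ("1", "12", "123", "2007"):
        yield word + suffix
        yield word.capitalize() + suffix


def hash_password(password, algorithm="md5"):
    """One-way hash as the article describes: password in, fixed-size hex digest out."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def salted_hash(password, salt, algorithm="md5"):
    """Same function, but with a per-user random salt mixed in first.

    Two users with the same password now get different hashes, so a precomputed
    table or one cracked hash no longer covers both of them.
    """
    return hashlib.new(algorithm, (salt + password).encode("utf-8")).hexdigest()


def _index_by_hash(stolen_hashes):
    """Map each stolen digest to the list of users who have it (unsalted: duplicates collide)."""
    by_hash = {}
    for user, digest in stolen_hashes.items():
        by_hash.setdefault(digest, []).append(user)
    return by_hash


def dictionary_attack(stolen_hashes, wordlist, algorithm="md5"):
    """Offline dictionary attack against a stolen {user: hash} table.

    Each candidate is hashed once and compared against every stolen hash, so the
    work grows with the wordlist, not with the number of victims.
    Returns ({user: recovered_password}, number_of_hashes_computed).
    """
    by_hash = _index_by_hash(stolen_hashes)
    cracked, attempts = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            for user in by_hash.get(hash_password(candidate, algorithm), []):
                cracked[user] = candidate
    return cracked, attempts


def brute_force(stolen_hashes, alphabet, max_len, algorithm="md5"):
    """Exhaustive search of every string over `alphabet` up to `max_len` characters.

    The attempt count grows as len(alphabet) ** length, which is why length and a
    wide character set matter more than any single "special" character.
    """
    by_hash = _index_by_hash(stolen_hashes)
    cracked, attempts = {}, 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            for user in by_hash.get(hash_password(candidate, algorithm), []):
                cracked[user] = candidate
    return cracked, attempts


def demo():
    """Run both attacks against a constructed stolen table and return what fell."""
    # Constructed "stolen laptop" data: unsalted MD5, as in the article's example.
    stolen = {
        "alice": hash_password("daisy123"),
        "bob": hash_password("daisy123"),         # same password -> identical hash
        "carol": hash_password("Sunshine2007"),   # dictionary word plus a year
        "dave": hash_password("xkq"),             # random but far too short
        "erin": hash_password("V7!r#pLq2@wZ9m"),  # long and unpredictable: not found
    }
    dict_cracked, dict_attempts = dictionary_attack(stolen, WORDLIST)
    bf_cracked, bf_attempts = brute_force(stolen, string.ascii_lowercase, 3)
    return {
        "dictionary": dict_cracked, "dictionary_attempts": dict_attempts,
        "brute": bf_cracked, "brute_attempts": bf_attempts,
    }


if __name__ == "__main__":
    print(demo())
```

Three of the five constructed accounts fall to 70 mangled dictionary guesses, the short random one to 18,278 brute force guesses, and the long random one to neither; with a per-user salt, alice's and bob's identical passwords would no longer produce the same digest, so cracking one would not hand over the other.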
In other words: Be safe out there.
Join in the discussion. Here you'll see the comments in the order they were posted.
Very good article. Only the link to a list of unreliable passwords did not work. So that list is of no value to me. Can you fix the problem please?
Just asking, but why are there random ' in people's writing?
Wtf are they doing?! Now more people will know how to do this and it will happen to me... how intelligent of them -.-
Dang, if you have a password, keep it secure & private.
Awesome
All I can wonder when reading this is if "Rich Brozenec" is related to my ex-husband Jon Brozenec. LOL...small world......
Actually, "hacking" or stealing passwords is much simpler. Search "MITM" or "Man in the Middle Attack". If you use your PC on a network, wired or wireless, you are more or less vulnerable to this type of attack. There are ways to secure your network/PC against this type of attack, but most people are either ignorant or too lazy to do the research; they would rather have plug-and-play convenience.
u ----- whoever wrote this mother-----
Are you stopping hacking into our stuff? Please e-mail me back.
Another common password hacking tool is to gather public information about you such as your birthday, full name, address, phone number, place of employment, and family information such as names of children. Many people will use this personal info as part of passwords. For instance if their name is Paul Smith and birthday is 01/01/50 they will create a password of PS010150, or P010150S or other variations of this data. This is especially easy to hack if the hacker collects public info on you from a variety of sites.
Interesting stuff. Now the public knows how to crack passwords. It's best not to have any sensitive stuff on the computer. The author is right about password cracking: it's only a matter of time before a hacker can find out your password. Again, it's best not to have the information on your computer.
ibm_mf_pro... they use a cracking program with many proxies/other IP addresses. When one IP is blocked it uses another IP. You can store thousands of different IPs and hundreds of thousands of passwords to use. That is the easy way; real hackers can hack without that program.
Thank you for telling us how to hack people's accounts. Dang, you guys are retarded.
I'm a new guy to computers & this really helped me. Thank you so much.
If I didn't know how to crack a passcode before, I've surely got it now. I'll try your method and see if it works for me as well as it does for you. Thank you,
There really is no way of stopping a hacker from getting into your account... unless you don't have an account to get into.
towboattrash34, you are partially wrong. When it comes down to IP addresses being banned, a hacker can only get past that if the site in question only bans the external IP address used for common internet function. Embedded in all computers is an unchangeable, internal IP address that is more commonly banned now, since it cannot be changed by programs that change your external IP address, commonly called "IP refreshers."
skateedgerton, nobody told anybody how to hack anyone. I don't see any hacking programs listed here. I don't see directions on how to use any.
lamont0240, there are ways to prevent hacking; the issue is not totally hopeless. Think of it like certain diseases. Sure, they aren't 100% purgeable, but there are remedies to lessen the chances of anyone getting one, and more remedies to ease the ailments of those that do. The best way to stop hackers from getting on you is to BE SAFE!
That's bull. I do not know why they do that; they need to get their own.
I saw a text in one of the file sections in a Yahoo group. Which one, I don't remember. But perhaps someone else will, and will bring it to the attention of at least Yahoo. It simply stated that one could obtain anyone's password by simply requesting it, saying one had forgotten theirs. It went on to say something about putting something else in the third line, which in turn would fool the server into thinking that the person requesting the password was indeed a Yahoo employee or something or other, thus giving the hacker the information needed. I didn't think to say anything at the time, but now I'm wondering if that is truly possible and, if so, what can be done to correct the situation, so this type of thing won't happen.
26 Posted by linz318@verizon.net on Thu Sep 3, 2009 6:53PM EDT
This article was so interesting I didn't get to read past the first six words. You should have some interesting pictures or words that make sense without having to use a dictionary.
And what's up with the stupid picture of the key? You don't hack into a computer with a key. You might want to check some of your spelling in there too. Good article though, guys.