How Do They Crack Your Password?

Mon Jan 22, 2007 3:22AM EST


Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?

A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: All of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" with a problem on your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website.

The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.

The kind of password attacks I'm talking about when I write stories about password security and strength involve brute force attacks of various sorts. These attacks typically involve the theft of password records by various means. You read about them every day: Hackers compromise networks and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are linked directly to the hashed password.)

Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies store passwords not in the clear but in a form called a hash. A hash is created by taking your password, applying a mathematical function to it, then storing the result of that function in the database instead of the actual password. When you log in to a website, the site runs that same math function against the password you typed, then checks the database to see if the hashes match. If they do, you're in.

The reason hashes are secure is that they are not reversible. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash, but not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?

So, what happens if a hacker knows the hash of your password? He tries out likely passwords to see if he can get a match. Again, it's easy to hash several hundred passwords per second, and eventually he'll get to daisy123, since it is, as noted in a prior article, a quite insecure password. But if your password is appropriately complex, he'll probably never be able to crack it: Having the hash will be as useless as having no information about your password.

There are copious other methods for cracking passwords (and there are even online databases of hashes that make looking up common passwords child's play), but this is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through). It shakes out pretty much the same way every time: If a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use.
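As an added example (not code from the original article), here is the daisy123 scenario in Python with hashlib: the same guesses made through the login page stop at the site's lockout, while the same guesses made against a stolen hash do not, and a per-user salt plus a deliberately slow hash (PBKDF2, an assumed storage format here) is what a defender does about it. The wordlist and the lockout limit of 5 are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed wordlist standing in for the "likely passwords" a cracker tries first.
WORDLIST = ["password", "123456", "qwerty", "letmein", "daisy", "daisy123"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the kind of fast hash the article describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def online_attack(stored_hash: str, wordlist: Iterable[str], limit: int = 5) -> Tuple[Optional[str], int]:
    """Guessing through the login page: the site re-hashes each try and compares,
    but locks the account after `limit` failures, so later candidates are never tested."""
    tries = 0
    for candidate in wordlist:
        if tries >= limit:
            return None, tries  # locked out before reaching the right guess
        tries += 1
        if md5_hex(candidate) == stored_hash:
            return candidate, tries
    return None, tries


def offline_attack(stored_hash: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """The same guessing against a stolen hash: no login page, no lockout,
    only hash-and-compare at whatever speed the thief's hardware allows."""
    tries = 0
    for candidate in wordlist:
        tries += 1
        if md5_hex(candidate) == stored_hash:
            return candidate, tries
    return None, tries


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Defender's storage format (assumed): per-user salt plus PBKDF2-HMAC-SHA256, kept as
    'iterations$salt$digest'. The salt defeats precomputed hash databases and makes each
    user's hash unique; the iteration count makes every offline guess expensive."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(stored: str, candidate: str) -> bool:
    """The site's login check for the salted format: recompute with the stored salt and
    iteration count, then compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    recomputed = salted_slow_hash(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)
```

With the constructed wordlist, the online attempt is locked out after five wrong tries and never reaches daisy123, while the offline attempt finds it on the sixth hash.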

In other words: Be safe out there.

Comments on How Do They Crack Your Password?


  • 46 Posted by chrzzh7768@ameritech.net on Thu Sep 3, 2009 3:25PM EDT

    How or what can we do to keep hackers from getting our passwords? You told us what they do, but not what we should do to slow or confuse them, causing the hackers to say, "forget it!" I'm sure they would not want to spend their minutes on a hard case. Please assist us with this information.

  • 47 Posted by mrsurgeon@sbcglobal.net on Thu Sep 3, 2009 7:28PM EDT

    He does not answer the question. How can a hacker attempt numerous passwords without getting kicked off the logon page?

  • 48 Posted by toddcurley@sbcglobal.net on Thu Sep 3, 2009 10:14PM EDT

    I have seen those "Vault" USB type products that are supposed to keep your passwords safe. Do they really work?

  • 49 Posted by msg_fay on Thu Sep 3, 2009 7:29PM EDT

    but in some sites u get logged off after 5 incorrect passwords so... they can't really use ur "hash" system?????

  • 50 Posted by hnreed60 on Thu Sep 3, 2009 4:19PM EDT

    What about changing passwords periodically? Many companies demand their employees change passwords, and some have built in prompts for employees to do so.

  • 52 Posted by jcjm_30 on Thu Sep 3, 2009 4:30PM EDT

    I received an email from a company that included the info I needed to logon to an account. I was told it would include a temp password to login. When I opened the email it had my yahoo password as my temp pswd. How did they get my pswd which I do not SAVE?

  • 53 Posted by airtel_express2003 on Thu Sep 3, 2009 2:47PM EDT

    Dear sir, I want to know how hackers break our password, because I want to my office. I am extive in Airtel and they used my laptop, so please tell the full process of password breaking.

  • 54 Posted by allanfbean02 on Thu Sep 3, 2009 2:50PM EDT

    Oh, I am sorry for the previous comment, it was an error. But this is great. My password is such a complex one and I think I am safe. THANKS

  • 55 Posted by robsch05 on Thu Sep 3, 2009 8:46PM EDT

    None, I wouldn't let anyone get my password. Just don't give it out to anyone, not even your spouse or relative, and change it often for your protection, and use at least one uppercase letter and a number of some sort or one symbol. If you're dumb enough to give it out then you asked for it. A concerned friend of Yahoo

  • 56 Posted by gpaj3669 on Thu Sep 3, 2009 4:11PM EDT

    I just got an e-mail the other day from MySpace that my password was stolen and I have to change it. It gets me so darn mad that there are people out there doing this, and getting our personal and private information. The article was very informative. Thanks

  • 57 Posted by rbrtplus1 on Thu Sep 3, 2009 8:31PM EDT

    I don't think this article helps most who are concerned. There isn't enough information on the preventative aspects. My password was also stolen, which didn't surprise me because it was whoo-haa, a common term these days but still must be difficult to crack, so to speak. They must have got my hash first. I believe this was the most informative part of this article. One thing I might add is, if you have Windows remember your password so you don't have to type it in, that is the back door used by most hackers.

  • 58 Posted by bobele1 on Thu Sep 3, 2009 3:10PM EDT

    Article is informative, but not comprehensive. I experienced a different form of attack and I am a very cautious and computer and internet savvy person. All of a sudden, maybe through the visit of a webpage that was not "secure", I found a malicious keylogger (AKL.exe) on my laptop storing all the websites I visit including logins and passwords, and sending this stored text file via FTP to someone who opened the attack on my computer. Since I am savvy, I noticed that there was a program running on my computer that did not belong there (Ctrl-Alt-Del, in Processes). I immediately checked for it and cleaned everything up, not before finding the text file where all the information was stored, in the system32 folder under the file name of form.txt. I manipulated this file with some false data, which was immediately sent off again. Only when I visited new webpages would this file be newly created. Just wanted to tell this story so people will be cautious out there. There are many ways to get your passwords without brute force. Hope this will be useful as a future warning and reference. Should anyone encounter this problem and need help, please contact me. I can fix it.

  • 60 Posted by james_hearsch on Thu Sep 3, 2009 4:28PM EDT

    This article is great for us laymen, thank you. But there are two that asked a question that should not be answered. I'm no dummy, but sometimes I can spot a phoney, and there are two here.

  • 61 Posted by krisf0424@sbcglobal.net on Thu Sep 3, 2009 4:53PM EDT

    If you don't mind my asking, which two are you talking about? I think someone got my password and is reading all my e-mails and answering back, and it's not me. What should I do? How can I find out who is doing this? Thanks

  • 62 Posted by for_a_job@sbcglobal.net on Thu Sep 3, 2009 4:01PM EDT

    Basically, if ya don't want to be cracked, make a password completely random: kolwhea419. With the 3 failed attempt comment, most people use the same password for everything, so they could hack a different account and then use the password they find for the others.

  • 63 Posted by dreish1 on Thu Sep 3, 2009 3:48PM EDT

    How bored would someone have to be to read my e-mail?

  • 64 Posted by bestce06 on Thu Sep 3, 2009 3:05PM EDT

    This is very timely information. How do I get it to print? All I get when I try to print this article are the advertisements.

  • 65 Posted by sandiskboy on Thu Sep 3, 2009 9:03PM EDT

    Watch out for third party applications storing your password in clear text.
