Mon Jan 22, 2007 3:22AM EST
Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?
A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: All of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" with a problem on your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website.
The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.
The kind of password attacks I'm talking about when I write stories about password security and strength involve brute force attacks of various sorts. These attacks typically involve the theft of password records by various means. You read about them every day: Hackers compromise networks and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are linked directly to the hashed password.)
Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies don't store the password itself; they store a one-way transformation of it called a hash. A hash is created by taking your password, applying a mathematical function to it, then storing the result of that function in the database instead of the actual password. When you log in to a website, the site runs that same math function against the password you typed, then checks the database to see if the hashes match. If they do, you're in.
The reason hashes are secure is that they are not reversible. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash. Not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?
So, what happens if a hacker knows the hash of your password? He tries out likely passwords to see if he can get a match. Again, it's easy to hash several hundred passwords per second, and eventually he'll get to daisy123, since it is, as noted in a prior article, a quite insecure password. But if your password is appropriately complex, he'll probably never be able to crack it: Having the hash will be as useless as having no information about your password.
There are copious other methods for cracking passwords (and there are even online databases of hashes that make looking up common passwords child's play), but this is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through). It shakes out pretty much the same way every time: If a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use.
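The following is an added example, not code from the original column, that shows why bulk cracking "shakes out the same way every time" when a stolen file holds plain, unsalted hashes, and what changes when each record gets its own random salt and a deliberately slow hash. The user records and the guess list are constructed for the demonstration, and MD5 is assumed as the "common hash system" behind the 32-hex-digit hash shown above.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not from any real breach). Two users chose
# the same weak password; one chose a long passphrase.
USERS = {
    "alice": "daisy123",
    "bob": "daisy123",
    "carol": "correct horse battery staple 77",
}

# Constructed stand-in for a cracker's list of likely passwords.
GUESSES = ["password", "letmein", "daisy", "daisy123", "qwerty"]

# Work factor for the hardened scheme; real deployments tune this upward.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, assumed to be the scheme the column describes."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(users):
    """Build the 'stolen file': user ID -> unsalted hash of the password."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def crack_unsalted(stolen, guesses):
    """One hash computation per guess checks *every* record in the file,
    because identical passwords produce identical hashes. Returns the
    recovered passwords and the number of hash computations performed."""
    users_by_hash = {}
    for user, digest in stolen.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for guess in guesses:
        work += 1
        for user in users_by_hash.get(md5_hex(guess), []):
            found[user] = guess
    return found, work


def store_salted(users):
    """Hardened storage: a fresh 16-byte salt per user plus PBKDF2-HMAC-SHA256,
    so equal passwords no longer share a hash and each guess is expensive."""
    records = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        records[user] = (salt, key)
    return records


def verify_salted(records, user, password):
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, key = records[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def crack_salted(records, guesses):
    """With per-user salts the guess list must be re-hashed for every record,
    and each hash costs ITERATIONS rounds instead of one."""
    found, work = {}, 0
    for user, (salt, key) in records.items():
        for guess in guesses:
            work += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
            if hmac.compare_digest(candidate, key):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    stolen = store_unsalted(USERS)
    print("unsalted:", crack_unsalted(stolen, GUESSES))
    hardened = store_salted(USERS)
    print("salted:  ", crack_salted(hardened, GUESSES))
```

In the unsalted file alice and bob have the same hash, so one MD5 of "daisy123" recovers both accounts, and the whole guess list costs five hash computations regardless of how many records the file holds. With salting, the cost multiplies by the number of records, and the iterated hash multiplies it again by the work factor; the long passphrase is still never recovered from a short guess list in either case, which is the point the column makes about complex passwords.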
In other words: Be safe out there.
Join in the discussion. Here you'll see the comments in the order they were posted.
Well, I had a very strong password (according to Gmail they listed it as a "6" in terms of strength, which was V.V. strong). My account still got hacked! What do you make of this? And I definitely don't respond to any of those phishing things.
The posting was too good and very informative for our future passwords!!!
OK... The hacker runs the cracking software on the 100,000 records in the file which generates 100,000 results per brute force iteration. It doesn't know which iteration produces passwords unless he/she runs them and they work, correct? If/when the cracking software solves the password for one user/account, wouldn't that solve the password for all the users/accounts in the file, unless there are multiple encryption methodologies involved in the database.
PC Tools has a nice little random generating page to look at and try. http://www.pctools.com/guides/password/
PCTools has a website that has a random code generator for you to try out. It can be found in the Windows security guide section, as well as other Windows security issues. This, however, does not take the place of being diligent about making sure that you have all the current updates from Microsoft.
I've only had 2 threats that came from bogus PayPal emails asking me to secure my account by logging onto their phony website with my PayPal ID and password. Both of these happened after an argument I had on a political message board on Yahoo. I wouldn't put it past our national security administration, who are allowed by AT&T to spy on their paying clients, using their phony war on terrorism as an excuse, to be behind some of these hacks.
It was ok.
Atwin_23, they have a password strength test when you sign up for yahoo....
Thanks for this information, but how do I trust the security of a bank website?
Since the US Gov holds the 9 or 10 and above letter passwords for their use only what will we do next? Or do we have to ask Belgium for an answer?
I think this article was pretty good at informing the general public about password security. I think that any parents out there that have read this should pass this on to their local school's administration people, because they are terrible about keeping their computers secure. I'm just a high school senior, but without putting much thought into it, I've been able to figure out most of the passwords for the whole school. This has me genuinely concerned about someone going in and messing up people's grades and stuff. I personally would never do that and am currently trying to help my school crack down on kids at school doing stuff they shouldn't on the computers. This article is great and should be forwarded to as many people as possible.
Use WD-40 to get the key in for the password.
What I don't understand is how someone can get the random 1h4d6fj... code if you don't reply to the e-mails they send you to get the passwords. My account was hacked into at Hotmail and I NEVER respond to ANYONE that I don't know because it's an e-mail I only give out to people I personally know. Is there another way they can access that code?
Very nice article and interesting, but is there a technique on how the hacker selects?... And when the hacker succeeds, what all does he get into? What is he mostly trying to get into when hacking?
Thanks. I just had this happen to me on MySpace. Now I know how they managed to. ;)
For all those asking how to make your password more secure: try not to use any names of people, try not to use dictionary words, and feel free to make the password long and complex with at least 1 or 2 numbers at the end. Try not to use the same password for many online accounts, and try not to share an important account with friends. Also, on important websites make sure it says https (http + S); it means it's secure. For PC users I suggest you use a firewall/anti-virus. Also don't go to bad websites with your firewall... like adult sites. Also don't download from websites or share-ware software programs if it's not secure. I suggest making more than 1 account if possible. This will only help you not get password theft easily... everything is possible for anybody. All it takes is enough cash to get your account from any country.
Hooray Article! Very Informative.
Let me add a few comments about brute force. Someone steals a laptop or breaks into a business computer or Hotmail's computers. They steal a file that contains an account number (or user name) and a password hash. The brute force method picks a starting password, applies a hashing algorithm and sees if it matches the stolen hash. If no match, try other algorithms (but the hackers may know in advance which algorithm to use). Once all algorithms have been tried, the program picks the next password to try. It does not take a powerful computer to run through a list of passwords. Start with A-Z, then AA, AB, to AZ, and keep adding from there. Once they can match the hash, they attach the password that created the matching hash to the account number/user name. Now they can log in as you and they will get it right the first time, no need to worry about 3 strikes and you are locked out. The longer the password, the more special characters or numbers, the harder to crack.
I was hacked, but it wasn't from any sources mentioned here. I'm still not sure just where it came from. I received an e-mail from a mortgage company (or so it appears to be), which told me I could get an "unprecedented 3%" and "ultimate terrorize", amongst other statements I couldn't understand... This person sends e-mail offering to refinance/reduce interest... but when you try to read it, and verify where it came from, it gives another address. But then it's too late... The biggest clue is... this person makes statements so bizarre... that Yahoo itself called me to warn me of the threat... This person must think I own the property I live at... even had my mail forwarded and messed with my bank account... I think I may know who this is... but I can't say right now... Be Careful!!
Posted by moongypz_o6@sbcglobal.net on Thu Sep 3, 2009 7:26PM EDT
I am so computer-illiterate; this was such good information. I'll be more imaginative with my passwords knowing how they're hashed. Thank you.