How Do They Crack Your Password?

Mon Jan 22, 2007 3:22AM EST


Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?

A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: All of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" with a problem on your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website.

The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.

The kind of password attacks I'm talking about when I write stories about password security and strength involve brute force attacks of various sorts. These attacks typically begin with the theft of password records by various means. You read about them every day: Hackers compromise networks and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are linked directly to the hashed password.) This is the answer to the reader's question: once the attacker has his own copy of the records, he tests his guesses against that copy, so the site's limit on login attempts never comes into play.

Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies don't store the password itself; they store a hash of it. A hash is created by taking your password, applying a one-way mathematical function to it, then storing the result of that function in the database instead of the actual password. When you log in to a website, the site runs that same function against the password you typed, then checks whether the result matches the hash in the database. If it does, you're in.

The reason hashes are secure is that they are not reversible. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash. Not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?

So, what happens if a hacker knows the hash of your password? He tries out likely passwords to see if he can get a match. Again, it's easy to hash several hundred passwords per second, and eventually he'll get to daisy123, since it is, as noted in a prior article, a quite insecure password. But if your password is appropriately complex, he'll probably never be able to crack it: Having the hash will be as useless as having no information about your password.

There are copious other methods for cracking passwords (and there are even online databases of hashes that make looking up common passwords child's play), but this is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through). It shakes out pretty much the same way every time: If a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use.
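An added example (not code from the original column) that shows the two sides described above in working Python: a store that keeps a bare, fast hash of each password, and a store that keeps a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256). The five-entry word list, the user names and the iteration count are constructed for the demonstration; the script does not assume anything about which hash system produced the daisy123 digest quoted in the article.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a few of the "likely" passwords an attacker tries first.
# Real precomputed tables hold millions of entries; the size is the only difference.
COMMON_PASSWORDS = ["password", "123456", "daisy123", "letmein", "qwerty"]


def md5_hash(password: str) -> str:
    """Fast, unsalted hash: one password always yields the same digest,
    so digests can be precomputed once and matched against every record."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password. This is what the 'online databases
    of hashes' mentioned in the article contain."""
    return {md5_hash(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Against an unsalted store, each record costs one dictionary lookup."""
    return table.get(stored_hash)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Defender-side storage: random salt + slow derivation instead of a bare hash.
    The iteration count is a constructed choice; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def lookup_salted(record: dict, table: Dict[str, str]) -> Optional[str]:
    """A precomputed table never matches a salted record: the table would have
    to be rebuilt per salt, i.e. per user, using the slow function each time."""
    return table.get(record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Two users who chose the same weak password, stored unsalted.
    alice_plain, bob_plain = md5_hash("daisy123"), md5_hash("daisy123")
    print("unsalted digests identical:", alice_plain == bob_plain)
    print("unsalted digest found in table:", lookup_unsalted(alice_plain, table))

    # The same two users, stored with salt + PBKDF2.
    alice, bob = make_record("daisy123"), make_record("daisy123")
    print("salted digests identical:", alice["hash"] == bob["hash"])
    print("salted digest found in table:", lookup_salted(alice, table))
    print("correct password verifies:", verify(alice, "daisy123"))
    print("wrong password verifies:", verify(alice, "daisy124"))
```

The point of the salted store is not that the attacker can no longer guess daisy123; it is that every guess must be recomputed separately for every user with the slow function, so a breach of 100,000 records no longer yields 20,000 passwords for the cost of one pass over a word list.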

In other words: Be safe out there.

Comments on How Do They Crack Your Password?


  • 66 Posted by shiroi_yukii on Thu Sep 3, 2009 9:20PM EDT

    Good article on a daily issue whose importance most people ignore. Very informative and accurate.

  • 67 Posted by chriskoszalka on Thu Sep 3, 2009 3:24PM EDT

    You should learn C++ then you can make your own password cracking programs with VISUAL C++. It's pretty sweet actually!

  • 68 Posted by makhfee2001 on Thu Sep 3, 2009 7:04PM EDT

    I agree, very informative and in as simple terms as possible. More people need to read this.

  • 69 Posted by sprintgalan on Sat Apr 19, 2008 1:22PM EDT

    On a similar thread, my user name and password have been used as a return email address by some mass emailer. In other words, this person sends thousands of emails trying to sell you something, and out of those, hundreds of addresses don't exist anymore, so they are returned to the sender. Well, someone has made my personal address that sender. How can I stop it?

  • 70 Posted by crypticellcustomerservice on Thu Sep 3, 2009 3:31PM EDT

    Is it true that the new RedScrambler Mark II by Crypticell has a biometric access system that no other cellphone in the world has, using the user's fingerprint to activate the cellphone? tomcryptocomm@yahoo.com

  • 72 Posted by msgrumpy951 on Thu Sep 3, 2009 7:29PM EDT

    Recently I was given a laptop that was previously owned by a friend of mine who happened to have passed away about 1 yr ago. Anyway, I'm not very computer smart, but I don't have a lot of $ either, which brings me to my question: is it possible to configure the administrator settings without the actual password? I have access to most everything, but my problem is I'm unable to add anything to the computer without this square popping up wanting me to enter the admin password. I know somebody viewing this could hopefully have had a similar dilemma. If so, e-mail me at msgrumpy951@yahoo.com w/ info on what I need to do.

  • 73 Posted by hip2hyppa on Thu Sep 3, 2009 4:19PM EDT

    Passwords work best if you encrypt them so that letters represent numbers and vice versa......endless combinations.

  • 74 Posted by marketinglmg on Thu Sep 3, 2009 7:07PM EDT

    We do sale hacking software! Gmail Yahoo Hotmail IOL Contact us to marketing.lmg@gmail.com

  • 75 Posted by robusa57 on Thu Sep 3, 2009 8:46PM EDT

    Very interesting article, especially for a guy like me who is far from being a PC expert....who knows what's going to come next. Is it that easy to buy software and make such a bad use of it? I ask you this because a guy who has the ability to create software to crack a PW has enough knowledge to have a very nice job, instead of doing such a bad action.

  • 76 Posted by debbiedisacco on Thu Sep 3, 2009 3:39PM EDT

    If I was using someone else's laptop to check my email but did not save my password on their laptop, can they get my password?

  • 77 Posted by jamshaid_iqbal2000 on Thu Sep 3, 2009 4:28PM EDT

    Nice article... I like it too much BUT I agree with ibm_mf_pro that it did NOT answer the original question: usually get logged-OFF after THREE failed attempts??? As a new question, with all the publicity about having STRONG pass-words... why do so many sites only allow a max of 6 (yes, SIX) or 10 characters??? And, often, NO !@#$%^&*() characters??????????????????????

  • 78 Posted by rashminayak123 on Sat May 9, 2009 6:19AM EDT

    plz help me to crack the password plz contact me in rashminayak123@yahoo.com

  • 79 Posted by uncle_sam399 on Thu May 14, 2009 12:19PM EDT

    But knowing how many characters are in the password makes it easy to crack.

  • 80 Posted by toddmarlindavis on Sun Nov 8, 2009 1:43AM EST

    You say if it's sufficiently complex it probably won't be cracked, but what are the standards for complexity? I.e., let's say they see that my password isn't weak, so what about focusing their efforts on certain combination blocks based on the advice of how weak or strong a password is, instead of a bottom-up look at every possibility? And what about figuring out the formula used to create the hash? Especially with the bulk cracking of several thousand hashes you're talking about, wouldn't the probability be on their side for gaining ALL of the passwords from all the hashes they've acquired from a company??

  • 81 Posted by theherkman2552 on Sat Nov 21, 2009 1:54PM EST

    I crack passwords for $10 a password. Email, MySpace, Facebook, forums, anything. If the password can be entered from an http or https website, then it can be cracked. You can get around the number of tries by opening multiple streams. If it is online, it is only a matter of time.
