
Please help me understand how hackers get passwords?

I read and understand that I need to have a very strong password for my accounts, especially financial and email, in order to thwart intruders. But one aspect of all this confuses me. If I incorrectly enter my password three times on some of my accounts, I am automatically locked out and have to contact the institution to gain re-entry. Doesn't the same apply to hackers? Or are they getting access to my password through other means? Note that I am not talking about key loggers, Trojan horses, phishing, etc. Thanks in advance.

--Submitted by Chuck G.
There are Many Ways

Many people find passwords to be "nuisances" while others simply get confused and forget their passwords. But how do hackers get your password? There are so many ways. Here are some.

1) They Guess! One of the most used passwords, even by some "experts" seems to be the word "password". I know someone who used "12345". In fact, there are ways to do a dictionary search for passwords; if it is in the dictionary, they will find it. Oh, lockout after 3 minutes? Some people think it is true but there are ways around that depending on how it is implemented. It is very rare that you have to call on the telephone if you've actually locked yourself out.

2) How about clicking on "Forgot Password?"? Well that depends on what goes on next. In some cases, you will get a link in your email to reset your password. If someone has already hacked your email, they will see the link too. How about those questions they ask? Well, if you are a celebrity with nude photos, maybe they already have looked up your mother's maiden name or know who your maternal grandmother is? Sometimes, the answer to these questions can be found in your Facebook.

3) Then there is malware! A keylogger could have been placed on your computer to capture and upload everything you type in. Other malware can do similar things!

4) Poorly designed security systems (a "pet peeve" of mine): Ideally, if you forget your password and the web administrator sends you an email and tells you what your password is, something is very wrong. Employees at a company should NOT have access to your passwords, especially if the employees have not undergone a background check. Simple. Most passwords need to be encrypted all along the way from your computer to the website you go to. Then, the password should stay encrypted. Unfortunately, I've seen way too many web programmers who keep passwords in a flat file available to almost anyone. Including people who hack into the web site.

5) Hackers breach company security and get to the data they need: While you may have all sorts of protection on your computer, many companies have little or no security on their systems. For example, Home Depot, Target, Neiman Marcus, Anthem, the federal government (OPM), and others. These are all places that have been successfully hacked and information was stolen, including passwords (see my comments above; passwords should be encrypted). The only thing I can suggest is to pay attention when news of a data breach happens and vow to never patronize these places again. Hopefully, some of them received large fines or a big slap on the wrist.

6) Ever put your password in while someone looks over your shoulder? I knew someone who could capture whatever you are typing in like that.

7) Public WiFi! Be careful when using public WiFi. Contrary to what some believe, unless you are using SSL (HTTPS) encryption, everything going from and to your computer over public WiFi can be read by someone sitting in Starbucks with a laptop and some readily available software. Or someone in the parking lot could be "war driving".

8) Post-it Notes: Do you leave your passwords written down somewhere? Does anyone you don't know or trust get near to that piece of paper?

9) Phishing: I refuse to use any link that some place sends me in an email telling me to click on it and log in to check my account! They make it very hard to tell the real email from the phony email and, once you enter your ID and password, they upload it and then send you to the actual website to check your account so you won't know a thing has happened.

10) Endpoint Protection: You really should have some "anti-virus" (I hate that term) or desktop security software and use it, even if it becomes a pain in the butt.

I hope some of this helps.

Post was last edited on October 16, 2015 10:53 AM PDT
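Item 1 says there are ways around a three-strikes lockout "depending on how it is implemented", which is the heart of the original question. The following is an added example, not code from the original post or from any CNET member: a per-account lockout of the kind the question describes (three failures inside a window and the account locks), run over a constructed authentication log, next to a detector that looks across accounts instead of within one. The log format, the `auth FAIL user=… ip=…` fields, the thresholds and every IP address are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: one line per attempt, ISO timestamp, result, user, source IP).
# Five accounts each receive exactly two guesses from rotating addresses; "grace" is a real user
# who mistypes three times from one address; "frank" mistypes once after a good login.
SAMPLE_LOG = """
2015-10-16T09:00:00 auth FAIL user=alice ip=203.0.113.10
2015-10-16T09:00:05 auth FAIL user=bob ip=203.0.113.10
2015-10-16T09:00:10 auth FAIL user=carol ip=198.51.100.7
2015-10-16T09:00:15 auth FAIL user=dave ip=198.51.100.7
2015-10-16T09:00:20 auth FAIL user=erin ip=192.0.2.33
2015-10-16T09:03:00 auth FAIL user=alice ip=192.0.2.33
2015-10-16T09:03:05 auth FAIL user=bob ip=192.0.2.44
2015-10-16T09:03:10 auth FAIL user=carol ip=192.0.2.44
2015-10-16T09:03:15 auth FAIL user=dave ip=203.0.113.99
2015-10-16T09:03:20 auth FAIL user=erin ip=203.0.113.99
2015-10-16T09:05:00 auth OK user=frank ip=203.0.113.5
2015-10-16T09:06:00 auth FAIL user=frank ip=203.0.113.5
2015-10-16T09:30:00 auth FAIL user=grace ip=203.0.113.77
2015-10-16T09:30:30 auth FAIL user=grace ip=203.0.113.77
2015-10-16T09:31:00 auth FAIL user=grace ip=203.0.113.77
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Turn the raw lines into event dicts, skipping anything that does not match the format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def per_account_lockouts(events, max_failures=3, window=timedelta(minutes=15)):
    """The classic control: lock an account after max_failures failures inside the window.
    Returns the set of accounts that would have been locked."""
    locked = set()
    recent = defaultdict(list)          # user -> timestamps of recent failures
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # forget failures older than the window
            q.pop(0)
        if len(q) >= max_failures:
            locked.add(e["user"])
    return locked


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Look across accounts instead of within one: a window in which many accounts each see a
    few failures, with every per-account count kept under the lockout threshold, is a spray.
    Source IP is deliberately not used as a key, since the attacker rotates it.
    Returns a summary of the first such window, or None."""
    fails = [e for e in events if e["result"] == "FAIL"]
    for i, start in enumerate(fails):
        per_user = defaultdict(int)
        ips = set()
        for e in fails[i:]:
            if e["ts"] - start["ts"] > window:
                break
            per_user[e["user"]] += 1
            ips.add(e["ip"])
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            return {"start": start["ts"], "accounts": len(per_user), "ips": len(ips),
                    "attempts": sum(per_user.values())}
    return None


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockouts(ev))   # only grace
    print("spray window:", detect_spray(ev))                           # the attacker's burst
```

Run as a script, the per-account rule locks only the legitimate user who mistyped three times, while the attacker, who never exceeded two guesses per account and changed address every two attempts, is invisible to it; the cross-account view is what surfaces the burst. In production the detector would key on more than counts (shared user agent, identical timing, the same handful of guessed passwords) and would raise an alert rather than print.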

Thank you For The Explanations

The phishing explanation really got me. I'd heard of "phishing," but never knew exactly what it was. I often wondered if some of my emails supposedly from my bank, and other places where I do business, really were from them, and I've always been relieved that they were immediately opened. It never dawned on me that it was a clever way to get my password by using it immediately to open my account, or a web site. Thanks a ton for listing all of these devices.

Easiest Thwart To Phishing

I teach this (TRY TO) to all my end-users: _USE_PLAIN_TEXT_ when reading email. I know Outlook has a toggle to change ALL/ANY RTF/HTML coded emails to plain text.

What most SHOULD do but do NOT is 'hover' over the included URLs/links inside ANY email (thus revealing where you'll REALLY be taken if/when you click); they don't pay close enough attention to where the link will ACTUALLY take them. Thus, if you read ALL of your emails in plain text, you can literally see the actual underlying URL/link and where it's going to take you. I.e., while hyperlinks "look" innocent inside emails, if MOST would look underneath at the ACTUAL URL/link, they'd see IF there is any discrepancy and whether it IS a phishing attack. (The underlying URL doesn't match the highlighted text shown.)

While I know (at first) it may _seem_ like a pain, Outlook, in my example, has a simple 'click' at the top of the "plain email" to change it _back_ to HTML/RTF. (ONE CLICK!) Of course you'd only do that where there are either NO underlying links/URLs, or no HTML that hides the REAL link to begin with.

...other email clients I've tried allow the same option(s), that is, to 'read' in plain text for this very purpose, and it is USUALLY one click to put 'em back to HTML. (Sometimes it's difficult to read all of those fancy hyperlinks and the codes, etc...) SO ONE click and you're viewing in HTML.

Lastly, CHECK EVERY SINGLE "G00gle" search - they're getting QUITE clever at getting their phishing sites to the top of a search result. To deceive you, they cleverly CHANGE the actual URL; for example, if you were to search for @crobat reader, then searching for '@dobe' seems to always come up AT THE TOP with something like '', GIVING the end-user the IMPRESSION it's an actual 'Ad0be' site. NOTE: That search result will send you to '' versus the 'real' @dobe site. And as of late, they're getting VERY good at making these phishing sites' home screen look identical to the site you THOUGHT you were going to. (I purposely exchanged a couple of letters for the actual letters in this post; it seems these forums do NOT like you/us to use 'other' company names when posting.)

Running my own servers, I see, on a CONSTANT AND DAILY basis, a script running from who-knows-where (even though you can tell their IP address, it's LIKELY a zombie acting on behalf of the real site/hacker's workstation via some sort of proxy; they've zombied someone's machine) from where they _try_ to log in. And even THEN, they're getting clever: as I have MY system LOCK 'em out after x:xx minutes, they instruct their scripts to run only so many times in so many minutes. (Cat-and-mouse, ALL the time.) THEN they change the location where they're coming from (using YET another zombie they set up along their way when/if they get locked out). In both those cases (as mentioned in the article), CHANGE YOUR PASSWORDS OFTEN. Even if you're as guilty as _most_ by using the SAME passwords on _most_ sites, those passwords you use at your financial institutions should _always_ be FAR away from even being CLOSE to those you use at the "common" sites where you don't care if they 'break in', i.e. FB/Tw1tter, etc... Who cares if they get those; it's the IMPORTANT ones such as your bank you need/should keep different from ALL the others.

Almost my final note: (in MY scenario) EVEN IF THEY GUESSED my end-users' passwords (their scripts found the correct password, that is), it not only doesn't let them in (there is _NO_ "shell" assigned to _ANY_ account, so they just get put _back_ to "Login:"), but then if they DO get locked out, it STAYS locked out until the end-user calls to get it taken care of. THEN I insist to the end user, "you _should_ _really_ change your PW," by informing them YOUR PASSWORD was hacked. (Some actually don't believe me no matter how many log entries you show them that they came in from Ch1na just last night, for example.)

As far as 'remembering' all those passwords, there are MANY _very_easy_ methods of assigning your passwords. (I shouldn't mention this, but if it helps even ONE user, then I'm glad.) You can _continue_ to use the _same_ passwords on every site you visit, but use this method to make it easy to recall (in my opinion), using it/them in this fashion:

In this case ALL my passwords are the exact same (_EXCEPT MY FINANCIAL SITES_!!) and I'm ONLY using this as my password to demonstrate; it's NOT my actual PW for ANY site:

My PWs are ALL nearly identical, thus easy to recall (EXCEPT MY BANK's), and it's 'Y0URPW!' (NOTE: using a zero/number and a special character), but then I simply append the site's domain name (in SOME fashion, such as CN3T), so in this case, when I log into CNet, my PW is 'Y0URPW!Cn3t'. I have followed the 8-character rule, used characters other than alpha characters, and finally used uPPer/lOWER case combos. Even against a 'brute' force attack, if I changed my PWs every 6 months as always suggested, by the time H-MEDEPOT or T@rget got hacked, my PW has already been changed. Heck, just use the year/month to append for further help/reminders, i.e. 'YOURPW!Cn3t201506', which includes, in its own way, a reminder of when you changed it last and/or when it's due for a change (by the year/month you used).

Just some FRIENDLY suggestions, and hopefully an easy way to remember ALL the PWs we need to keep in our heads, and especially for reading emails. (Which is mind-boggling in itself - TOO MANY to remember!) While HTML email is "pretty", it's also "pretty" easy to deceive with by hiding the "real" links/URLs under what APPEARS to be natural/intended text.
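The hover check the post above recommends, as an added example that is not code from the original post or from any CNET member: a small Python script that does mechanically what the poster does by eye. It pulls every link out of an HTML email and compares where the link really points against the domain the visible text shows and against the domain the message claims to come from. The sample message, the `examplebank.com` domain and all addresses in it are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (assumption): one link whose text names the bank but whose href
# goes elsewhere, one genuine link, and one link to a bare IP address.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://examplebank.com.account-verify.example.net/login">sign in at
https://www.examplebank.com</a> to confirm your details.</p>
<p>Or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Unsubscribe: <a href="http://198.51.100.23/u">click here</a></p>
"""

# A domain name appearing in the visible link text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message; this is what 'hover' shows."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse the whitespace that HTML wrapping leaves inside the link text
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, expected_domain):
    """Flag http(s) links whose real destination is outside expected_domain, or whose visible
    text shows a domain that differs from where the href actually goes. Nothing is fetched."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        target = (parsed.hostname or "").lower()
        reasons = []
        if not under_domain(target, expected_domain.lower()):
            reasons.append("destination host is %s" % target)
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and not under_domain(target, shown.group(1).lower()):
            reasons.append("text shows %s but link goes to %s" % (shown.group(1), target))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print("SUSPICIOUS: %r shown as %r: %s" % (href, text, "; ".join(reasons)))
```

The first link is the classic discrepancy the poster describes (text says the bank, href goes to a host under example.net that merely begins with the bank's name); the third is a plain http link to a bare IP address. The script never follows a link, so it is safe to run on mail you distrust. A real filter would also compare look-alike spellings of the expected domain, which this one only catches because the destination falls outside it.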

Great summary, one comment, though ...

passwords should stay encrypted - yes, but that is not sufficient.


If my password is "SnoopiesBirthday" and it encrypts to "XXXYYYSSSDDD" (or something like that) and someone can hack the file where your service provider keeps all the passwords, then that someone only needs to send a message with the encrypted password to get past the check and never needs to know what the clear text password is.

(Remember, the password is always encrypted in the message anyway, so it is sufficient to know that version.)

In the end that just gets us back to where everything needs to be protected and encrypted, much as that is a nuisance.

At the end, lack of developer's common sense

That is assuming that someone has a means to send a message directly to the service provider without passing through an 'encryption' mechanism. In theory, you would type your clear text password and when it gets to the service provider the first thing they do is apply an encryption algorithm, which would make that 'encrypted password' useless. In the end, if that happens, it is because of a lack of minimal common-sense security measures on the developer's side. In fact, any system/app should have 'two step' encryption at a minimum: one on the user's end and another on the service provider's end, and ideally they should not be algorithms that you can reverse to get the clear text password. That way, even if the hacker gets the final version of a 'double' encrypted password, they can't really use it. They would need at least the intermediate version, which is not stored anywhere....

password making and saving

I have a simple method to generate and store passwords:

1. Set up an Excel file.
2. In the third column insert a series of five random numbers.
3. The first column gets random letters.
4. The second column gets random non-digit characters (&^%$#@).
5. The fourth column gets two random letters.

Thus I wind up with a list of about 30 new PWs, all different, like:


When I need a new PW, I take an old-fashioned Rolodex card, write the company name and the PW from the list, then cross off that PW. I file the card in my old Rolodex file alphabetically so I can find it easily, but it is NEVER stored on any electronic media.

Once I have printed out my random list, I go back and scramble all the entries and then delete the Excel file.

Some clarification here..

A lot of people don't know that malware can scan your drive and in seconds discover any credit card or other information, and guess which numbers are likely credit cards, SSNs, and passwords. This gets shipped off to the criminal's database for later use if need be.

I've used test scanners that do the same thing the malware does, and they cannot decipher any of this information from my password manager's vault, now that I block all browsers from saving passwords and form-filling information. CCleaner can also delete form-filling information if that works for you.

So no - the crooks do not necessarily need a keyboard logger, or a Trojan horse exactly, or to phish you by email; all they have to do is deposit a scanner that is undetectable for just a few minutes to get the job done. No anti-virus or anti-malware can do all that is needed to protect you - a good HIPS can go a long way toward adding to this defense, as behavior such as this could possibly be detected by behavior analysis and a good Host Intrusion Protection System. HIPS do not rely on definitions for each malware, so they have an advantage in this area. CNET has many of these reviews on site - just go by the user reviews to see which are best.

If you are lucky MBAM will block the web server trying to receive this information from your computer, but the bad guys keep getting new addresses every hour of the day, and like I said, you can't rely on any one rivet in your armor of PC defense. It takes defense in depth to come anywhere near something resembling good security practices.

Other posts here will cover other good practices needed for this awareness.

Not usually...

Usually the encrypted password is no good for logging in. The normal login steps are:
You submit your password (over an encrypted link)
The host system encrypts it via a one-way encryption algorithm (i.e. if you know the encrypted p/w you can't work out the clear text p/w)
The host system compares the encrypted p/w with the previously stored encrypted p/w. If they match you have passed p/w authentication and are logged in.

Hackers can penetrate this method by finding, as Gerrd says, the file of encrypted passwords on the system. They can then apply their computing power and time to seeing if any of the encrypted passwords match their database - they can maintain and generate huge databases for this purpose. Usually they can find some or many easily detected common passwords (e.g. 'password', 'passwyrd', '1234567890', etc.) and then move on to more complex patterns involving dictionary words and even common patterns of random letters and numbers - human beings are quite predictable in their behaviour.
Our best strategies for defeating them are:
1. Use long (e.g. at least 10 characters) passwords.
2. Use random strings of mixed upper and lower case letters, numbers and 'special characters' (the other punctuation marks and symbols on the keyboard)
3. Use different passwords for different sites
4. Change the passwords regularly - more often for the most critical sites where personal information and money are protected!

To keep track of these passwords you need a password manager tool. I use KeePass - others are available. They usually have a password generator included, helping you to generate very long and complex passwords.

Whether this helps to protect your private information from our 'friendly' governments I know not.

Not Exactly

The connection is made with SSL. You enter your user info and password in plain text. The website (on your PC) encrypts the password and then sends that to the website, remembering that the entire thing is also encrypted by SSL. That is, the unencrypted password is never transmitted to the server. That part is done on your PC. Remember that this is not a case of an interactive PC. Any webpage is created by a computer program running under your browser in HTML or JAVA, etc. When you click "login", the information you entered gets encrypted before it gets transmitted. Otherwise, the developer would be in trouble with federal law, in many cases. You never want an unencrypted password to travel over the Internet, ever.

And the Poodle.
You have the sequence incorrect

The only encryption done on the client side is the SSL connection. The encryption done to compare against the login info is done entirely on the server. If it were done on the client side then it would not be secure. Because then, if an attacker gets the password file he never needs to bother decrypting it. He can just use it as-is and spoof the login message.

The protection of the plain text password on its way to the server is SSL.

Encrypted form of pwd is not enough

Just having the encrypted form of the password isn't enough for a hacker - at least, not at that stage. There are databases available for hackers (and anyone, really) to then search the encrypted characters for their text equivalent.

This works well, so long as the password used dictionary words, normal date formats, names, etc. It doesn't work on passwords like #j7Ep[2*w4X@ because it is highly unlikely that it would be in the database.

If you only have the encrypted form of the password, you can't do anything with it (other than trying to get the text equivalent as above). However, if hackers already got into the database to get that encrypted password, there are a host of issues to worry about.

Not That Easy to Do

Unless you know how to format and send your own messages, it is not that easy to insert the encrypted password into the message. You can't just go to the login screen and use the encrypted password instead of the unencrypted one as the software will try to encrypt it. Also, not only do you have to insert the encrypted password into the message, the entire message has to be encrypted through SSL which (hopefully) the banks are probably using correctly. So, you would need to capture the message and decrypt it, since it is in SSL. Find the encrypted password and then create a new logon message to insert the encrypted password into and then encrypt the whole message with SSL.

Isn't SSL dead yet?
Not Yet Pushing Up Daisies

Browsers like Firefox tend to go with the newer secure protocols. However, if it hits an SSL 3 site, it pops up an error message that it can't connect. According to the help, there are still sites using SSL 3. Browsers should be using TLS. Thanks for pointing that out.

The password is encrypted on the server

Having the encrypted password on the client side cannot be used as-is. I think someone else on here has already listed the steps, but here it is, again.

User provides the password in plain text. It is encrypted by SSL and sent to the server. At this point, the client cannot influence the process any further. The message arrives at the server and is decrypted from SSL back to plain text. It is encrypted there, by the server, and compared to the username/password record.

So, there is no way to pass the encrypted password to the server in any way that will be compared to the login info directly. The server will always treat that incoming message as it comes out of the SSL pipeline as plain text and encrypt it prior to the comparison.
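To pin down the exchange above in running code, an added example that is not the thread's own code nor any poster's: a minimal server-side password store in Python that does what the last few replies describe. It hashes whatever string arrives after TLS has been stripped, using a random per-user salt and a slow KDF, and then runs the two attacks the thread argued about: replaying a stolen stored record as if it were the password, and cracking leaked hashes offline against a list of common passwords, once for a site that stored plain SHA-256 and once for the salted store. PBKDF2 with 100,000 iterations, the user names and the candidate list are assumptions for the demo; the thread's own `SnoopiesBirthday` and `#j7Ep[2*w4X@` are reused as inputs.

```python
import binascii
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption for the demo, raise it in production


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Server side: random per-user salt, slow one-way KDF, self-describing record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, binascii.hexlify(salt).decode(),
                                       binascii.hexlify(digest).decode())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     binascii.unhexlify(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, binascii.unhexlify(digest_hex))


def login(user_db, username, submitted):
    """What the server does with whatever string arrives in the login request after TLS
    is removed: hash it and compare. It never compares the raw submission to the record."""
    stored = user_db.get(username)
    return stored is not None and verify_password(stored, submitted)


# --- offline attacks against a leaked credential store ---------------------------------

COMMON_PASSWORDS = ["password", "12345", "letmein", "qwerty", "passwyrd"]   # constructed list


def unsalted_lookup_table(words):
    """A precomputed table works when the site stored plain SHA-256: one table, every user."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in words}


def crack_unsalted(leaked_hex, table):
    return table.get(leaked_hex)


def crack_salted(stored, words):
    """With a per-user salt there is no shared table: every guess is rehashed per user."""
    for w in words:
        if verify_password(stored, w):
            return w
    return None


def demo():
    """Run both sides and return the outcomes so they can be checked."""
    db = {"chuck": hash_password("SnoopiesBirthday"), "admin": hash_password("password")}
    r = {}
    r["correct_login"] = login(db, "chuck", "SnoopiesBirthday")
    # The stolen record submitted as the password: the server hashes it again, so it fails.
    r["replay_stored_hash"] = login(db, "chuck", db["chuck"])
    table = unsalted_lookup_table(COMMON_PASSWORDS)
    r["unsalted_common"] = crack_unsalted(hashlib.sha256(b"password").hexdigest(), table)
    r["unsalted_random"] = crack_unsalted(hashlib.sha256(b"#j7Ep[2*w4X@").hexdigest(), table)
    r["salted_common"] = crack_salted(db["admin"], COMMON_PASSWORDS)
    r["salted_strong"] = crack_salted(db["chuck"], COMMON_PASSWORDS)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %r" % (k, v))
```

Two points from the thread fall out of the run. The stored record is useless at the login prompt because the server hashes whatever it receives, so an attacker who only has the database still has to recover the clear text. But the salt does nothing for a password that is on a common-word list; it only stops one precomputed table from being reused across every user and forces the work to be redone per account, which is why the slow KDF matters as much as the salt. And, as one reply noted, an attacker who already has the database usually has the session cookies, backups or application code too, so the hash is rarely the last line of defense.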

There is one main way

use a password manager

but still:

1) Guess: use a password manager.
2) Forgot password: encourage your provider to use two-factor authentication for reset (use cell phone message). Security questions: use a security question manager (NEVER answer truthfully).
3) Keep your anti-malware up-to-date or use something other than Windows.
4) Admins with passwords: Just say "No!" :(
5) Hackers breach security: NEVER NEVER NEVER use the same passwords on different sites. Use a pw manager that forces you to use different passwords.
6) Observation: Use a good password manager. If someone sees this: and they can remember it, well, good luck with that.
7) Public wi-fi: Don't. Just wait.
8) Auto-emoticons: Turn 'em off. Post-it notes: If you can type it off a post-it, the password is too simple. Try typing gt5UosUb/flF2E3w correctly.
9) Phishing: Don't click through to sensitive sites. Use bookmarks or type it yourself.
10) Yes, use anti-malware/endpoint protection/anti-virus software.

Strange Passwords may not be good enough!

Unfortunately, even a password like the one in your message, gt5UosUb/flF2E3w, can be remembered by using words associated with the string, like:
go to 5 Unusual old style Universal businesses slash find 1 Friend 2 Eat 3 wheaties.
Of course, most people will use shorter passwords, making it even easier to capture.

The better way is by using biometrics, such as fingerprint readers, or retinal scans, such as the ones used in the new Microsoft Lumia Smartphones. Also, two factor authorization is a current method which is quite secure. I have been using it for several years, with PayPal and eBay. Way back then, they offered the encryption device for free!
I keep it on my keychain and although it does add an extra step, mine has never been compromised.

Fingerprints are a dead end. Can't change them.
Fingerprints are Alive

While it is true that your fingerprint can be copied, there is no reason that you have to use your thumb, pointer or index fingers on either hand! Why not use your pinky, or your ring finger? These are rarely used and anyone trying to compromise your system is going to look for index or pointer fingerprints!
If you are leery about using fingerprints, then wait until the Lumias from Microsoft hit the market next month, since they will have true retina scanning capability!

Biometrics are not the end-all

You misunderstand the problem.

When you use your fingerprint at a given site, your fingerprint is being digitized, which essentially makes it a password. If, at any point, that data is compromised, (and, we all know, it will be,) your "password" is now compromised forever. And, any particular finger will have been used on 1/10th of your sites. They may gain access to a lot of important sites before you find out that you've been compromised.

So, yeah, you can use different fingers. And even retinas. But, eventually, you'll run out of body parts. And you have no way to create new "passwords."

On top of that, are details like which technology is used to capture the fingerprint. A capacitance fingerprint reader will produce a different signature than an optical reader. I suspect that even different readers of the same technology will often produce incompatible signatures. Are we going to build multiple reader technologies into each device, for people who log in from different places?

I'm pretty sure that biometrics will always remain a niche technology. There are some situations where it makes a lot of sense. But, it's inappropriate for widespread use.

Daffy shows us why it's a one and done solution.
PayPal Has Never Been Compromised???

Don't be sitting back believing that!

This isn't THAT long ago, either.

Sooner or later, thanks to a dEaD SnowDEAD, the Russians will have all of our information - Don't worry, it won't be long before we have all of theirs, too.

- and think of this, (he's currently hired as their "Russian Counterpart" to being an Engineer for the Russian FBook equivalent, or WAS) - now I ask you; If you were from ANY other Country, would _YOU_ trust dEaD SnowDEAD with YOUR data?

From Russia or ANY country for that matter - trusting him is like agreeing to "Heads I win, tails you lose!" Yeah, he's one TRUSTWORTHY and Patriotic "Pal" I'd like to have a beer with. (Not!) dEaD, show us how it's really done - you know, don't you? (Things are already changing on your surprised Benedict Arnold anniversary, aren't they? But you don't mind sharing this sort of information with us now, do you? You've shared it all with China and Russia; now how about helping us poor fellas back here where you _used_ to be trusted and ended up becoming a traitor ANYWAY?!)


Yes, but those users were not using two factor authorization.
If they were naïve enough to just use a password, then Caveat Emptor.

Bad Addy

Post was last edited on November 9, 2015 3:58 PM PST

Re: Bad Addy
Hacked passwords

There are many ways to get your passwords: looking over your shoulder, tapping your wireless access when you are on a non-encrypted wireless network and then logging on to a non-secured site, all the way to getting a key logger installed on the computer you are using. If you have only one PW for all sites, then they can log in as you, anywhere.

This is why proper pw use includes multiple passwords each for different sites. Just so you know, I only touched on a few ways, there are many more.

More often than not, they ask you

They pretend to be someone they're not and get you to hand over your password. Usually in the form of a legitimate-looking email from a company that you frequent. Once I emailed a strong complaint to dropbox because they sent a legitimate email with a link for me to sign in to see the updated TOS. They should know better.

Passwords are useless

No matter how long or complex your password may be, it can, and will be, hacked. I'm afraid you just have to live with it. And, whatever you do, do not trust a password manager: Buy yourself a Rolodex (yes, they still make them) and then keep the Rolodex locked up in a desk drawer.

Absolute Rot!

It may be that "No matter how long or complex your password may be, it can, and will be, hacked."
But THAT is NOT a good reason to NOT use good passwords, and to say so is straightforwardly irresponsible.
To use a good password manager IS important, especially if you have 100+ passwords to remember. Yes, someone who REALLY wants to subvert all your efforts, just MIGHT be able to beat your system (and might not), but the REAL point is, if you make it tough enough most hackers simply won't bother.
- I have the best part of 300 passwords and I use LastPass.
- I use mostly 16 part complex passwords (but some less than 16 because of poor password management by quite a lot of stupid, poorly educated, LARGE(!), companies.)
- And I'm not about to challenge anybody to try to get into my system, because (I guess) maybe they can.
- BUT I make it tough! AND since most of my stuff is almost completely unimportant, I believe I am pretty safe.
MY advice is:
1. USE a good password manager,
2. LEARN good password habits, i.e. don't tell anyone; don't write them down; and REMEMBER a good password for your password manager!
3. NEVER click on an address that comes to you via an email. NEVER open ANY of your accounts from an email. ALWAYS go to a new tab and open a site, using your password manager.
