
Please help me understand how hackers get passwords?

Oct 9, 2015 10:04AM PDT


I read and understand that I need to have a very strong password for my accounts, especially financial and email, in order to thwart intruders. But one aspect of all this confuses me. If I incorrectly enter my password three times on some of my accounts, I am automatically locked out and have to contact the institution to gain re-entry. Doesn't the same apply to hackers? Or are they getting access to my password through other means? Note that I am not talking about key loggers, Trojan horses, phishing, etc. Thanks in advance.

--Submitted by Chuck G.


Most helpful info here!
Oct 17, 2015 3:01AM PDT

Your post contains by far the most helpful info so far.

My favorite is "don't follow links from email" (and if I may add: don't open attachments from email if you have the least suspicion that it isn't from a really trusted party! And be as suspicious as you can!)

And, absolutely right: use the most un-hackable passwords you can think of and don't leave them lying around!

And, when you are on an open Wifi, don't do anything (ANYTHING, you hear?) confidential.

If you want, have strong passwords - different ones - for each critical website - banking, mail order, etc. And have less powerful ones, if you wish, for discussion forums (like this one.) There is less incentive to put a fake posting in under your name than there is to get at your money ...

I use LastPass as well...
Oct 17, 2015 6:09AM PDT

It is a pain to have to use a password manager, but if you do I would also recommend LastPass. I have been using it for years now, and love the security it brings.

securing PWs
Oct 17, 2015 8:13AM PDT

I agree. Use the Rolodex - I do. And use Excel with imagination to generate random numbers and letters and some non-digits as well.

Passwords are NOT useless - unless you make them useless.
Oct 17, 2015 9:58AM PDT

Imagine the scenario where you leave your Rolodex locked in the drawer at home while you go away for a week. You return and see that it is gone, and the thieves have a week's head start. Even if it is in an office drawer over a weekend it can disappear, and in offices there are many opportunities for theft. Not to mention when you leave for lunch, forget to lock your drawer, and your co-worker decides to take a gander. A desk drawer is a lot LESS secure than LastPass (and perhaps other managers).

Your passwords on LastPass are highly encrypted on their end and they are UNable to access them. Only people with your master password (presumably only you) can decode them. If you lose your master password, LastPass can NOT recover your passwords and you will have to regenerate them. LastPass (and others) will automatically generate nonsense passwords (that will not be found in a dictionary attack program) if you wish it to. You can set the length of the passwords to a size that could be hacked only by years of computer power, and unless you are a known high-profile target they will not bother. LastPass will fill in your user name and password at your sites. If you wish, it will also store other information unrelated to your computer, i.e. your safe deposit box number, phone numbers or almost anything. It can be used on your phone and other devices as well as your desktop or laptop. It also allows for two-factor authentication, which makes it much harder to hack your accounts.

Regrettably, we make it simple for them.
Oct 9, 2015 6:49PM PDT

Most of what HForman says covers the general realm of what hackers can do, though the Home Depot etc. attacks were more inside jobs and any passwords gathered were hashed and not in the clear.

There are 2 different classes of problems. The first, and simplest, is as HForman noted the use of dictionary attacks against weak security systems. You can buy dictionaries with tens of thousands of passwords culled from every book, movie, TV show, sports team, famous figures, pet names, etc. Not to mention "123456" and "password"!! The recent break-in at Ashley Madison showed how weak most of the passwords were.

This is a problem of passwords in general. Many sites require a password of at least 6 but not more than 8 characters, and may or may not require mixed case and/or numbers and other symbols. And that's a problem. Most people use the shortest password possible. How many passwords are "Spock1" ... "Spock999"? Quite a lot of them. But many algorithms for determining the strength of a password would say that "Spock357" is at least medium security, even though it really isn't. Sites should allow much longer pass phrases rather than passwords. For example, the phrase "IWalkedTheDogThisMorning" is extremely secure even though it doesn't have numbers or special characters (or it was secure until someone reading this throws it into a dictionary).

Next is that we are all pretty lazy. We come up with what we think is a good password and then use it everywhere. This leads to the ability to break into a low security system (like a user forum), steal the user names, email addresses, and passwords, and then use those to try and break into a higher security system (like Facebook), and from there try and scavenge your bank information and work their way into that.

Most low security systems use a 1-way digital signature hash routine called MD5, and store that instead of your password. When you put in your password, it generates a signature and compares that to what's been stored. You cannot decrypt an MD5 signature back into the original password. Which is great, until you find out that you can buy a dictionary of millions of passwords and the MD5 signature for each (it's actually a lot cheaper just to write the code to do it yourself, and only takes about 30 lines of code to do). If they can get the hashed passwords, they can simply search and see if your password signature matches one in the dictionary. That gives you the original password, or at least a working alternate (MD5 can generate the same signature for 2 different pieces of text, but the odds are astronomically against it).

For the moment, the only thing you can do is to try and pick passwords unlikely to be in any dictionary, and not to use the same passwords for both low and high security sites. A good way is to pick a phrase and use the first letter of each word. For example, "I lived at 3 Main Street" becomes "Ila3Ms". This is pretty random looking, and isn't likely to be in a dictionary (except it might be now). It's easy to remember and not something you'd be likely to need to write down.

After that, use common sense. To repeat what was said earlier, don't send secure information over unsecured networks. Never respond to any email requesting your password or other credentials. Beware of phishing attacks (my favorite lately is a fake Rosetta Stone email). When in doubt, go directly to your company's website or call them and ask them if a suspicious looking email is legit.

Need a much longer password
Oct 9, 2015 11:25PM PDT

"Ila3Ms" is an extremely weak password. A 7-character password will appear in a rainbow file, and will be cracked in a fraction of a second.

What I do is I have a long "salt" that I use for every password. Something along the lines of ThisIs(My*PasswordJunk. Then, I come up with some prefix for the site I'm creating the password for. For CNet it might be DMetterForumThisIs(My*PasswordJunk. Facebook might be FutreedSoshulThisIs(My*PasswordJunk. It's a nonsense word at the front, plus my junk. This makes for a long password that I have some chance of remembering, but is unlikely to fit a password guessing rule.

But, I don't rely on memory. My passwords are stored in a password manager. I rarely have to type them. I just copy and paste from the password manager. And, I made a rule for myself that when I'm creating a new account I *always* type the password into my password manager and copy it from there to the website password field. That way, I can be certain that what's in my password manager matches what the website has.

I have another way to come up with hard to guess passwords
Oct 17, 2015 3:11AM PDT

Great advice!

I have come up with the "song lyrics" approach, but of course you could also make it the Shakespeare Quote Approach or anything you like.

Example: A song by Francoise Hardy, many years old:

Tou les garcons et des fille de mon age se promene par les rues deux par deux (don't hit me if my French is rusty, it hasn't been used a lot, and using a language that people don't associate with you can only help.)

How do I make that into a password? Look at this:

Tlgedfdmaspplrdpd

Seventeen characters long and easy to remember if you used a song you won't forget - just the first letter of every word. Modify this if you wish - uppercase unexpected characters, use the oh-so-popular number substitution (pa55w0rd instead of password - in itself no longer a deterrent, but in unexpected places ...)

good one
Oct 17, 2015 6:40AM PDT

This is what I do: I have a phrase that I use, pretty much something no one would think of because it relates to something private in my life, and I use the first letter of each word, plus a few numbers. Just think of something that happened to you.

Previous articles
Oct 9, 2015 8:40PM PDT
Ars Technica has a very good article from a coupla years ago. Follow some of the links for a little more info.

The short version, the hackers break into a forum or commerce website and download the user/password file. Even if the passwords are encrypted, they can be discovered. Anything under 8 characters has already been cracked, and can be simply looked up. Those "Rainbow Files" of cracked passwords also include every word in the dictionary. Plus, many common combinations of words, like sports teams. Example, DallasCowboys. One site I found says that about 30% of passwords on a given site can be found in a pre-computed/dictionary attack.

After that, with today's graphics cards, a cracker can test a mind-boggling number of guesses each second. Usually, they're trying to crack as many passwords as possible within a file of many thousands or even millions. The time to crack goes up by about 150x for each extra character, so, longer passwords are better.

Except, crackers have found common informal rules that many people use when coming up with passwords, which greatly cuts down the number of guesses they need to make. Like, ending a password with the number "1" or "99". That puts longer passwords within reach. So, if they have a particularly attractive email address that they want to concentrate on, they may be able to crack even very long passwords in the course of a few days.

So, that's the short version. Read the article. It has good information. And, it should give you some ideas for search phrases to learn more.

Drake Christensen
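Two points from the thread side by side: the "Regrettably, we make it simple for them" post notes that class-counting strength meters rate "Spock357" as medium, and the post above explains that crackers apply informal rules (appended digits, number substitutions) to reach such passwords cheaply. The added Python example below is not part of any post here; it shows a naive class-based meter next to a checker that undoes those rules before consulting a small wordlist. The wordlist, the rating thresholds and the substitution table are constructed for the example and are not taken from any real cracking tool.

```python
import math
import re

# Constructed mini wordlist; real cracking dictionaries run to millions of entries.
COMMON_WORDS = {"password", "spock", "dallas", "cowboys", "dallascowboys",
                "letmein", "qwerty", "telephone"}

# Undo the popular substitutions (pa55w0rd -> password) that cracking rules try
# first. Constructed table for the example.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes and the alphabet size each adds to a brute-force keyspace.
CLASS_SIZES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def keyspace_bits(pw):
    """log2 of the brute-force keyspace implied by length and observed classes.
    This is the optimistic view a class-counting meter takes."""
    if not pw:
        return 0.0
    alphabet = sum(size for pattern, size in CLASS_SIZES if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet)


def naive_score(pw):
    """The kind of meter the thread criticises: looks only at length and class count."""
    classes = sum(bool(re.search(pattern, pw)) for pattern, _ in CLASS_SIZES)
    if len(pw) < 8 or classes < 2:
        return "weak"
    if len(pw) >= 16 or (len(pw) >= 12 and classes >= 3):
        return "strong"
    return "medium"


def candidate_base_words(pw):
    """Apply the informal rules in reverse: lowercase, strip leading/trailing digits
    and symbols ('Spock357' -> 'spock'), and undo number substitutions."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def rule_aware_check(pw):
    """Rate a password the way the posts say crackers actually attack it.
    Returns (rating, reason)."""
    if len(pw) < 8:
        return "weak", "under 8 characters: inside precomputed rainbow tables"
    hits = sorted(w for w in candidate_base_words(pw) if w in COMMON_WORDS)
    if hits:
        return "weak", f"dictionary word {hits[0]!r} plus a common mangling rule"
    return naive_score(pw), "no dictionary base word found; length/class estimate"


if __name__ == "__main__":
    for pw in ("Ila3Ms", "Spock357", "pa55w0rd", "DallasCowboys99",
               "IWalkedTheDogThisMorning"):
        rating, reason = rule_aware_check(pw)
        print(f"{pw:26} naive={naive_score(pw):6} bits={keyspace_bits(pw):5.1f} "
              f"rule-aware={rating}: {reason}")
```

"Spock357" scores medium on the naive meter but weak once the trailing digits are stripped and "spock" is found in the wordlist, while the long passphrase passes both checks.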
Getting over the Rainbow
Oct 17, 2015 8:32PM PDT

So, to get past the rainbow files, the password chosen needs to be:
1 - more than 8 characters
2 - Not in the English language dictionary at any length
3 - Obviously enough, not something you've used on any other site.

You can generate these by:
1 - using a random password generator (these exist free standing)
2 - using the password generator built into your password manager, e.g. LastPass
3 - the first letter of each phrase method, but this requires at least a 9 word phrase, and you have to have a "special character rule" like translating "at" into "@".

You then need to remember them. I find LastPass safer and more efficient than the Rolodex method because I use too many devices.

My workplace RSA key was once compromised by the Chinese, who hacked RSA itself to break the key. Luckily, they were after Lockheed (I hear) and not interested in smaller fish. That said, 2 factor authentication ESPECIALLY for the email you use for resets is vital. It is probably worth having an email address used for no other purpose than sensitive password resets (your bank)

There are plenty of ways for hackers to gain access..
Oct 10, 2015 3:57AM PDT

Hackers can actually find many passwords quite easily. Sometimes they manage to get lucky by using password hints if you've set one. I had one friend who told me once, "You'll never guess my password" - she said it's a catalogue firm that she used to work for in Preston. I said to her, "Is your password Great Universal?"... Guess what - yeah, that was her password (she quickly changed it). Of course that was quite simple, as Great Universal was possibly the only and largest catalogue firm in Preston - there were others, but chances are if someone said they worked for a catalogue firm in Preston it was highly likely to be Great Universal!

Not only that, sometimes you might have the most secure password in the world, and then use it on multiple accounts. When you put a password into a system, if the system is a good secure system it should turn your password into a code. This specific code cannot be turned back into the password, and can also be generated for a few different combinations of letters - a basic example of this would be if I took someone's password and added up the letters by their position in the alphabet. If I did this, a password of, say, abcd would equal the number 10 (1+2+3+4). OK, but if someone had the password badc, that would also equal 10. That way I can't ever go back to the right password from that code, because that same number could be generated from abcd, bacd, bcad, bcda, etc. (which is why, when you forget your password, if it's a secure system it shouldn't be able to tell you what your password is).

The good thing with that system is that if someone hacks into the main computer that stores this password, they can't see the password - all they can see is these "hash codes", which are useless 'cos you can't really reverse them properly. This is why when Sony got hacked they were a bit worried but reassured everyone that their passwords were safe - because all the hackers got were these codes, which could turn into a number of different passwords. (When you go to log in, your computer turns your password into this code before it sends it via the internet, and if the codes match then the password must be right - so you could actually log in to a site with the wrong password as long as you got it to generate the same code.) Many sites use MD5 for generating the code but also add a "salt" number which is unique to that site to spice things up a bit, so all sites aren't using the same codes for the same words.

There are, though, a few problems with this. Firstly, some firms don't use hash codes to protect passwords; some just store the password. Now if you've used a password on a site that just stores the password instead of encrypting it, and that site gets hacked, then it's possible that all other sites that you use the same password for could also be hacked. My sister had this done to her once - she had the same password for a number of accounts including her Sony, Facebook, Gmail, PayPal accounts, etc. The hackers figured out her password and went through all the accounts and bought loads of games on the Sony account - since then she's ensured she always has different passwords.

Another problem is that when you sign up for an account with a site, you assume that the site is all legit and going to store your password safely. There are billions of websites out there, and only so many will store your password safely. Some will actually take your password and use it to see if it opens other accounts: when you register for an account on a website, most of the time it asks for your e-mail address, and if it's an online email address like Gmail, Yahoo or Hotmail, and they're a fake website, they will also try that password with other accounts to see what other accounts it opens. And even if it is a well known website, sometimes hackers can take over the site and put fake login pages up; it has happened to even the big companies like Sony.

The next stage is dictionaries. If they've got this "hash code" from the website, they can't turn it back into the original password because it's impossible, but they can run it through a dictionary to find a password that it could be. A dictionary will have a list of common passwords and the codes that these passwords could produce; searching for that code in the dictionary will come up with obvious passwords that might have been used. This is why, when making a password, they always say add numbers and symbols to the password, because it makes it harder for them to search through. Going back to that example before: if I had a code of, say, 9 and I knew the password was 3 letters long, there are a number of possibilities here - the password could be dda, ccc, dbc, or dad (there are a few more as well). But out of those 4 passwords, which do you think is most likely to be the correct one? It's most likely to be dad. But if we altered the password and made the "a" the symbol "@", and we said that the @ symbol has a value of 27, well, the number we'd get then is 35 - that number now gives us a lot more possible combinations that the password could be - it could be zed.

So it's not just from your end that hackers can gain passwords, it's also from the big corporations they can hack, and it might even be they get the password from one corporation, or website and because you've used the same password across multiple websites they're able to use that across other sites.

I know you might be thinking, well, starting off trying to get the password just by keep putting in one letter and incrementing it would take a long time, but hackers don't try that trick - they generally do know the password of the person they are trying to hack. Also, one other way of staying safe is to not use passwords of words that are found in the dictionary, or if you do, change the spelling: for example if your password was "telephone" try spelling it "telefone". Chances are the hacker's dictionary will only have telephone listed rather than the hash code for telefone, which would give a totally different code. The code for those two in just plain MD5 would be:

telephone - b9bb7e7b00a4ba1e0d15fa8b2485d8c4
telefone - 401f10c2e4cabb5f2d7c1b4aeaaa69ce

Very similar words but totally different codes.
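Putting the hash explanations from the "Regrettably, we make it simple for them" post and this one into running code: the added Python example below is not part of any post here. It precomputes an MD5 lookup for a tiny constructed wordlist, recovers passwords from a constructed leaked database of unsalted hashes, and then shows the defender-side alternative of a random per-user salt with a slow PBKDF2 hash, which no table built in advance can cover. The wordlist, user records and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "dictionary of millions of passwords" the posts
# describe; a real cracking wordlist is many orders of magnitude larger.
WORDLIST = ["123456", "password", "Spock1", "Spock357", "DallasCowboys",
            "telephone", "letmein"]


def md5_hex(text):
    """Plain, unsalted MD5 as the low-security sites in the thread store it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_md5_lookup(words):
    """Precompute md5(word) -> word once; afterwards every leaked hash is a cheap
    lookup. This is the 'dictionary of MD5 signatures' the post describes."""
    return {md5_hex(w): w for w in words}


def leaked_unsalted_db():
    """Constructed example of what a breached low-security forum might leak."""
    return {
        "alice": md5_hex("Spock357"),
        "bob": md5_hex("password"),
        "carol": md5_hex("IWalkedTheDogThisMorning"),  # long passphrase, not in WORDLIST
    }


def crack_unsalted_db(db, lookup):
    """Match each stored hash against the precomputed table; None means no hit."""
    return {user: lookup.get(stored) for user, stored in db.items()}


def store_salted(password, iterations=200_000):
    """Defender side: random 16-byte salt per user plus a deliberately slow KDF.
    Two users with the same password get different records, so a table built in
    advance is useless and each guess has to be recomputed per record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    lookup = build_md5_lookup(WORDLIST)
    for user, pw in crack_unsalted_db(leaked_unsalted_db(), lookup).items():
        print(f"{user}: {pw if pw else 'not in dictionary'}")
    rec_a, rec_b = store_salted("password"), store_salted("password")
    print("same password, same salted hash?", rec_a["hash"] == rec_b["hash"])
    print("verify correct password:", verify_salted("password", rec_a))
```

With the unsalted table, alice and bob are recovered instantly while carol's passphrase is not; the two salted records for the identical password "password" differ, so the same table trick does not apply.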

Some web sites have very poor SSL implementation..
Oct 18, 2015 4:15PM PDT

So that can be another problem on the web - also if they don't use SSL at all, but most folks know to look for the padlock in the address bar by now. If you suspect an email company is doing poorly paste their address with SSL sign on, to Qualys and it will tell you how well the web master is doing.

To avoid putting an address link here I'll just type Qualys(dot)com as a hint on how to get there.

Obviously if the site uses no SSL, your entire data session can be sniffed by the crooks, and they can see everything you are doing on that site.

There are MANY ways
Oct 10, 2015 6:47AM PDT

There are many ways hackers get passwords. The first and easiest is to try various "default" passwords, because a lot of people don't want to be bothered to change them. This particularly affects home and (very careless) business routers. Once you get past the router, you can just capture packets, and a lot of passwords are sent unencrypted or under easily breakable encryption.

Some hackers phish for them, sending them an email linking to a fake website that requires them to enter their name and password for a real site, like a bank. This is why you should NEVER, EVER click on a link in an unsolicited email that you don't know for sure is valid.

This also works over the phone. Some con men get it just by posing as bank personnel and just asking. Just remember -- the system administrators on the computers NEVER, EVER need your password -- they already have access to everything they need.

Then there are keyloggers. If you are careless it is possible that you have been infected by malware that records and reports your keystrokes back to a third party. Indeed, some businesses keep track of their employees' activities this way. Some of this malware will come with you to work when you move work between your home and workplace on a USB thumb drive.

Some are easily guessed. It is amazing how many people use "password," or something like 123456.

Public WiFi is always a danger. People can capture those data packets you send, which can contain login information.

There are many other ways. A dictionary search can be accomplished quickly at today's computer speeds. Brute force -- trying all combinations -- still cracks many passwords. Sometimes outside technicians are brought in to do work on servers and they obtain the root passwords, and then use these to get complete control of a system -- this may be how Target got hacked. You should ALWAYS change all the passwords on systems you have allowed untrusted outsiders to work on.

Sometimes just snooping around an office will do it. It is amazing how many people write down their passwords somewhere obvious. This is how the guy in "War Games" changed his grades.

Some systems and software have "backdoors" inserted by the developers. Some of us old guys still remember the "Wizard's Password" in SendMail. These can be MUCH more cleverly concealed nowadays than that one was.

In short, there are too many ways to list -- these are only a few out of many. Generally speaking, you should never trust links in email, you should only enter critical systems like your banking data from your home wired network, and you should keep your passwords strong and well-protected. This does not eliminate all risk, mind you. Nothing will do that. But it does minimize the risk to the point where the hacker will probably need to be targeting you specifically, or getting into your data through some other point (like the bank's server).

You Left Out One Option
Oct 16, 2015 11:09PM PDT

The phishing explanation really got me. I'd heard of "phishing," but never knew exactly what it was. I often wondered if some of my emails supposedly from my bank, and other places where I do business, really were from them, and I've always been relieved that they were immediately opened. It never dawned on me that it was a clever way to get my password by using it immediately to open my account, or a web site. Thanks a ton for listing all of these devices.

not having to remember passwords
Oct 10, 2015 10:33PM PDT

I have been using software "RoboForm" for some years now.
I really like it, for it creates randomly generated passwords using any or all of the character sets and up to 256 characters. I have been using a size of 16. It can auto-fill and does not display the characters.

For each login a "passcard" is created containing the URL for auto-seeking and auto-filling.

A master password can also be used, the only one you need remember.

I like to use caps and numerals only and find it frustrating when sites require special characters and/or lower case.

Like vs. Need
Oct 11, 2015 12:13AM PDT

Using RoboForm, you can use all character sets. Why limit yourself to just upper case and numerals, as it is less safe?
If all you use is upper case and numerals, then there are only 36 valid characters in your password (26 + 10). If you used a combination of all of those you mentioned, you are probably looking at a minimum character set of 256 characters from the western character set. It is actually safer to add the numbers in the middle of the password rather than the end. I have no issue using all of them. Just think of a phrase, like "I hate my wife!". Remove the spaces if the password request doesn't allow spaces: "IHateMyWife!". Notice I added both caps and a special character. Now some trickery: "I H@teMyW1fe". My best one was for a passphrase I used 154 characters. That included quotes, punctuation, spaces. Obviously it was set up for a cut-and-paste of a direct quote that nobody would associate with the passphrase for this and was in a text file relating to something else entirely.
It really depends on what you are trying to protect. For example, if it is your recipe file, why bother. But if this is on an enterprise computer and the data contains PII (names, address, date of birth, telephone number, social security/tax number, etc.), well that is why we had to use multiple layers of encryption including SHA-1 for each data line and GPG at 2048 bits for the file itself with both encryption and signing where the data was real live people and real SSNs. (OPM, are you listening?).
I think part of the reason that places require exotic passwords is because if they get hacked and someone uses info from your account, it could cost the web site a lot of money to fix and pay federal fines.

Whoa - you're brave!
Oct 18, 2015 4:20PM PDT

I hope your wife is not reading CNET!!

WEP and WPA versus WPA2 protocols
Oct 16, 2015 6:45PM PDT

I was amazed a few minutes ago to receive a popup message from my Kaspersky Total Security saying my computer is vulnerable. My ISP (iiNet in Australia) has just replaced a faulty Netcomm ADSL modem with a BudiiLite modem specially manufactured for them. Apparently Kaspersky was happy to accept the previous one as secure but not this one.
Their web site says "The WEP and WPA protocols are considered vulnerable. However, WPA2 (both Personal and Enterprise) is considered secure." See http://support.kaspersky.com/12050?cid=KTS_16.0#public for a lot more they have to say about Vulnerabilities of home Wi-Fi networks.
Obviously I need to blow in the ear of my ISP!!

WPA2
Oct 16, 2015 9:33PM PDT

In many cases, users have both a router and an ADSL or Cable modem in one unit. A lot of people still like to have a separate box for each. The WiFi security is usually in the router. If they left you a user ID and password, you can probably fix it yourself by hitting the unit (or the router box) with the web browser and look for the WiFi security settings and set that to WPA2 (I suggest personal). Otherwise, you probably do need to call the ISP and see if they can remote to the box to set that. If you can't connect to the box at all, you may need to use an Ethernet cable instead of wireless to temporarily get around the problem.

After selecting WAP2..
Oct 18, 2015 4:24PM PDT

which do you recommend? I hear AES is going to be secure longer than the other encryption scheme.

I'm Just Using Personal
Oct 18, 2015 8:18PM PDT

In business, we use certificates (real ones for production; self-signed for development) and RSA tokens for two-factor authentication (token + password).

I think you meant WPA2
Oct 19, 2015 7:32AM PDT

I hope we see an update to WPA2 soon. There is a cloud cracker for WPA2 which I don't like to spread the word about. But someday it will hit the news big time. For now it's usually used to get access to the internet for free and not much else.
Note: Title edited for typo by moderator.

(NT) Apologies for my dyslexia!
Oct 19, 2015 12:06PM PDT
You must be referring to TKIP
Oct 19, 2015 12:12PM PDT

because that is very weak compared to AES, but I like to hear other technicians' opinions on it. I guess TKIP was an afterthought add-on to WEP in a half-hearted attempt to improve upon it.

TKIP, AES, etc.
Oct 19, 2015 12:22PM PDT

The cloud cracker gets you in under 20 minutes last I checked.

I wish the WiFi industry wouldn't wait for Armageddon.

The budii lite does support WPA2
Oct 17, 2015 10:18AM PDT

Just checked for you on the technical specifications for the Budii Lite - it would surprise me if it doesn't support WPA2, as it's an 802.11n router and pretty much all routers that are 802.11n support WPA and WPA2, and according to the spec it should do...

http://www.iinet.net.au/hardware/budii/budiilite/?section=specs

802.11b/g, 802.11n
up to 54Mbps (802.11g), up to 300Mbps (802.11n)
2.4 GHz to 2.484GHz Frequency
2(Tx) x2 (Rx) Internal Antennas
Security: 64/128 bits WEP data encryption, WPA/WPA2 (WiFi Protected Access)
Multiple SSID
802.11e Wireless QoS (WMM/WME)
MAC address-based access control

It's possible that it's either disabled by default, or that you have something on your network that isn't compatible with WPA2 or Kaspersky have just got the wrong information.

WAP2...
Oct 18, 2015 4:33PM PDT

is almost never on by default - router manufacturers are lazy and don't like getting calls from people who don't know how to set up better encryption - so they leave WEP or a similar failure on by default, if any at all!! Most of my clients get them from the factory totally insecure - including default administrative access from the web, and default access password - or lack thereof, from the LAN side.

(NT) Correction WPA2 - Sorry!
Oct 19, 2015 12:14PM PDT
Laziness...
Oct 16, 2015 7:13PM PDT

.. in terms of security is the main culprit. Passwords like this:
ҔRQQèkæjѺzMgTÔjdõíêEQ3ÒKӱӊÆõhӎ

are unbreakable, but not many generators can produce passwords like that.
The first post here summed it up nicely.

Password Tester
Oct 16, 2015 9:47PM PDT

Try THIS:

https://howsecureismypassword.net/

You should read the page as it IS possible that a site like this could be malicious and steal your password. What I do is come up with several "dummy" passwords, in addition to mine, and test all of them, just in case.