Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Please help me understand how hackers get passwords?

Oct 9, 2015 10:04AM PDT

I read and understand that I need to have a very strong password for my accounts, especially financial and email, in order to thwart intruders. But one aspect of all this confuses me. If I incorrectly enter my password three times on some of my accounts, I am automatically locked out and have to contact the institution to gain re-entry. Doesn't the same apply to hackers? Or are they getting access to my password through other means? Note that I am not talking about key loggers, Trojan horses, phishing, etc. Thanks in advance.

--Submitted by Chuck G.

The only problem with that is they'd also need to know...
Oct 17, 2015 10:23AM PDT

The only problem with that is that they'd also need to know your username. If that site was asking for two specific items of data like an e-mail address before they allow you to test your password then I'd question it a bit more.

Of course there is the possibility that they could monitor your IP address on the site, and find out where else that IP address has come up and what e-mail address was being used with the other sites (a bit of a long-winded way round to get the information, and as many people have dynamic IP addresses it's highly unlikely to work - but it's certainly possible!)

WOT helps..
Oct 18, 2015 4:38PM PDT

That is where Web Of Trust extensions help. Many anti-virus products also come with web site evaluation, but WOT was the best one I've ever used. McAfee's SiteAdvisor is a close second (hate their crapware though - be warned!)

true
Oct 18, 2015 8:21PM PDT

They don't ask for a user id and your IP address usually changes on the WAN side of your router with most ISPs.

Your computer passwords are stored in your computer
Oct 16, 2015 10:21PM PDT

A knowledgeable hacker may be able to find your stored passwords on your computer.
For example, this article discusses where the passwords are stored in Windows 7. Here's one part of the discussion:

"Windows account details are stored in the SAM registry hive. It stores passwords using a one-way-hash (either LM Hash, which is old and weak, or NTLM hash which is newer and stronger.)
The SAM hive file is located at %WinDir%\system32\config\sam. This directory, and its parents, are by default inaccessible to non-administrative users. However it is vulnerable to offline attacks (e.g. booting a LiveCD and manually modifying the binary data. For example with the ONTPRE tool.)"

Once your computer passwords are in the open a hacker has access to everything on your machine.

And if you let your browser store your online passwords you are taking a big risk. So don't.
https://support.mozilla.org/en-US/kb/where-are-my-logins-stored#w_how-to-tell-where-your-login-will-be-stored

Storing passwords for automatic logon is another bad idea.

Trusted friends
Oct 17, 2015 12:11AM PDT

When users ask how to protect themselves from password hackers they automatically think it's someone in a foreign country trying to steal their identity to ultimately get their money.
Even online support workers and replies here will suggest the common encrypted password with password managers and firewalls, and then obviously using unique combinations of alphanumeric characters that you should change regularly (I mean, who does that).

In reality your biggest concern is the people that already know you.
Husbands spying on wives, parents on children, or even teen girlfriends who suspect their friend is backstabbing them or taking their partners. It's not for their money!

Facebook just about demands you share all your details. If you don't, you'll get constant messages that your profile has not been set up fully!
One of their friendly gestures is to set up trusted friends. This is actually quite common. Again, family tend to be trusted friends, and so do their closest friends. Those closest friends may in turn add others who are also close friends. This is the way of Facebook: friends sharing stuff (with strangers!).

As a trusted friend on Facebook, they can easily gain your password without your permission! This is actually a feature of the forgotten-password process, and as long as they have 24hrs before the victim (your friend or family member) checks up on what's happening with their account (and who checks anyway?), they can gain FULL access to all your personal messages and, well, everything!

This 'trusted' identity theft is likely the MOST common of them all. I'd say it's happening everywhere, but no one speaks of such dishonest friendships; it's just not done.
The same applies to every forum online. If you send enough pleading emails to the forum administrator or moderator saying that your original email is no more, with enough evidence that you are who you say you are (when you aren't), the admin (even here) will allow a one-off password reset to a totally different email that might even have the user's name in it! It is not hard to do this even to strangers online.

Generally we automatically think of credit card theft online, with everyone confirming yes, there's an S in that HTTPS website, so that we forget that the other half (or more, likely more) of the time people hack your passwords to read your private stuff. I'm sure any teen boy would LOVE to see what his girlfriend is writing in private messages - just become a trusted friend.

This is to help you understand how 'hackers' get passwords. And it is not talked about.
I seem to be the first here to let you know, with ALL those large replies up there. No one likes to say their friends (and family) may be the first likely culprit.

Browser stored passwords
Oct 17, 2015 12:20AM PDT

I think I am fairly safe with passwords as I have them on an SD card that I only plug in when I need it, but Firefox also stores some of my passwords. A box appears asking if I want to save the password for this site and I click yes. I'm not sure where or how Firefox stores the passwords but how secure is that? Can hackers easily get to that file?

Firefox security
Oct 17, 2015 1:05AM PDT
Only one browser is secure (for now)
Oct 18, 2015 4:46PM PDT

I don't remember if it is Firefox, but the one that does it uses encryption, and the rest of your post is very valid here. On all the rest they are either vulnerable, or don't bother to use encryption, and can't be configured to do so either. One could run CCleaner after every session, but that is a pain!

Browser stores passwords?
Oct 17, 2015 3:20AM PDT

It is not very secure and I won't have it.

In Firefox you can go tools->options->security and take away the "store passwords" tick. You lose a bit of convenience but it's safer that way.

(Sure, it is convenient to keep a spare key under the doormat ...)

Cyber-Security course
Oct 17, 2015 12:39AM PDT

Hi

If you are interested in how to really make your system secure, there is a marvelous on-line Cyber-Security course put on by the UK Open University and Future Learn at https://www.futurelearn.com/courses/introduction-to-cyber-security.

The course is completely free, takes about 3 hours per week for 8 weeks. I completed it a few weeks ago and found it very useful. It is on-line but with a useful forum and tutor feedback.

It covers your specific question about passwords, and a whole lot more.

(NT) Gone
Oct 17, 2015 11:39AM PDT
Not only that...
Oct 18, 2015 4:50PM PDT

but their SSL only has one domain verification - not the best SSL situation to be in!

Quick answer then more
Oct 17, 2015 5:54AM PDT

Your basic question seems to be "if I lose my password how can I get back into the website securely?"

Website providers have a bunch of secure mechanisms; my favorite is sending a code to your cellphone that you have to enter into the website to get access. It's unlikely that the bad guys will hack your phone as well as your internet connection. The code only works once, so even if the hackers are watching your connection they won't be able to use the code after you do.

Other thoughts: use nonsense answers to the security questions; that way it will be hard for others to sniff them out. By all means use a password manager (and keep those nonsense answers there, too). Many password managers will help you generate great passwords as well as store them.
You will still have to remember the password for your password manager; make sure it's a great one.
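The post above describes a one-time code sent to the phone that "only works once", so a code captured in transit is useless after the legitimate user has entered it. The following is an added example of the server side of such a scheme, written for this thread and not taken from the post or from any provider it mentions. It shows the four properties a practitioner would want to check: the server stores only an HMAC of the code rather than the code itself, a code is burned the moment it verifies (so a replay fails), it expires, and guessing is capped so the code cannot be brute-forced online. The server key, the account name, the fixed clock, the five-minute lifetime and the three-attempt cap are all assumptions made up for the example.

```python
"""Single-use recovery code, server side.  Added example for this thread, not
code from the original post.  Key, account, clock, lifetime and attempt cap are
constructed assumptions so that the example runs offline and deterministically."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # assumption: a code lives five minutes
MAX_ATTEMPTS = 3            # assumption: same "three tries" budget the thread discusses


class OneTimeCodeStore:
    """Issue a code, verify it exactly once, then forget it."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}  # account -> {"mac": bytes, "expires": float, "attempts": int}

    def _mac(self, account: str, code: str) -> bytes:
        # Keep an HMAC of the code, not the code: a leaked table is not a usable login.
        return hmac.new(self._key, f"{account}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = {
            "mac": self._mac(account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # in production this goes to the SMS gateway, never back to the browser

    def verify(self, account: str, code: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                    # never issued, already used, or already burned
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False                    # expired codes are burned, not retried
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]
            return False                    # online guessing hits the same wall as a password
        ok = hmac.compare_digest(entry["mac"], self._mac(account, code))
        if ok:
            del self._pending[account]      # single use: a replayed code finds nothing to match
        return ok


def demo_replay_expiry_lockout() -> dict:
    """Walk the legitimate path and the three failure modes with a constructed clock."""
    now = [1_700_000_000.0]
    store = OneTimeCodeStore(b"constructed-server-key-not-for-production",
                             clock=lambda: now[0])
    results = {}

    code = store.issue("chuck")
    results["legit"] = store.verify("chuck", code)      # True: first use
    results["replay"] = store.verify("chuck", code)     # False: eavesdropper replaying it

    code = store.issue("chuck")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("chuck", code)    # False: delivered too late

    code = store.issue("chuck")
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)   # a guess guaranteed to be wrong
    for _ in range(MAX_ATTEMPTS + 1):
        store.verify("chuck", wrong)
    results["locked_then_real"] = store.verify("chuck", code)  # False: burned by guessing
    return results


if __name__ == "__main__":
    for name, outcome in demo_replay_expiry_lockout().items():
        print(f"{name:18s} {outcome}")
```

This covers only what the server does with the code. Whether the phone itself, or the channel that delivers the code, can be taken over is a separate question that the example does not address.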

Passwords and stupid people
Oct 17, 2015 6:53AM PDT

I spent years working in communications, voice and data, and for a while my company was owned by IBM. Most people do in fact use the simplest of passwords, and far too many create one that they then use to access everything. Others will put a file on their computer that says "password list" or write it on the blotter on their desk.

I do have one file on my computer, but not only is it encrypted, it also has a title that has zero to do with security or passwords. It only exists on one of my 3 home computers and is not on my tablet, smart phone or laptop. I have a 4 sheet copy of my passwords that is at my house stored away. I actually take the time to change them on a regular basis. I use a password manager to save my passwords, and I never use my computer on an unsecured network unless I'm just looking at daily news at locations that require no password access.

By the way, when it comes to tablets and smartphones most people never read the permissions they grant when they install apps. Many of them get full administrative control of your device, which means they have access to everything. They also get permission to access all contacts and contact information. If you refuse permission most will not install. Most also access your camera and all pictures taken, plus they can operate your camera at any time without needing your permission. They also prevent your device from going into sleep mode, so unless you completely power it down.

Speaking of IBM..
Oct 18, 2015 5:06PM PDT

They just bought out one of the best anti-keylogger, screen capture, and anti browser manipulators yet - known as Rapport. Rapport is the only product I've tested that prevents all the events tested by the utility called AKLT - Anti KeyLogger Tester.

It requires few updates, and no definitions, and can work within an infected environment in case your HIPS, AV, or anti-malware cannot detect the infection. Which is becoming more and more a reality these days with all the Advanced Persistent Threats (APTs) out there!

Even better it is free and can be acquired at your bank, eBay, or IBM's site as IBM end point security.

Random Number Generators
Oct 17, 2015 8:52AM PDT

These are software which anyone with a degree in computer sciences, or very talented hackers, can use to defeat ANY security system. Even the Pentagon, White House, and Capitol Hill.

A Random Number Generator spends all of its time sending random numbers to a computer until, eventually, it comes upon the correct code. It then LISTS what it has found for the software user.

See the original "War Games" movie, with Matthew Broderick, for more detailed information.

A bit more
Oct 17, 2015 9:02AM PDT

The protection against an attack by a professional with a random "number" generator is that they (and you) will be locked out after a few failed attempts. That's when the recovery mechanism involving your cellphone comes into play.

Random Number Generators
Oct 17, 2015 11:37AM PDT

That is why 20 character or better passwords should be used. It would take millennia to hit the right password.

That may have been true in 1995 but today? 20 seconds?
Oct 17, 2015 11:50AM PDT
in a 64 character class, 20 characters would be...
Oct 17, 2015 1:19PM PDT

I know. Two decades ago an 8 character password could be solved in a few hundred billion years and computers are advancing rapidly. I promise to change my bank accounts before 50 years elapse. That should provide enough of a safety margin, even if compute speeds improve to where 20 characters in a 64 character class can be cracked within thousands of years.

That's not what I've read in the cracking channels.
Oct 17, 2015 1:28PM PDT

Maybe we are wishing for 1,000 year crack times. Even WPA2 is now just a few hours no matter what the password is. They do that with a cloud cracker.

Passwords are pretty overrated for security but it's all we have today.

Today's cracking software uses GPUs to accelerate the crack. Your numbers sound like single CPU non-optimized time spans.

Let's pray..
Oct 18, 2015 5:16PM PDT

that most web sites lock out after three tries - since I use a password manager, I don't know how common this extra step is. So far though, Lastpass is not automatically generating 20 character passwords, because most web sites won't take them anyway. In fact most of the sites I go to choke on just the encryption algorithm Lastpass uses even now. It might take 20 seconds or longer just to digest the password before logging on.