How they figure out your password

As a companion to my posts about having rememberable, secure passwords, I wanted to cover, in general, how people ("hackers") figure out your password.

Two main methods:

  1. They figure out a bunch of stuff about you and try logging in repeatedly to your account using those things (maiden names, birthdates, etc).

     This is why the Social Networking craze is driving some security gurus nuts.  People are putting their maiden names and birthdates on Facebook for many people to see.  You'd be surprised at how much you can figure out about people from their blogs, too.

  2. They steal a password file and run a program against it.
    • Say you go to a web site and you sign up with your name, phone number, address, username & password.
      • They save it in a database.
      • The password is stored as a one-way hash (often loosely called "one way" encryption), meaning it can't be reversed to get the original password back.
    • You go back to the web site later and log in by entering the username and password.
      • The site hashes the password you just entered in the same way it did when you signed up.  It's still "one way."
      • It takes that hashed password, along with the username, and queries the database, in essence saying, "is anyone a member here with this username and this (hashed) password?"  If the password is valid, the stored values will match, because both were hashed the same way.
    • Nearly always your password is hashed when it is stored on servers and machines.

      The system never stores your password in clear text.  They *could* - some sites do - but most store only the hashed form.

      So, if a hacker wants your password, he has to crack it.  If they steal a password file, they have the hashed form of your password, not the password itself.

      They run a program that starts hashing candidate strings and comparing the results against the stolen file -- dictionary words, all the different forms of all the different dates in history (August 1st, 1887, 811887, 1187, etc), and if they still come up empty, they'll try all common names, all common pet names, things that look like addresses, celebrities, other people's cracked passwords, anything.  If they are still stymied, they broaden it more and start using combinations of letters and numbers and punctuation and special characters.  This brute force method doesn't even take that long nowadays, but the longer the password, the harder it is to crack, because they have to try more and more combinations.
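Here is the sign-up / log-in flow described above as an added worked example (not code from the original post, and not any particular web site's implementation). It assumes an in-memory dictionary standing in for the site's user table, and it uses a salted, slow hash (PBKDF2-HMAC-SHA256) as the "one way" function: the salt means two users with the same password get different stored values, so a list of other people's cracked passwords can't simply be looked up against the file, and the iteration count makes every guess the cracking program tries cost the same work it costs the site. The last two functions put numbers on the "longer is harder" point by counting the guesses an exhaustive search needs.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the site's database table (assumption: nothing persists).
USER_TABLE = {}

# Work factor: every guess, legitimate or not, must pay for this many iterations.
ITERATIONS = 100_000


def one_way(password, salt):
    """The "one way" step: password + per-user salt -> fixed-size digest.
    PBKDF2 cannot be run backwards; the only way to get the password from the
    digest is to guess candidates and re-run this function on each one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def sign_up(username, password):
    """Store the salt and the digest. The password itself is never written."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    USER_TABLE[username] = {"salt": salt, "hash": one_way(password, salt)}
    return USER_TABLE[username]


def log_in(username, password):
    """Hash what the user typed exactly the way sign_up did and compare.
    compare_digest avoids leaking how many leading bytes matched via timing."""
    record = USER_TABLE.get(username)
    if record is None:
        return False
    return hmac.compare_digest(one_way(password, record["salt"]), record["hash"])


def same_password_different_hash(user_a, user_b):
    """True when two accounts hold different digests, as they will whenever
    their salts differ, even if both people chose the same password."""
    return USER_TABLE[user_a]["hash"] != USER_TABLE[user_b]["hash"]


def guesses_needed(max_length, alphabet_size):
    """Worst-case guesses for an exhaustive search of every string of length
    1..max_length over an alphabet of the given size (the brute force case)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(max_length, alphabet_size, guesses_per_second):
    """Same count expressed as years at a constructed guessing rate."""
    return guesses_needed(max_length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sign_up("alice", "correct horse battery")
    sign_up("bob", "correct horse battery")  # same password as alice
    print("alice, right password:", log_in("alice", "correct horse battery"))
    print("alice, wrong password:", log_in("alice", "password123"))
    print("stored values differ despite identical password:",
          same_password_different_hash("alice", "bob"))
    # 95 printable ASCII characters, constructed rate of one billion guesses/second
    for length in (6, 8, 12):
        print(f"up to {length} chars: {years_to_exhaust(length, 95, 1e9):.2e} years")
```

Run it directly to see the three checks and the year estimates; notice that going from 8 to 12 characters multiplies the worst-case work by roughly 95 to the fourth power, which is the whole argument for length over cleverness.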

There is another way to steal passwords, and every password, easy or hard, short or very long, is susceptible to it: keystroke loggers.  If someone is recording your keystrokes, you are in trouble.  A strong 128 character password using half the ASCII table can still be stolen.