How Hackers Really Crack Your Passwords

In movies, hacking is all finesse, excitement, and genius coding, but in reality it's "angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night." — Ginsberg. Hey there Zero Cools, Neos and Seatec astronomers, I'm Trace. Thanks for tuning in for some DNews. Passwords are like apples in a fictional garden: they're perfect, ripe, and there for the taking, if you know how.

Websites have a lot of different ways to store passwords: hashing, salting, tokens, two-factor authentication — we have a whole article about it — but hacking a password? That's a lot more fun, right? So first, for n00bs, passwords aren't stored as words, but as a set of encrypted characters called hashes. They look like this. If I want to access your account, I don't really need your password, I just have to find the thing that lets me decrypt that hash!

To do that, hacker communities created lookup tables and rainbow tables — data files of common passwords that are pre-hashed. Password123 hashed is this. abcde12345 hashed is this. If a hacker did this beforehand, and has millions of passwords, they just compare them and they can get access to your account.

And hackers can do this comparison really fast. In a test for Ars Technica, a computer could try 350 billion combinations every second! 350 billion password guesses.

Every. Second. How common does your password feel now? But companies have a weapon against rainbow tables — it's called salt! Not like literal salt.

It's basically taking random chunks of code and tossing them into the hashed password. As our AP Donna says, "It changes the flavor." If salted hashes are found, the rainbow tables are useless; they'll never find a match! Computers aren't great at problem solving, so even this little change can fumble automated hacking programs.

Without the tables, everything takes longer. Hackers have to find out how the salt was added — beginning of each password? After the 15th character? Is it different for every user?

Then they have to figure out what the salt characters are; one encoder, bcrypt, puts $2a$ at the beginning of every hash… But usually, salted passwords are enough to stop a lot of hackers, because it's faster to change tack and use dictionary attacks or brute force attacks — these were made famous in Mr. Robot. Dictionary attacks use wordlists to take common passwords, like Password123, and just try them out.

They salt and hash them on the fly, and compare them to passwords in the database at the speed of light. Brute force attacks are even more crazy: starting with, say, aaaa, salting and hashing it various ways and then comparing those to the database, then aaab, then aaac… you get it. They just try every possible combination. It takes FOREVER.

Sidebar: and this is why randomly generated passwords don't always help. In a 2014 study done for DARPA by a security company, half of our random passwords use the same five patterns to construct that randomization. Because nothing's actually random — we have an article about it.

Hackers know this and just copy those methods and add them to the pile of known passwords. When it comes to simple text, computers are wicked fast. A hacker doing a test for Ars Technica cracked over 10,000 passwords in 16 minutes just trying combinations at random within the password specifications (less than 8 characters, capital letter, lowercase letter, et cetera). Hackers are in a constant race against time, not necessarily because the Feds are right over their shoulder like in the movies, but because once a company or agency realizes they've been hacked, they usually adjust security and go public, encouraging users to change their passwords. Which is why hackers just hack YOU.

If you're on an open wifi network without a password, you're basically shouting your passwords for anyone listening to hear. Some hackers will set up fake "Free WiFi" points to get common passwords and email addresses. Still others just use spam! If you click on a Word document or link in an email, it can execute code on your computer, called malware, to copy everything you type, including passwords, credit card numbers and so on, and send it directly to the hacker.

And still others pose as Facebook security, or as a representative of the bank, or as the IT department… some will CALL YOU ON THE PHONE. Never EVER give someone your password, EVER. If they're the company, they already have it! Why spend all that time hacking a server if I can just trick you into telling me your password? The moral of the story, other than that hacking is crazy interesting… is to use long, complicated passwords.

And never use the same one twice. Long passwords are harder for dictionary and wordlist-based attacks to solve quickly. It's actually less important to use passwords where letters are numbers — instead use a long set of words… like "correct horse battery staple" or song lyrics — easy to remember, but so long it would take a hacking program years of computing time to guess!

It's sort of like that old joke about running from a bear: you don't have to be the fastest, you just don't want to be the slowest. If you haven't checked out the other article we just did about hacking and passwords, do that right here. And let us know down in the comments if you just changed your password, because I know I did after this. Thanks for tuning in to DNews, please subscribe and come back soon.
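The episode walks through lookup tables, salting, on-the-fly dictionary guessing and long passphrases in prose. The following Python script is an added illustration of those same points and is not part of the DNews episode; it assumes a small constructed wordlist, SHA-256 as the "fast" hash, and PBKDF2-HMAC from the Python standard library standing in for bcrypt's work factor. It shows, as a defender would want to see, that a per-user salt defeats a precomputed table, that a weak password still falls to a dictionary pass even when salted, that a slow hash only raises the cost per guess, and that a long passphrase outside the wordlist is simply not found.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a real "common passwords" file.
# The weak password under test is last so every entry gets tried.
COMMON_PASSWORDS = ["letmein", "qwerty", "aaaa", "abcde12345", "Password123"]


def fast_hash(password: str, salt: bytes = b"") -> str:
    """Unsalted or salted SHA-256; here the salt is simply prepended to the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Pre-hash every word once: the precomputed table the episode describes."""
    return {fast_hash(w): w for w in wordlist}


def lookup_attack(stored_hash: str, table: dict):
    """Zero-work comparison: succeeds only if the stored hash is already in the table."""
    return table.get(stored_hash)


def dictionary_attack(stored_hash: str, salt: bytes, wordlist, hasher):
    """Salt and hash each candidate on the fly and compare.
    Returns (matched_password_or_None, number_of_hashes_computed)."""
    tried = 0
    for w in wordlist:
        tried += 1
        if hmac.compare_digest(hasher(w, salt), stored_hash):
            return w, tried
    return None, tried


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: a tunable work factor, the same idea as bcrypt's cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str, iterations: int = 100_000) -> tuple:
    """What a site should keep: a fresh random salt per user plus a slow hash.
    The salt is stored in the clear next to the hash; its value comes from being
    unique per user, not from being secret."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt, iterations)


def demo(iterations: int = 100_000) -> dict:
    """Run each scenario from the transcript and return the outcomes."""
    table = build_lookup_table(COMMON_PASSWORDS)
    out = {}

    # 1. Unsalted fast hash of a common password: the precomputed table finds it at once.
    out["unsalted_lookup"] = lookup_attack(fast_hash("Password123"), table)

    # 2. Same password stored with a random per-user salt: the table is useless.
    salt = os.urandom(16)
    salted = fast_hash("Password123", salt)
    out["salted_lookup"] = lookup_attack(salted, table)

    # 3. An attacker holding the database also holds the salt, so salting and
    #    hashing the wordlist on the fly still recovers a weak password.
    t0 = time.perf_counter()
    out["salted_dictionary"], _ = dictionary_attack(salted, salt, COMMON_PASSWORDS, fast_hash)
    out["fast_seconds"] = time.perf_counter() - t0

    # 4. A slow hash does not hide a weak password either; it only makes each
    #    guess cost more, which is what buys users time after a breach.
    def slow(pw, s):
        return slow_hash(pw, s, iterations)

    salt2, stored2 = store_password("Password123", iterations)
    t0 = time.perf_counter()
    out["slow_dictionary"], _ = dictionary_attack(stored2, salt2, COMMON_PASSWORDS, slow)
    out["slow_seconds"] = time.perf_counter() - t0

    # 5. A long passphrase that appears in no wordlist is not found at all.
    salt3, stored3 = store_password("correct horse battery staple", iterations)
    out["passphrase"], out["passphrase_guesses"] = dictionary_attack(
        stored3, salt3, COMMON_PASSWORDS, slow)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The timing numbers will vary by machine, but the ratio is the point: five PBKDF2 guesses take a visible fraction of a second while five SHA-256 guesses take microseconds, and that per-guess cost, multiplied across the billions of guesses the episode quotes, is what a slow salted hash buys a site and its users.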
