How do hackers steal passwords?

We here at Prime Insight talk about passwords quite a bit.  You may be curious about how passwords are stolen.  This will be a more technical article than most.  We wanted to include this to help demonstrate why we recommend the things we do for password security.  If this is too technical for you, then feel free to ignore this article, but please follow our suggestions for password security, and just know the recommendation comes from an understanding of the types of attack.

There are a number of ways passwords are stolen.  Generally speaking, hackers will try to steal the password database from a site they hack.  This means that when a company is hacked, the user ID and password for every account that has been registered on that site could be vulnerable.

The password database is typically encrypted.  This is usually done in what is known as a hash. Your password is entered into the site, but before it is saved it is run through an algorithm.  A simple algorithm would be the decoder disks kids play with.  Any 'A' becomes a 'C', every 'C' is replaced with 'E' etc.  So if you entered 'Secured123' as your password, it would come out as 'Ugewtgf345'  The result of the algorithm is the hash.  Only the hash is stored in the database.  The next time you visit the site, you enter your password, but the site doesn't actually know your password, it only knows the hash, so it runs your password through the algorithm again and checks the result against the saved hash result.  Now this is an example of an incredibly simple algorithm,  but it demonstrates the point.  Since I only shifted the letters two to the right, it would be easily reversible. The actual algorithms used are far more complex, and are also considered to be non-reversible.   They are too complex to be worked backwards.  Only storing the hash, makes the password database more secure.  Unfortunately, there are problems with this plan.

The problem with this plan is that the algorithm is available for others to use.  So people could try entering passwords to see the results.  Hackers use programs to try password combinations.  They run their guess through the same algorithm the site uses then compare the hash they get to all the hashes stored in the database they stole.  If they get a match then they have successfully figured out the password for that account.  This is a very time consuming process.  It is also very resource intensive.  So the hacker going this route needs some relatively high-end hardware to run this type of attack, and it might take months to get some of the more difficult passwords.  Some passwords might take long enough that the hackers give up, but not many.

What do I mean by a "more difficult" password?  In a brute force attack, the more simple the password, the sooner it will be found.  The shorter the password, the faster it will be cracked.  The less complex the password, the faster it will be cracked.  So a 5 character password of just numbers will be cracked faster than a 6 character password of numbers.  Likewise the same 5 character numeric password will likely be cracked faster than a random 5 character password of upper case letters, lower case letters, numbers and special characters.  So which is more important?  Length.  The longer the password the harder it is to crack.  It is important to have complexity, but more important to have passwords be as long as possible.

Unfortunately, hackers tend to share their results.

This has lead to better cracking software.  Programs that try making common substitutions in passwords like '@' for 'a' or '5' for 's', adding a number or two on the end of common words.  Searching for dictionary words, names, even phrases from books, movies or song lyrics.

For this reason, the best passwords are completely random.  They are as long as possible (12 characters or more is recommended) and comprised of a mixture of upper case/lower case letters, numbers and special characters.

In the last 10 years there have been easily over one billion accounts impacted by these stolen databases.  Lets say a hacker (or group of hackers) that stole a large database of passwords used the above method to try to get the passwords decrypted.  They managed to get about 30% of the passwords in less than a week.  They had more than 60% of the passwords in a matter of months.  Then they published this list of 50,000,000 passwords.  These lists of passwords and hashes are called rainbow tables.  It is from hacks like this that we get the list of the most commonly used passwords.  Those passwords are now hacked in a matter of milliseconds.  

A less sophisticated or less well equipped hacker can make use of these rainbow tables.  They don't have to go through the tough, expensive brute force attack. They simply have to compare their stolen database to a rainbow table and see if anything matches.  These types of hackers are far more common.  So if your password has ever been used by anyone else who appears in a rainbow table, it is easily hackable.  In 2014 a group of Russian hackers were found with 1,200,000,000 (1.2 billion) passwords in rainbow tables.  If the password you use is in that table, it is not secure.

So what do you do about it?

First off, use unique passwords on every site, for every account.  Make your passwords as long as you are allowed to by a site.  If the site doesn't let you use a long password, it is a red flag that they are vulnerable to attack.  This is easily managed with a password manager.  Read more here.

Secondly, for any account that allows it, enable two-factor authentication.  (More on this in a future article.)

Finally, be aware of hacks in the news.  When you hear about a company being hacked, if you have an account with them, change your password on that site as soon as possible.