EWyatt Posted January 11, 2012
Regarding passwords. How can a hacker find a usable password to another's Internet account in a relatively short time? It takes several seconds for the accepting server to accept/deny a provided password. It would seem to take weeks to shotgun a brute-force number of passwords to finally come across the right one, even with software doing the work, right? This doesn't seem feasible. Where am I wrong?
doG Posted January 11, 2012
They've had more practice than you. Not only that, they didn't learn their knowledge in open, public forums like this one but through hidden places on the web. That's enough of a hint for now. Continue your search and if you are good enough you will find the answers you are looking for.
swansont Posted January 11, 2012
The ones that get hacked are weak passwords in systems that do not have strong protocols, i.e. systems that do not delay you with repeated incorrect login attempts. You can find lists/statistics of passwords from hacked systems (Google for them), and a surprising number are very simple passwords like 123456, iloveyou, password, and the account holder's first name.
Realitycheck Posted January 11, 2012
Gee, you'd think they would have some kind of safeguard against repeated guessing 5 times or more within a certain timeframe, or something like that. I don't know what to tell you.
iNow Posted January 11, 2012
> Where am I wrong?
Mostly at the point where you chose to attempt to hack the password of someone who has not shared it openly with you. What is your credit card number, by the way?
Cap'n Refsmmat Posted January 11, 2012
Generally the easiest route is to find their password via other means, e.g. steal it from another website they have an account on, since many people use the same password for every website.
TimeContinuum Posted January 11, 2012
I programmed a brute-force password hacker in grade 7. My school threatened to expel me if I didn't cut it out. You can PM me if you want I guess - what are the rules on these forums? You can send several thousand TCP/IP requests simultaneously if you want.
Edited January 11, 2012 by TimeContinuum
swansont Posted January 11, 2012
> I programmed a brute-force password hacker in grade 7. My school threatened to expel me if I didn't cut it out. You can PM me if you want I guess - what are the rules on these forums? You can send several thousand TCP/IP requests simultaneously if you want.
The rules have a link near the top of the page, and in this post. Rule 3 is applicable in this case. Asking how people hack is OK; it's informative. Asking for or providing help in hacking is not.
> Generally the easiest route is to find their password via other means, e.g. steal it from another website they have an account on, since many people use the same password for every website.
That's one of the common themes in weak password discussions. There are also phishing methods to get people to give up their passwords.
EWyatt (Author) Posted January 12, 2012
Thanks to some for the information. To the others -- I can't understand why a person cannot ask a simple question without being accused of underground motives. Note: I DON'T want to hack anyone or anything! I'd just like to understand how someone can throw tens of thousands of password attempts at a system effectively. My original question still stands -- and I understand the simplicity of cracking the "12345" or "iloveyou" type passwords; however, most people aren't that stupid.
StringJunky Posted January 12, 2012
> Thanks to some for the information. To the others -- I can't understand why a person cannot ask a simple question without being accused of underground motives. Note: I DON'T want to hack anyone or anything! I'd just like to understand how someone can throw tens of thousands of password attempts at a system effectively. My original question still stands -- and I understand the simplicity of cracking the "12345" or "iloveyou" type passwords; however, most people aren't that stupid.
If I was running a social website that required a password I would implement a system that only allowed a very limited number of incorrect logins and then the system would be programmed to automatically lock out any further login attempts and send an email to the associated account to reset the password via a link in the email.
Edited January 12, 2012 by StringJunky
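
Added example, not written by any poster in this thread: a minimal Python sketch of the lockout scheme described in the post above (a limited number of failed logins inside a time window, then a lock that only an e-mailed reset link clears). The class name, the thresholds and the `outbox` list standing in for the mail queue are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Lock an account after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so the window can be tested
        self.failures = {}          # account -> timestamps of recent failures
        self.locked = set()         # accounts waiting for a password reset
        self.outbox = []            # stand-in for the reset e-mail queue

    def attempt(self, account, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if account in self.locked:
            return "locked"         # refused without checking the password
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        now = self.clock()
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(account)        # this guess was the last one evaluated
            self.outbox.append(account)     # queue the reset link for the owner
        return "denied"

    def reset_via_email_link(self, account):
        """Called when the owner follows the reset link."""
        self.locked.discard(account)
        self.failures.pop(account, None)

def guesses_evaluated(throttle, account, n_guesses):
    """How many of n wrong guesses were actually checked against the password."""
    results = (throttle.attempt(account, password_ok=False) for _ in range(n_guesses))
    return sum(1 for r in results if r == "denied")

if __name__ == "__main__":
    t = LoginThrottle()
    print(guesses_evaluated(t, "alice", 10_000))   # 5
```

A hard lock keyed only on the account name also lets anyone lock the legitimate owner out, which is why many deployments prefer increasing delays to a permanent lock.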
swansont Posted January 12, 2012
> I'd just like to understand how someone can throw tens of thousands of password attempts at a system effectively. My original question still stands -- and I understand the simplicity of cracking the "12345" or "iloveyou" type passwords; however, most people aren't that stupid.
Most people probably don't get hacked, either. People are, however, lazy and forgetful. http://www.worldstart.com/weak-password-statistics/
The analysis found that 16 percent of passwords were someone’s first name, 14 percent were simple passwords, such as “1234” or “qwerty,” five percent were names of TV shows or movies, four percent were “password” and three percent were passwords like “whatever” and “I don’t care.” If you add all of that up, weak passwords accounted for 42 percent of all the passwords analyzed. Wow!
doG Posted January 12, 2012
> Thanks to some for the information. To the others -- I can't understand why a person cannot ask a simple question without being accused of underground motives. Note: I DON'T want to hack anyone or anything! I'd just like to understand how someone can throw tens of thousands of password attempts at a system effectively. My original question still stands -- and I understand the simplicity of cracking the "12345" or "iloveyou" type passwords; however, most people aren't that stupid.
You can't throw 10s of 1000s of attempts at a box that uses a lockout after several failed attempts. Sometimes you can backdoor the server, though, that the user's account is on and hack the security file where the passwords are stored. Rainbow cracks are often employed with this method. Other methods may include forcing a buffer overflow in the server to insert a background process or utilizing something like a SQL injection attack to get the user logon form to misbehave. Like I said earlier, these people have a lot more practice than you at doing this. There are a vast variety of methods that may be employed and most will not involve shotgunning a brute-force number of passwords to get through.
Edited January 12, 2012 by doG
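
Added example, not written by any poster in this thread: the post above mentions a stolen password file and precomputed ("rainbow") tables, and this Python sketch shows the storage-side defence, a per-user random salt with a deliberately slow key-derivation function, next to the unsalted fast hash that precomputation relies on. The plain dictionary stands in for a real rainbow table (which is a chained time-memory trade-off), and the user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

def unsalted_sha256(password):
    """Fast, unsalted digest: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

# Constructed stand-in for a precomputed table, built from the weak
# passwords named earlier in the thread.
PRECOMPUTED = {unsalted_sha256(p): p for p in ("123456", "iloveyou", "password")}

def audit(users):
    """users: name -> password. Report what a leaked password file would
    expose to a precomputed lookup under each storage scheme."""
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_exposed": sorted(u for u, h in unsalted.items()
                                   if h in PRECOMPUTED),
        "salted_exposed": sorted(u for u, r in salted.items()
                                 if r["hash"].hex() in PRECOMPUTED),
        # With salts, two users sharing a password no longer share a hash.
        "salted_hashes_distinct":
            len({r["hash"] for r in salted.values()}) == len(salted),
    }

if __name__ == "__main__":
    sample = {"alice": "iloveyou", "bob": "iloveyou",
              "carol": "correct horse battery staple"}   # constructed accounts
    print(audit(sample))
```

The salt only removes the benefit of precomputation; a weak password can still be guessed against one account at a time, which is what the slow KDF and the login lockout are there to make expensive.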
EWyatt (Author) Posted January 13, 2012
Thanks, doG..... What you suggested is indeed a way for hacks to get past the password requirements. This answers most of my concerns. Thnx again!