How Hackers Really Crack Your Passwords

In movies, hacking is all finesse, excitement, and genius coding, but in reality it's angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night.

-- Ginsberg.

Hey there Zero Cools, Neos and Seatec astronomers, I'm Trace.

Thanks for tuning in for some DNews.

Passwords are like apples in a fictional garden: they're perfect, ripe, and there for the taking, if you know how.

Websites have a lot of different ways to store passwords: hashing, salting, tokens, two-factor authentication -- we have a whole video about it -- but hacking a password?

That's a lot more fun, right?

So first, for n00bs: passwords aren't stored as words, but as a set of encrypted characters called hashes.

They look like this.

If I want to access your account, I don't really need your password, I just have to find the thing that lets me decrypt that hash!

To do that, hacker communities created 'lookup tables' and 'rainbow tables' -- data files of common passwords that are pre-hashed.

Password123 hashed is this.

abcde12345 hashed is this.

If a hacker did this beforehand, and has millions of passwords, they just compare them and they can get access to your account.

And hackers can do this comparison really fast.

In a test for Ars Technica, a computer could try 350 billion combinations every second!

350 billion password guesses.

How common does your password feel now?

But companies have a weapon against rainbow tables -- it's called "salt!"

Not like literal salt.

It's basically taking random chunks of code and tossing them into the hashed password.

As our AP Donna says, "It changes the flavor."

If salted hashes are found, the rainbow tables are useless; they'll never find a match!

Computers aren't great at problem solving, so even this little change can fumble automated hacking programs.

Without the tables, everything takes longer.

Hackers have to find out how the salt was added -- beginning of each password?

After the 15th character?

Is it different for every user?

Then they have to figure out what the salt characters are; one encoder, bcrypt, puts $2a$ at the beginning of every hash…

But usually, salted passwords are enough to stop a lot of hackers, because it's faster to change tack and use dictionary attacks or brute force attacks -- these were made famous in Mr. Robot.

Dictionary attacks use wordlists to take common passwords, like Password123, and just try them out.

They salt and hash them on the fly, and compare them to passwords in the database at the speed of light.

Brute force attacks are even more crazy: starting with, say, "aaaa", salting and hashing it various ways and then comparing those to the database, then "aaab," then "aaac..." you get it.

They just try every possible combination.

It takes FOREVER.
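To make the lookup-table-versus-salt point concrete, here is an added Python example that is not part of the DNews video: it builds a lookup table from a constructed wordlist, shows that a per-user salt makes that table useless while a dictionary attack that salts and hashes on the fly still finds a common password, and shows that a long passphrase outside the wordlist is not found. SHA-256 stands in for whatever hash a site uses; real systems should use a deliberately slow password hash such as bcrypt.

```python
import hashlib
import secrets

# Constructed wordlist standing in for a list of common passwords (not real leaked data).
WORDLIST = ["123456", "Password123", "abcde12345", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    # Salt is prepended here; a real database stores the salt next to the digest.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_lookup_table(words):
    # Precomputed digest -> plaintext map: what a lookup or rainbow table boils down to.
    return {unsalted_hash(w): w for w in words}


def lookup_table_attack(stored_digest, table):
    # One dictionary lookup, no hashing at all at attack time.
    return table.get(stored_digest)


def dictionary_attack(stored_digest, salt, words):
    # The salt is known (it sits beside the digest), so each guess is salted and hashed on the fly.
    for w in words:
        if salted_hash(w, salt) == stored_digest:
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)
    salt_a, salt_b = secrets.token_hex(8), secrets.token_hex(8)  # per-user random salts
    unsalted = unsalted_hash("Password123")
    salted_a = salted_hash("Password123", salt_a)  # two users, same weak password...
    salted_b = salted_hash("Password123", salt_b)  # ...but different salts
    passphrase = salted_hash("correct horse battery staple", salt_a)
    return {
        "unsalted_found": lookup_table_attack(unsalted, table),      # table hit: 'Password123'
        "salted_table_hit": lookup_table_attack(salted_a, table),    # None: table is useless
        "same_password_same_hash": salted_a == salted_b,              # False with per-user salt
        "salted_dictionary_found": dictionary_attack(salted_a, salt_a, WORDLIST),  # 'Password123'
        "passphrase_found": dictionary_attack(passphrase, salt_a, WORDLIST),       # None
    }
```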

Sidebar: and this is why randomly generated passwords don't always help.

In a 2014 study done for DARPA by a security company, half of our "random" passwords use the same five patterns to construct that "randomization."

Because nothing's actually random -- we have a video about it.

Hackers know this and just copy those methods and add them to the pile of known passwords.

When it comes to simple text, computers are wicked fast.

A hacker doing a test for Ars Technica cracked over 10,000 passwords in 16 minutes just trying combinations at random within the password specifications (less than 8 characters, capital letter, lowercase letter, et cetera).

Hackers are in a constant race against time, not necessarily because the Feds are right over their shoulder like in the movies, but because once a company or agency realizes they've been hacked, they usually adjust security and go public, encouraging users to change their passwords.

Which is why hackers just hack YOU.

If you're on an open wifi network without a password, you're basically shouting your passwords for anyone listening to hear.

Some hackers will set up fake "Free WiFi" points to get common passwords and email addresses.

Still others just use spam!

If you click on a Word document or link in an email, it can execute code on your computer, called malware, to copy everything you type (including passwords, credit card numbers and so on) and send it direct to the hacker.

And still others pose as Facebook security, or as a representative of the bank, or as the IT department… some will CALL YOU ON THE PHONE.

Never EVER give someone your password EVER.

If they're the company, they already have it!

Why spend all that time hacking a server if I can just trick you into telling me your


The moral of the story, other than that hacking is crazy interesting… is to use long, complicated passwords.

And never use the same one twice.

Long passwords are harder for dictionary and wordlist-based attacks to solve quickly.

It's actually less important to use passwords where letters are numbers -- instead, use a long set of words…

Like "correct horse battery staple" or song lyrics -- easy to remember, but so long it would take a hacking program years of computing time to guess!

It's sort of like that old joke about running from a bear: you don't have to be the fastest, you just don't want to be the slowest.

If you haven't checked out the other video we just did about hacking and passwords, do that right here.

And let us know down in the comments if you just changed your password, because I know I did after this.

Thanks for tuning in to DNews, please subscribe and come back soon.