Computer Security Technology Ltd

+44 (0)20 7621 7836 LinkedInTwitter

+44 (0)20 7621 7836 CSTL LinkedInCSTL Twitter

August 24, 2015

How do hackers steal our passwords?

If you enter an incorrect password into your online banking account three times, you’ll be locked out. So hackers must be subjected to these same limitations, right? Well actually, no they are not, and this misconception can create a false sense of security.

Too many people use easy-to-crack passwords because they are unaware of just how hackers manage to get into their accounts, it has been claimed.

The Hollywood image of a hacker involves a youngster (typically male, invariably wearing a hoodie) entering passwords into a user account before they magically stumble upon the right one. With most accounts shutting users out after three or so incorrect password entries, people often assume they’re safe.

False sense of security

In truth, though, the way hackers gain passwords is rather different. Security analyst Bob Covello raised this exact point on grahamcluley.com, after chatting with a 15-year old who asked “If I type my password incorrectly on a website, it eventually locks me out, but when the hackers do it, they never get locked out. How is that possible?”

Covello explained hackers obtain passwords through techniques known as offline attacks. These involve targeting entire servers, rather than individual accounts. As companies hold passwords on their servers, getting in this way provides a huge volume of account details, rather than just one set.


Offline attacks free hackers from lockout rules

Of course, these passwords are often highly protected behind a numerical calculation, or hash value, making them difficult to obtain. As recent high profile cases have shown, however, difficult is certainly not impossible. Furthermore, attacking offline in this manner means the hacker isn’t subject to the same rules of being locked out if they enter the wrong details three times in a row. Without the restrictions, hackers can run attempts via a machine to keep trying different combinations until they eventually get in.

Provided this technique is managed successfully, the hackers needn’t enter a password incorrectly even once. Armed with a database of account details and passwords, they can get in on the first attempt. The most likely scenario, though, involves the databases being sold on to third parties for criminal use.

Covello argued that simply knowing this difference could be enough to encourage account holders to use stronger passwords. It could also highlight to businesses just why their servers need to be kept firmly secured at all times – lest they run the risk of huge fines and plummeting trust.