What you’ve described is called a “brute force attack”, and you’re quite right; it’s a rare system that allows such an attack to proceed past the first few errors.
However, hackers have other options.
Simple brute force
As you said, this type of attack involves the hacker trying to log in using your user ID with every possible password in turn.
Most good systems notice that someone has tried to log in to the same account unsuccessfully too many times and lock the account, either for a few minutes or for an extended period. Because a brute force attack is almost always automated, even a lockout of a few minutes after a handful of failures makes the fastest automated attack impractical.
But to be honest, even on a system with no lockout at all, the log-in process itself (a network round trip and server-side processing for every single attempt) is usually slow enough to make this type of brute force attempt impractical anyway.
Targeted brute force
You’ve probably seen those reports that come out every year revealing the top 100 most popular passwords. I use them as an example of how awful these popular passwords really are.
Don’t use them.
But those lists are just the top 100. Hackers can and do “stack the deck” by taking the top 1,000 or 10,000 or 100,000 passwords and trying them in order of popularity. Given how many people use bad passwords, it’s worth the hackers’ time to try them, even if there are periodic delays.
Just the top 1,000 passwords tried against a large number of accounts will probably get them access to a surprisingly and depressingly large number of accounts.
But there is a very practical way for hackers to try every possible password: they steal user account databases.
How passwords are stored
We need to focus on an important definition before we proceed.
I’ve talked and written before about how most services store your password. They create what’s called a hash of the password.
Think of a hash as a kind of one-way function. You can create a hash from a password, but you can’t recover the password from the hash. And with a properly chosen hash function, it’s computationally infeasible to find two different passwords that produce the same hash.
When you set your password, the service creates the hash associated with it and stores the hash, not your actual password.
When you log in, the service again creates the hash of whatever you typed in as your password. It compares this hash with the hash it created when you set your password. If those two hashes match, then you must have typed in the same password this time as you did when you created the password in the first place.
In other words, if the hashes match, you typed in the right password, and the system allows you to log on.
Databases of passwords
Now that we’ve seen how passwords are stored, we can look at how hackers leverage that approach to their advantage.
You’ve probably heard about various data breaches at large companies. A hacker gets in and gains access to things they’re not supposed to.
One of the goals of most of these breaches is to get a copy of the user account database. That’s the list of user IDs and password hashes. Once they have a copy of that database, they can go to work.
Later, on their own computers, and at extremely high speed, they literally try every possible password. For each candidate they compute its hash and check whether that hash appears in the database they just stole. If it does, they now know the password for the user account that had that hash: it’s the candidate that produced it.
This is where password length and complexity come into play.
It’s currently feasible to try all possible eight-character passwords in a short amount of time. That’s why most industry experts now say 12 characters is the new minimum length of a password. The amount of time required to try them all grows exponentially with length: every extra character multiplies the number of possibilities by the size of the character set. It’s just not practical for hackers to try all possible 12-character passwords today; it would take years, even with the best equipment.
So, yes, there are absolutely scenarios where hackers can and do try all possible passwords. They just don’t do it by trying to log in with each one. Using those stolen user account databases, they work offline to figure out which password produces the hash stored for your account. When they later arrive at the log-in screen, they know exactly what to type in, and need only one try to get into your account.
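As an added example (not part of the original article), here is the offline attack just described, written in Python. The attacker hashes each candidate once and looks the result up in a copy of the stolen database, first using a popularity-ordered wordlist (the “top 1,000” approach from above), then by exhausting every short password. The unsalted SHA-256 hash, the wordlist, and the “stolen” records are all constructed for this example; the user IDs and passwords are made up.

```python
import hashlib
import itertools
import string

# A fast, unsalted hash is what makes this attack cheap. It is a constructed
# choice for this example; a service should be using a slow, salted KDF.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a "top N" list, ordered by popularity.
TOP_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]

# Constructed sample of a stolen account database: user ID -> password hash.
# It is built here by hashing made-up passwords so the example runs offline.
STOLEN_DB = {
    "alice": hash_password("123456"),
    "bob": hash_password("letmein"),
    "carol": hash_password("kite"),                  # short but not in the list
    "dave": hash_password("Xr9$pL2!wQ7@bM4&zT1^"),   # 20 random characters
}

def build_lookup(wordlist):
    """Hash every candidate once: hash -> password. Because the hash is
    unsalted, this table works against every database using the same hash."""
    return {hash_password(pw): pw for pw in wordlist}

def crack_with_wordlist(stolen_db, wordlist):
    """Match stolen hashes against the precomputed table; returns user -> password."""
    lookup = build_lookup(wordlist)
    return {user: lookup[h] for user, h in stolen_db.items() if h in lookup}

def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaust every string over `alphabet` up to `max_len` characters.
    Returns the password if found within that keyspace, else None."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate
    return None

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

if __name__ == "__main__":
    print("wordlist hits:", crack_with_wordlist(STOLEN_DB, TOP_PASSWORDS))
    print("carol by brute force:", brute_force(STOLEN_DB["carol"]))
    # Assumed rate of 1e10 unsalted SHA-256 guesses/s (GPU-class cracking rig).
    for n in (8, 12):
        secs = seconds_to_exhaust(95, n, 1e10)
        print(f"{n} chars, 95-symbol set: {secs / 86400:,.0f} days")
```

The wordlist pass recovers the two users with popular passwords without touching the others; `carol` falls to the exhaustive search because four lowercase letters is a keyspace of only 26^4 = 456,976, while `dave` is out of reach of both. The time estimates at the end are why length dominates: at the same guess rate, going from 8 to 12 characters turns days into millions of years.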
It all comes down to good passwords
The lesson here, of course, is to choose long, complex passwords. The longer the better, in fact. I now use passwords with 20 random characters whenever I can. I let LastPass create and remember them for me.
Yes, it’s possible that even those can be compromised by malware such as keyloggers, which is why I also advise adding two-factor authentication to your important accounts. With two-factor authentication enabled, even knowing the password isn’t enough to get in.
“on their own computers, at extremely high speed, they can literally try every possible password.” Wouldn’t it be more common that the hackers would use rainbow tables (tables containing the hashes of pre-generated password/hash combinations), as it seems like a brute force attack on a database would take millions or billions of years to get a few passwords.
Using a salted hash (sounds like a generic name for Spam 🙂 ), which to my understanding is kind of a double encryption, would defeat the rainbow tables, or at least slow the hackers down considerably to give the victims of the hack time to change their passwords before the passwords are cracked.
Rainbow tables(*), for purposes of this discussion, can be considered “trying all possible passwords”. 🙂 Also, rainbow tables become impractical once again as the password length increases (I think even hitting 9 characters might be enough, but 10 for sure – for now). Brute force attacks for all possible 8 character passwords are very doable today even without rainbow tables. And let’s face it, it’s a kind of brute force attack that generates a rainbow table, after all.
Salted hashes eliminate the usefulness of rainbow tables, unless the salt(**) can be determined. A good salt is most definitely best practice.
(*) Rainbow table: a simple table of all hashes for all possible passwords. Compute the entire table once for each common password hashing method, and rather than trying every possible password you simply look up the hash in a rainbow table to determine the password that goes with that hash. Impractical for long passwords, hence another reason for long passwords.
(**) “Salt” is something that’s added to a password before it’s hashed, thus changing the resulting hash. For example, if you provide password 1234 and the system adds a salt of “askleo”, then the string that gets hashed is “1234askleo”, which is different from the hash for plain old “1234”. As long as the salt (which can also be algorithmic rather than static) is kept secret, then the attackers don’t really know the entirety of your hashing algorithm, thus making the brute force attempt significantly more difficult.
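The comment above illustrates salting with a single fixed string. The added example below (not code from the original page or from any service it mentions) shows the form that is standard practice today and that the later comment about a unique salt per password refers to: a random salt generated for each user and stored next to the hash, combined with a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 here; the iteration count is an assumed work factor). Storing the salt in the clear is fine, because its job is not secrecy but making every user’s hash unique, so a table precomputed once cannot be reused across users or across databases.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def store_password(password: str, iterations: int = ITERATIONS) -> dict:
    """What a service should keep: a random per-user salt, the work factor,
    and the derived key. The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and work factor; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def precomputed_lookup(records: dict, wordlist) -> dict:
    """The attack from the article: hash each candidate once and look it up.
    Against salted records it finds nothing, even for users whose password
    is in the wordlist, because no stored hash equals a plain hash of it."""
    table = {unsalted_sha256(pw): pw for pw in wordlist}
    return {user: table[r["hash"]] for user, r in records.items() if r["hash"] in table}

def crack_salted(records: dict, wordlist):
    """What the attacker is forced to do instead: one full KDF run per
    candidate per user. Returns (user -> password, number of KDF runs)."""
    found, kdf_runs = {}, 0
    for user, rec in records.items():
        for pw in wordlist:
            kdf_runs += 1
            if verify_password(pw, rec):
                found[user] = pw
                break
    return found, kdf_runs

if __name__ == "__main__":
    # Constructed sample: two made-up users who chose the same weak password.
    # A small iteration count keeps the demo quick; production should use ITERATIONS.
    db = {"alice": store_password("letmein", 20_000), "bob": store_password("letmein", 20_000)}
    print("same password, different stored hashes:", db["alice"]["hash"] != db["bob"]["hash"])
    print("precomputed table hits:", precomputed_lookup(db, ["123456", "letmein"]))
    print("per-user cracking:", crack_salted(db, ["123456", "letmein"]))
```

Two things are visible in the output: the same password produces two different records, so a table built once is useless against both, and recovering each password costs the attacker a separate slow KDF run per candidate per user. That per-user, per-guess cost is the “slow the hackers down considerably” effect the earlier comment hoped for, and it is what gives a breached service’s users time to change their passwords.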
You failed to describe how a person would add a “salt” to a hash/password.
Actually Leo did explain how websites create a salted hash in a comment to this article:
A good salt is actually a bit more complicated, as it uses an algorithm to create a unique “salt” for each password.
It’s not something a person does. It’s part of the storage algorithms used by whoever is maintaining the database of passwords.
You mention that the computer receiving your login converts your password to a hash and then compares subsequent logins to this hash. You say that you cannot get the password back from the hash.
How then can such sites email you back your password if you forget it?
I know that some sites enforce a password reset in such situations, but not all.
I recently registered with a competition web site and they sent me a confirmation email with my ID and password there in plain text for all to see !!
Those sites which email your password are doing it wrong. Those sites are storing your passwords as plain text. If their password database is compromised, the hackers would get all of the username/password combinations. I get a bit perturbed when I get my password sent back to me in a confirmation email, and this causes me to doubt the competence of the makers of that website.
Very simple: If a site can actually mail you your password back, then that site is doing security wrong.
I would like to add one small nuance, namely that if they send the email from the same script as the one that hashes the password and stores only the hash, they can seem like they can send you your password, but they won’t be able to after that script finishes because it was only in memory. Of course once you have that email the script has already finished so you would in theory be safe.
Nonetheless, it seems kind of a dangerous thing for them to do, precisely because it leads people to think you’re not doing security right because you can send them their password. The problem is that you can’t discern this as a user; they might as well be storing the password in plain text without hashing it and telling you they can’t send it because it actually is hashed.
Sending your password in email is bad for another reason: email is not completely secure and could be monitored or “sniffed” along the way. Even if they’re storing a hash, sending a password in email remains bad security.
If passwords are usually stored hashed, how can anyone make a list of the top 100 most used passwords?
Usually using the same techniques that hackers do, or with the explicit help from a few major services that take passwords.
This article already out on Ask Leo! has recommendations for anti-malware tools, including free anti-virus, anti-spyware and more:
http://ask-leo.com/what_security_software_do_you_recommend.html
Your antimalware program should inform you if malware has been installed on your computer, however, antimalware tools aren’t 100% effective. Your best protection is to practice safe surfing procedures.
https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/
“(I think even hitting 9 characters might be enough, but 10 for sure – for now)”
I have rainbow tables up to 10 characters in length (lower case alphanumeric); I have not seen any that are greater than 10 characters. The effective key space is 3,760,620,109,779,060. 9 characters upper/lower alphanumeric would have 13,759,005,997,841,642 possibilities and be a text file size of over half a terabyte, mind-bogglingly large.
It’s always good to have at least a couple of characters more than the bare minimum. Hackers’ resources are growing along with technology in general. I’d never go less than 14 characters for an important password.
My current default is 20 for almost anything, as long as the service I’m signing into supports it.
“I’d never go less than 14 characters for an important password.” – And, of course, it’s not only the number of characters that’s important…
https://arstechnica.com/information-technology/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
True, but length is, by far, the most important factor; I like a minimum of 30-40 characters.
Unfortunately, at this time, I can’t find the references I have to various research results behind the much greater importance of length but here are some examples using two popular analyzers. Admittedly, they aren’t necessarily accurate in their estimates and use different algorithms but they do show the magnitude difference of length versus complexity.
Just compare 14 random, mixed characters like “i2N^aE#6z(0QsY” with a simple but long, easy to remember phrase like “I have 1 brother and 2 sisters”
Using the estimate at https://howsecureismypassword.net/ the former would take 204 million years while the latter would take 1 duodecillion years.
Using the estimate at http://passfault.com/ the former would take 19 centuries while the latter would take 931,508 centuries.
Of course, using long and complex passwords is even better, but most people will use something easy to remember over something complex, so I recommend taking some little-known event from a person’s life and using it; for example, “My first grade teacher was named Mrs. Wilson” or “I received my Princeton Masters degree in Computer Science in 2011”.
My default is 24 random characters: upper and lower case, numbers and special characters. I only use less if the site doesn’t support one that long.
Next question is: how do they get the database in the first place?
That varies DRAMATICALLY for each and every hack. There’s no single answer.
Very Interesting but how can a hacker change your password so it will not work for you?
Once they have your password, the system thinks that they ARE YOU.
They can do anything you used to be able to.
Change your password.
Change your contact data.
Change your recovery questions.
Only by hacking into your account and changing your password the same way that you would change your password.
Last week I was required to open an account with a large bank which has committed many banking atrocities in recent years. (I will be closing the account asap — I don’t trust them to hold any sort of account for me for any length of time).
The MAXIMUM password they would allow me was 12.
Another reason to distrust this bank…
The banks in my country allow passwords of 6 numbers only. Lastpass is always complaining about them.
The good news is European (and many other countries outside the US) banks use two factor authentication via TANs (Transaction Authorization Numbers) which are one use passwords on a printed list, SMS or TAN generator. The down side is a hacker who cracks the PIN would still be able to look at your statements, but since they would need the correct device or list to make any transactions, there is little incentive to try to hack an account.
I didn’t quite understand, “With each attempt, they create the hash;”
How does the hacker know the formula for creating a hash from a password? Isn’t every database different?
Not all hashes are equal:
https://www.wired.com/2016/06/hacker-lexicon-password-hashing/
The hackers create the hashes by hashing billions of passwords. Once the hash has been created, they then create a table of passwords and their corresponding hashes. When they find a match, they can look up that hashed password in their table to find the original password. That’s why long and obscure passwords are your best protection, as a brute force generation of hashes can’t go beyond 8 or 9 characters. Common phrases also make poor passwords because hackers might create hashes for very long phrases which are common. For example, ohsaycanyouseebythedawn’searlylight (and some variations: changing 0 for oh, c for see and u for you) is 35 characters long, but so common that hackers might create a hash for it.
The question was about the *function* (or *algorithm*) used to create the hash. The thieves would need to know that as well in order to crack the passwords. (They need to know *how* the website they stole the passwords from are creating the hashes.) The answer is that there exists such standard or common algorithms. But…
Can algorithm “seeds” or hashing “salt” be stolen as well? It would seem such values would need to be saved somewhere in the system.
“Is It Possible” is the Wrong Question. Anything is possible. It all depends. A rogue employee, a weak hash algorithm are possibilities. How likely is pretty much anybody’s guess.
Depending on the level of the hack (and the corresponding lack of security), certainly.
All the good ones are. This is one of the weaknesses exploited by some hacks: poor choices for hash algorithms.
Most of us can’t remember very many different passwords. However, you can remember a lot of different passwords if they are designed properly.
I use a passphrase that will die with me. I never write it down any place. (That may not be practical, since I am 99 right now.) I use an equivalent length of letters, numbers and characters for the rest of the password, which is 14 characters long. I now have over 80 passwords. No, I don’t remember them all, but those I use most often, I do remember. And that can be up to 15 to 20 of them. Most of the rest I can guess with a few tries because of the design, which by itself is one of the variables. The passphrase itself must be able to stand as a password by itself, providing it isn’t merely part of a sentence, though it would be a weak one because of its length. Because of the design, I don’t use any password handler. I even change the design periodically, when changing a password, which is why I have to make some guesses occasionally on some of the passwords. Too complicated? I might say yes when Alzheimer’s hits me.
As I understand it, unless one uses a stupid p/w, most computer p/w’s cannot be cracked by someone else. In the vast majority of cases, they access the site and steal them. [or the hash] Right?
I am extremely disappointed in the number of financial sites that do not offer two factor ID.
Leo didn’t insert one of his common phrases: that you and I simply aren’t that interesting. But being the unwitting victim of a mass attack, that’s just bad luck driven by bad passwords.
On a related note … One reason criminals hack email accounts. Once hacked, the criminal will try it at (some, all, most popular, etc.) financial institutions then hit the ‘forgot password?’ button hoping they get lucky; then wait a few moments for the temporary password to come through, and delete the email. The user has no idea, in the vast majority of cases, that this email came and the criminal has access to their account. After all, how many people check their deleted email? The moral is: email accounts need the strongest passwords just like other critical accounts, and 2FA where available. Have you wondered, when your log in fails, why that is? Maybe it was this, and someone knows you have an account with a particular company. Might be time to change your email password … might want to do this regularly.
Those of us who stay on top of account security should be much safer than those who don’t. I recall an old adage, something like: lock all the doors and windows in your home when you leave, and the burglars will move on to the next house; they’re lazy and want a quick and easy score. It’s extra time we invest for the SWAN effect, sleep well at night, and well worth it.
Fascinating topic, thanks all for the education I received.
If I understand the process, given that a hacker has the database of UserID/hash code and a guess at the algorithm to create the hash. The hacker then feeds the algorithm a list of common passwords (the “top 1000”). If they get a hit where the generated hash matches a hash paired to a UserID, then the hacker can assume success at finding the right algorithm and then begin brute force utilizing the “known” algorithm. Things such as salting can confound the searches.
Is that the way it works?
I think I gather from this a need for the COMMON GOOD, as well as the individual good, to have complex passwords. Protecting the algorithm’s identity protects all.
Very interesting website, Leo, thanks….
Another great article. Starts with a typical question everybody has in the back of their minds — but is surprisingly rarely addressed, and provides the answer in very simple terms.
October 5, 2017 at 8:55 am
From Leo: “My current default is 20 for almost anything, as long as the service I’m signing into supports it.” Let’s not forget a major limitation that has existed for years and still today: Many large financial and related institutions still are running servers that only support 8 character sign in. But some of these institutions you MUST use to do required business. I see updates and upgrades being made but at a snail’s pace. The Equifax debacle, though not on point here, is a related example. And the Client has no direct control over those issues.
Indeed it’s VERY frustrating to still run into an eight character maximum.