
41 comments on “How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?”

  1. “on their own computers, at extremely high speed, they can literally try every possible password.” Wouldn’t it be more common that the hackers would use rainbow tables (tables containing the hashes of pre-generated password/hash combinations), as it seems like a brute attack on a database would take millions or billions of years to get a few passwords.

    Using a salted hash (sounds like a generic name for Spam 🙂 ), which to my understanding is kind of a double encryption, would defeat the rainbow tables, or at least slow the hackers down considerably to give the victims of the hack time to change their passwords before the passwords are cracked.

    • Rainbow tables(*), for purposes of this discussion, can be considered “trying all possible passwords”. 🙂 Also, rainbow tables become impractical once again as the password length increases (I think even hitting 9 characters might be enough, but 10 for sure – for now). Brute attacks for all possible 8 character passwords are very doable today even without rainbow tables. And let’s face it, it’s a kind of brute force attack that generates a rainbow table, after all.

      Salted hashes eliminate the usefulness of rainbow tables, unless the salt(**) can be determined. A good salt is most definitely best practice.

      (*) Rainbow table: a simple table of all hashes for all possible passwords. Compute the entire table once for each common password hashing method, and rather than trying every possible password you simply look up the hash in a rainbow table to determine the password that goes with that hash. Impractical for long passwords, hence another reason for long passwords.

      (**) “Salt” is something that’s added to a password before it’s hashed, thus changing the resulting hash. For example if you provide password 1234 and the system adds a salt of “askleo” then the string that gets hashed is “1234askleo” which is different than the hash for plain old “1234”. As long as the salt (which can also be algorithmic rather than static) is kept secret, then the attackers don’t really know the entirety of your hashing algorithm, thus making the brute force attempt significantly more difficult.

        • Actually Leo did explain how websites create a salted hash in a comment to this article:

          “Salt” is something that’s added to a password before it’s hashed, thus changing the resulting hash. For example if you provide password 1234 and the system adds a salt of “askleo” then the string that gets hashed is “1234askleo” which is different than the hash for plain old “1234”. As long as the salt (which can also be algorithmic rather than static) is kept secret, then the attackers don’t really know the entirety of your hashing algorithm, thus making the brute force attempt significantly more difficult.

          A good salt is actually a bit more complicated, as it uses an algorithm to create a unique “salt” for each password.

  2. You mention that the computer receiving your login converts your password to a hash and then compares subsequent logins to this hash. You say that you cannot get the password back from the hash.
    How then can such sites email you back your password if you forget it?
    I know that some sites enforce a password reset in such situations, but not all.
    I recently registered with a competition web site and they sent me a confirmation email with my ID and password there in plain text for all to see!!

    • Those sites which email your password are doing it wrong. Those sites are storing your passwords as plain text. If their password database is compromised, the hackers would get all of the username/password combinations. I get a bit perturbed when I get my password sent back to me in a confirmation email, and this causes me to doubt the competence of the makers of that website.

      • I would like to add one small nuance, namely that if they send the email from the same script as the one that hashes the password and stores only the hash, they can seem like they can send you your password, but they won’t be able to after that script finishes because it was only in memory. Of course once you have that email the script has already finished so you would in theory be safe.
        Nonetheless, it seems kind of a dangerous thing for them to do, precisely because it leads people to think you’re not doing security right because you can send them their password. The problem is that you can’t discern this as a user; they might as well be storing the password in plain text without hashing it and telling you they can’t send it because it actually is hashed.

        • Sending your password in email is bad for another reason: email is not completely secure and could be monitored or “sniffed” along the way. Even if they’re storing a hash, sending a password in email remains bad security.

  3. This article already out on Ask Leo! has recommendations for anti-malware tools, including free anti-virus, anti-spyware and more:
    http://ask-leo.com/what_security_software_do_you_recommend.html

    Your antimalware program should inform you if malware has been installed on your computer, however, antimalware tools aren’t 100% effective. Your best protection is to practice safe surfing procedures.
    https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/

  4. “(I think even hitting 9 characters might be enough, but 10 for sure – for now)”

    I have rainbow tables up to 10 characters in length (lower case alphanumeric); I have not seen any that are greater than 10 characters. The effective key space is 3,760,620,109,779,060. 9 characters upper/lower alphanumeric would have 13,759,005,997,841,642 possibilities and be a text file size of over half a terabyte, mind-bogglingly large.

    • It’s always good to have at least a couple of characters more than the bare minimum. Hackers’ resources are growing along with technology in general. I’d never go less than 14 characters for an important password.

        • True, but length is, by far, the most important factor; I like a minimum of 30-40 characters.

          Unfortunately, at this time, I can’t find the references I have to various research results behind the much greater importance of length but here are some examples using two popular analyzers. Admittedly, they aren’t necessarily accurate in their estimates and use different algorithms but they do show the magnitude difference of length versus complexity.

          Just compare 14 random, mixed characters like “i2N^aE#6z(0QsY” with a simple but long, easy to remember phrase like “I have 1 brother and 2 sisters”

          Using the estimate at https://howsecureismypassword.net/ the former would take 204 million years while the latter would take 1 duodecillion years.

          Using the estimate at http://passfault.com/ the former would take 19 centuries while the latter would take 931,508 centuries.

          Of course, using long and complex passwords is even better, but most people will use something easy to remember over something complex, so I recommend taking some little known event from a person’s life and using it; for example, “My first grade teacher was named Mrs. Wilson” or “I received my Princeton Masters degree in Computer Science in 2011”

      • My default is 24 random characters, upper, lower case, numbers and special characters. I only use less if the site doesn’t support that long.

    • Once they have your password, the system thinks that they ARE YOU.
      They can do anything you used to be able to.
      Change your password.
      Change your contact data.
      Change your recovery questions.
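    As an added worked example (not from the thread), the two key-space figures quoted in comment 4 above come from summing the alphabet size raised to every length up to the maximum; this script reproduces both numbers and applies the same arithmetic to the length limits mentioned elsewhere in the thread (8, 12, 14, 20 and 24 characters). The alphabet sizes and the guess rate are assumptions.

    ```python
    import math

    # Alphabet sizes used below (assumption: ASCII character classes).
    LOWER_ALNUM = 36       # a-z and 0-9: the "lower case alphanumeric" tables in the comment
    MIXED_ALNUM = 62       # a-z, A-Z, 0-9
    PRINTABLE_ASCII = 95   # letters, digits and 32 punctuation characters

    SECONDS_PER_YEAR = 365.25 * 24 * 3600


    def keyspace(alphabet_size, max_len, min_len=1):
        """Number of distinct passwords of every length from min_len to max_len.

        Summing over all lengths is what reproduces the commenter's figures:
        keyspace(36, 10) and keyspace(62, 9).
        """
        return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


    def entropy_bits(alphabet_size, max_len, min_len=1):
        """log2 of the keyspace; each additional bit doubles an exhaustive search."""
        return math.log2(keyspace(alphabet_size, max_len, min_len))


    def years_to_exhaust(space, guesses_per_second):
        """Worst-case years to try every candidate at an assumed offline guess rate."""
        return space / guesses_per_second / SECONDS_PER_YEAR


    def length_comparison(alphabet_size=PRINTABLE_ASCII, guesses_per_second=1e11):
        """Bits and exhaustive-search years for the maximum lengths the thread mentions:
        8 (legacy servers), 12 (the bank), 14, 20 and 24. The guess rate is an assumed
        round number for a fast unsalted hash, not a measurement."""
        rows = []
        for n in (8, 12, 14, 20, 24):
            space = keyspace(alphabet_size, n, n)   # exactly n characters
            rows.append((n, round(entropy_bits(alphabet_size, n, n), 1),
                         years_to_exhaust(space, guesses_per_second)))
        return rows


    if __name__ == "__main__":
        print(f"{keyspace(LOWER_ALNUM, 10):,}")   # 3,760,620,109,779,060
        print(f"{keyspace(MIXED_ALNUM, 9):,}")    # 13,759,005,997,841,642
        for n, bits, years in length_comparison():
            print(f"{n:2d} chars: {bits:6.1f} bits, {years:.3g} years to exhaust")
    ```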

  5. Last week I was required to open an account with a large bank which has committed many banking atrocities in recent years. (I will be closing the account asap — I don’t trust them to hold any sort of account for me for any length of time).

    The MAXIMUM password they would allow me was 12.

    Another reason to distrust this bank…

      • The good news is European (and many other countries outside the US) banks use two factor authentication via TANs (Transaction Authorization Numbers) which are one use passwords on a printed list, SMS or TAN generator. The down side is a hacker who cracks the PIN would still be able to look at your statements, but since they would need the correct device or list to make any transactions, there is little incentive to try to hack an account.

  6. I didn’t quite understand, “With each attempt, they create the hash;”

    How does the hacker know the formula for creating a hash from a password? Isn’t every database different?

    • The hackers create the hashes by encrypting billions of passwords. Once the hash has been created, they then create a table of passwords and their corresponding hashes. When they find a match, they can look up that hashed password in their table to find the original password. That’s why long and obscure passwords are your best protection, as a brute force generation of hashes can’t go beyond 8 or 9 characters. Common phrases also make poor passwords because hackers might create hashes for very long phrases which are common. For example ohsaycanyouseebythedawn’searlylight (and some variations: changing 0 for oh, c for see and u for you) is 35 characters long, but so common that hackers might create a hash for it.

      • The question was about the *function* (or *algorithm*) used to create the hash. The thieves would need to know that as well in order to crack the passwords. (They need to know *how* the website they stole the passwords from is creating the hashes.) The answer is that there exist such standard or common algorithms. But…

        Can algorithm “seeds” or hashing “salt” be stolen as well? It would seem such values would need to be saved somewhere in the system.
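    As an added example (not Leo’s code or code from this thread), this shows the salted-hash scheme described in comment 1 and answers the question just above about where the salt lives: it is stored in the user’s record next to the hash. It does not need to be secret to defeat a precomputed table, because every user gets a different random salt and the table would have to be rebuilt for each one; the slow hash (PBKDF2 here) then makes each rebuild expensive. Algorithm, iteration count and sample users are constructed for this example.

    ```python
    import hashlib
    import hmac
    import os

    # Constructed parameters: PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt
    # per user. The iteration count is a work factor; raise it as hardware gets faster.
    ITERATIONS = 200_000


    def hash_password(password, salt=None):
        """Return a self-describing record "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>".

        A new salt is drawn on every call, so two users with the same password get
        different records, and a table of hashes computed without the salt matches nothing.
        """
        if salt is None:
            salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


    def verify_password(password, record):
        """Recompute the hash from the salt and iteration count stored in the record,
        then compare in constant time so timing does not leak how many bytes matched."""
        algo, iters, salt_hex, stored_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), stored_hex)


    def unsalted_lookup_hits(records, candidates):
        """How many stored records a plain SHA-256 table of candidate passwords (no salt)
        would match. With per-user salted records the answer is always 0."""
        table = {hashlib.sha256(c.encode()).hexdigest(): c for c in candidates}
        return sum(1 for r in records if r.split("$")[-1] in table)


    if __name__ == "__main__":
        # Constructed sample users; alice and bob deliberately share a password.
        users = {"alice": "1234", "bob": "1234", "carol": "I have 1 brother and 2 sisters"}
        db = {name: hash_password(pw) for name, pw in users.items()}
        print("same password, different records:", db["alice"] != db["bob"])
        print("login check:", verify_password("1234", db["alice"]),
              verify_password("wrong", db["alice"]))
        print("hits from an unsalted table of common passwords:",
              unsalted_lookup_hits(list(db.values()), ["1234", "password", "letmein"]))
    ```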

  7. Most of us can’t remember very many different passwords. However, you can remember a lot of different passwords if they are designed properly.
    I use a passphrase that will die with me. I never write it down any place. (That may not be practical, since I am 99 right now. ) I use an equivalent length of letters, numbers and characters for the rest of the password which is 14 characters long. I now have over 80 passwords. No I don’t remember them all but those I use most often, I do remember. And that can be up to 15 to 20 of them. Most of the rest I can guess with a few tries because of the design which by itself is one of the variables. The passphrase itself must be able to stand as a password by itself, providing it isn’t merely part of a sentence though it would be a weak one because of its length. Because of the design, I don’t use any password handler. I even change the design periodically, when changing a password, which is why I have to make some guesses occasionally on some of the passwords. Too complicated? I might say yes when Alzheimer’s hits me.

  8. As I understand it, unless one uses a stupid p/w, most computer p/w’s cannot be cracked by someone else. In the vast majority of cases, they access the site and steal them. [or the hash] Right?

    I am extremely disappointed in the number of financial sites that do not offer two factor ID.

  9. Leo didn’t insert one of his common phrases: that you and I simply aren’t that interesting. But being the unwitting victim of a mass attack, that’s just bad luck driven by bad passwords.

    On a related note … One reason criminals hack email accounts. Once hacked, the criminal will try it at (some, all, most popular, etc.) financial institutions then hit the ‘forgot password?’ button hoping they get lucky; then wait a few moments for the temporary password to come through, and delete the email. The user has no idea, in the vast majority of cases, that this email came and the criminal has access to their account. After all, how many people check their deleted email? The moral is: email accounts need the strongest passwords just like other critical accounts, and 2FA where available. Have you wondered, when your log in fails, why that is? Maybe it was this, and someone knows you have an account with a particular company. Might be time to change your email password … might want to do this regularly.

    Those of us who stay on top of account security should be much safer than those who don’t. I recall an old adage, something like: lock all the doors and windows in your home when you leave, and the burglars will move on to the next house; they’re lazy and want a quick and easy score. It’s extra time we invest for the SWAN effect, sleep well at night, and well worth it.

  10. Fascinating topic, thanks all for the education I received.

    If I understand the process: given that a hacker has the database of UserID/hash code and a guess at the algorithm to create the hash, the hacker then feeds the algorithm a list of common passwords (the “top 1000”). If they get a hit where the generated hash matches a hash paired to a UserID, then the hacker can assume success at finding the right algorithm and then begin brute force utilizing the “known” algorithm. Things such as salting can confound the searches.

    Is that the way it works?

    I think I gather from this a need for the COMMON GOOD, as well as the individual good, to have complex passwords. Protecting the algorithm’s identity protects all.

    Very interesting website, Leo, thanks….

  11. Another great article. Starts with a typical question everybody has in the back of their minds — but is surprisingly rarely addressed, and provides the answer in very simple terms.

  12. October 5, 2017 at 8:55 am

    From Leo: “My current default is 20 for almost anything, as long as the service I’m signing into supports it.” Let’s not forget a major limitation that has existed for years and still today: Many large financial and related institutions still are running servers that only support 8 character sign in. But some of these institutions you MUST use to do required business. I see updates and upgrades being made but at a snail’s pace. The Equifax debacle, though not on point here, is a related example. And the Client has no direct control over those issues.
