
8 comments on “How Can a Hacker Try All Possible Passwords If Systems Block Failed Login Attempts?”

  1. Leo,
    This is unrelated to the above excellent article; I also use 1Password and find it indispensable.
    But here is my plea for help:
    A couple of years ago I updated Microsoft Office, and somehow the update caused two mailboxes of the same name to be created. Email randomly comes to both, never the same email to both, however, without obvious reason. How do I safely eliminate one of these mailboxes, please?

    Reply
  2. I’m curious. If a password, such as “Fido”, creates the hash “5baa61e4c9b93f”, and the password is changed to “Fidodog”, does the first part of the original hash for “Fido” change appreciably?

    Sometimes when I log into a website, the service will see I’m using a different computer and ask for additional verification, like my first car (the correct answer for me would be “spaghetti”). Kudos to those companies. If I was using a different computer (or perhaps a hacker on their computer), I only wish they would ask for additional verification whether the password was right or wrong. If the password or additional information was incorrect, respond with “either the password was incorrect or the additional information was incorrect”. A hacker would have two problems to solve.

    Reply
    • If a password changes in even the smallest way (Fido -> fido, which is a one-bit change), the new hash will be COMPLETELY different. That’s one of the characteristics of a good hash algorithm: a small change on input results in a massive change on output.
      Example:
      sha1 hash of “Fido”: c6eab3324f4657a4c4c751fa472155eef159a4c8
      sha1 hash of “fido”: cc22a138b5b04eb06600eabb1a1cd19ccf50e930

      Reply
    • Adding even one letter or even one bit to a password would not only change the first part of the hash, it would change the hash completely; the result bears no resemblance to the original. The hash is the result of a complex cryptographic mathematical calculation.
      Here is an example of a hash of fido using the SHA3-224 hash
      8e44d0792d554f19d0bce11db99499e3260e97fcf83ec6b659549360
      and here is a hash of fido1
      6fd945c44c2f98a28d6b1a5d181b52aedcaa6c1ff61fc46d468ab484

      If you want to play with it here’s a website that calculates hashes,
      https://www.browserling.com/tools/all-hashes

      Reply
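The two replies above illustrate the avalanche effect by eye. The following is an added example (editor's code, not from the article or the commenters) that measures it: it hashes the pairs discussed above with Python's standard hashlib, counts how many bits differ in the inputs, and counts how many bits differ in the resulting digests. The "Fido"/"fido" pair differs in exactly one input bit (the ASCII case bit); a good hash flips roughly half of the output bits regardless.

```python
import hashlib


def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance: number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("bit_diff needs equal-length inputs")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, p1: str, p2: str) -> dict:
    """Hash two candidate passwords and report how much the digests differ.

    `algorithm` is any name hashlib.new() accepts, e.g. "sha1" or "sha3_224".
    input_bits_changed is None when the inputs have different lengths
    (e.g. "fido" vs "fido1"), since a bitwise comparison is then meaningless.
    """
    b1, b2 = p1.encode(), p2.encode()
    h1 = hashlib.new(algorithm, b1).digest()
    h2 = hashlib.new(algorithm, b2).digest()
    digest_bits = len(h1) * 8
    changed = bit_diff(h1, h2)
    return {
        "input_bits_changed": bit_diff(b1, b2) if len(b1) == len(b2) else None,
        "digest_bits": digest_bits,
        "digest_bits_changed": changed,
        "fraction_changed": changed / digest_bits,
        "hex1": h1.hex(),
        "hex2": h2.hex(),
    }


if __name__ == "__main__":
    # The pairs used in the replies above; the "1" suffix and the "dog" suffix
    # are the commenters' own examples, nothing else is assumed.
    for alg, a, b in [("sha1", "Fido", "fido"),
                      ("sha3_224", "fido", "fido1"),
                      ("sha256", "Fido", "Fidodog")]:
        r = avalanche(alg, a, b)
        print(f"{alg}: {a!r} -> {r['hex1']}")
        print(f"{alg}: {b!r} -> {r['hex2']}")
        print(f"  input bits changed: {r['input_bits_changed']}, "
              f"digest bits changed: {r['digest_bits_changed']}/{r['digest_bits']} "
              f"({r['fraction_changed']:.0%})")
```

The practical consequence for the article's question: an attacker who sees a hash of "Fido" learns nothing about the hash of "Fidodog", so there is no way to home in on a password one character at a time. Every candidate has to be hashed from scratch and compared in full.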
  3. I must be missing something. In order for a hacker to be able to make use of an exposed hash database, he must be able to apply the same hashing algorithm used by the legitimate owner of that database. It would seem that the number of potential hashing algorithms would explode the required trials geometrically. Do hackers also use a database of potential hash algorithms that are well established?

    Reply
    • Basically, yes. It’s quite possible for security, when done properly, to make attacking the database of hashes impractical as well. (A little salt can often ruin the entire effort.) Unfortunately two things: 1) “done properly” isn’t always, and 2) often the same breach that allowed the hacker to exfiltrate the database may also have given them access to the code implementing the hashing algorithm.

      Reply
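To make the reply above concrete, here is an added example (editor's code, not the article's) of what the attacker in comment 3 actually needs. It shows that the attacker does not have to try every algorithm: the digest length alone narrows a leaked hash down to a handful of standard candidates. It then shows why "a little salt" ruins a precomputed table: the attacker's table of hashed common passwords finds an unsalted entry instantly, fails against a salted one, and the attacker is forced back to hashing each guess per user. The wordlist is a constructed five-entry stand-in for the real multi-million-entry lists attackers use.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking wordlist.
COMMON_PASSWORDS = ["123456", "password", "fido", "letmein", "qwerty"]


def candidate_algorithms(hex_digest: str) -> list:
    """Standard hashlib algorithms whose digest length matches a leaked hex digest.

    Attackers do exactly this first: a 40-hex-char digest is almost certainly SHA-1,
    a 64-char one SHA-256 or a sibling, and so on. Variable-length (shake) is skipped.
    """
    nbytes = len(hex_digest) // 2
    return [name for name in sorted(hashlib.algorithms_guaranteed)
            if not name.startswith("shake")
            and hashlib.new(name).digest_size == nbytes]


def store_unsalted(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password (do not do this)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt prepended to the password; stored as 'salthex$digest'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def build_table(wordlist, algorithm: str = "sha256") -> dict:
    """Precompute digest -> password once; reused against every leaked hash."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in wordlist}


def crack_with_table(stored: str, table: dict):
    """Table lookup: O(1) per hash, but only works if no salt was used."""
    return table.get(stored)


def crack_salted_by_guessing(stored: str, wordlist):
    """With salt, the table is useless; each guess must be rehashed with this user's salt."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for word in wordlist:
        guess = hashlib.sha256(salt + word.encode()).hexdigest()
        if hmac.compare_digest(guess, digest):
            return word
    return None


if __name__ == "__main__":
    table = build_table(COMMON_PASSWORDS)
    leaked = store_unsalted("fido")
    print("candidate algorithms:", candidate_algorithms(leaked))
    print("unsalted, table lookup:", crack_with_table(leaked, table))
    salted = store_salted("fido")
    print("salted, table lookup:", crack_with_table(salted, table))
    print("salted, per-user guessing:", crack_salted_by_guessing(salted, COMMON_PASSWORDS))
```

Two things the code makes visible. First, two users with the same unsalted password get identical hashes, so cracking one cracks both; with salt, every user's hash is unique and the table has to be rebuilt per user. Second, salt does not stop guessing outright: a weak password still falls to per-user guessing, which is why real systems pair the salt with a deliberately slow hash and why the article's advice on password strength still applies.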
  4. Even though you recommend never using the same password for different sites I do it often for sites that I don’t care much if someone logs onto my account. For example, I use the same eight-character upper & lower case letters plus special characters password for Consumer Reports as I do for CVS Pharmacy and several other sites. My reasoning is that I can’t think of anything a hacker could do on these sites that would be extremely harmful to me. First question: Am I being naive about this and exposing myself to harm?

    And I let my Firefox browser memorize the password for those sites but not for others that I consider more sensitive, such as my bank. Second question: Am I being too paranoid about the safety or lack thereof for browser-memorized passwords?

    Reply
