Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

17 comments on “Why Can’t Online Services Tell Me My Password? (If They Can, There’s Something Wrong)”

  1. If you have a simple password, they may be able to use a rainbow table to convert the hash into your password. If your password is PASSWORD for example, if they know how the passwords are hashed, the run various simple passwords like PASSWORD through the hash and create a table called a rainbow table. That can then be used to go from the hash to the password.

    Reply
  2. Thanks for the opportunity to get an answer to my biggest computer problem. I have been using computers since my first Radio Shack (no hard drive) computer. Now I am 72 and have been diagnosed with memory problems. This has caused much stress! I try to keep my passwords in a book but there are times it doesn’t work. This could be because I had to change the password and forgot to change the book or lately, I just don’t know. I am on my iPad a lot and will miss it!

    Is there a safe program I can use on the iPad and lap top (not Mac) that will remember passwords? Hope you can keep me using my computer!

    Doug

    Reply
  3. Hi Leo,
    I found this article very informative and interesting but it has prompted one question and that is why we may have to change all of our passwords as a result of Heartbleed ?

    Reply
    • Because they MAY have been captured by hackers during the time the various servers were vulnerable to the HeartBleed problem. That means it’s theoretically possible that any time in the last two years when you logged into a service which was HeartBleed vulnerable a hacker could have stolen your password. I don’t know that this is/was common, but since we can’t prove it one way or the other changing your passwords is the safest option.

      Reply
  4. If I have understood correctly, (and I found your explanation brilliantly clear), every one of the major thefts of passwords which have been publicised over the years, (as well as the Heartbleed thefts), are actually a manifestation of the fact that the host is maintaining the actual passwords on their servers. If they were storing only the hash, the hackers could not steal them. This speaks volumes to the security services of the major sites we all subscribe to.

    Reply
    • This is not quite correct.

      First, most major thefts have not been “of passwords“. They’ve been of account databases with hashed passwords. Nonetheless, common best practice after such a theft – even without passwords – is to encourage people to change their passwords “just in case”. (Obviously if the theft was truly “of passwords”, then yes, those were bad security setups. But as I said, if you read the accounts closely more are not.)

      Second, the situation is more complex than I got into. (Remember, the question was only why a service couldn’t tell you your password.) It can sometimes be possible to use tables of hashed passwords to break into accounts 1) if the hash is done “poorly”, and 2) if poor passwords are used. I think someone else mentioned rainbow tables – compute, off-line, the hashes for all possible 8 character passwords, then just look up the hash to find the password. There are techniques to make this more secure both on the server (do hashes properly) and in your control (longer passwords being the one in your control).

      Finally, poor password choice remains a serious issue. Very often simply knowing the account login ID, which is stored clearly in the database, and then just trying the top 1000 most popular passwords (slowly, over a few days on a distributed botnet) will break in to an alarming number of accounts.

      Reply
  5. Another good article Leo, but a couple things I’d add:
    As far as Heartbleed goes:
    DO NOT CHANGE YOUR PASSWORDS UNLESS YOU CAN VERIFY THESE 3 THINGS:
    1) The website was running the affected version of OpenSSL (v1.0.1 and v1.0.2 beta)
    2) The website has applied the necessary patch for the affected versions of OpenSSL
    3) The website has updated their certificates
    Very basically, if your website is still running OpenSSL v1.0.0 it is not vulnerable to Heartbleed. Heartbleed allows the affected OpenSSL memory to be read on the website’s server. If it wasn’t patched and certificates updated, the site is still vulnerable and you’re putting a new password into the memory (which remains active until rebooted) for the hackers to access. Servers can go for months or years without rebooting. Wait until all 3 of these things are verified, or you’re wasting your time and putting your new password into memory to be hacked.

    I’m still not a fan of changing passwords without a good reason – you’ve given it to someone intentionally or unintentionally, or malware has infected your system. A password which was strong a decade ago remains strong today. 🙂

    Reply
    • Which is why I referenced the LastPass tool – it’ll advise you whether or not the password should be changed based on those criteria.

      Reply
  6. Most passwords will be locked out if you make a set # of attempts without success, so why would a botnet attempt be able to work where there are 1000 attempts?

    Reply
    • That’s why I said slow & distributed. Slow enough to not trigger the “too many failures too quickly” problem and distributed to not trigger “too many failures from the same IP address”. Even if it takes a few days the results would be valuable to the hackers.

      Reply
  7. Let me see if I understand correctly. If I click on the “LostPassword” link at a site where I have an account, and they actually email me my password, that is not good, but if they email me a link to enable me to reset my password or give a me a “hint”
    I have provided previously, that is ok?

    Reply
    • If they can mail you a password, it means they have your password on their servers, and that is vulnerable to mass theft. If they send you a password reset key, that is essentially a new one time password with which you can create a new password. This one time password is sent to an email address which only you *should* have access to. I stress should because there may be ways of gaming that system if they’ve hacked that email account, but it protects the vast majority of passwords on their system.

      Reply
  8. Thank you for making the password reset situation clear. You answered a question I had not thought to ask and I will now cease being frustrated when the situation arises. I have been using Password Safe for years but it is not always handy when I am away from home.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.