Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

34 comments on “Why Can’t Online Services Tell Me My Password? (If They Can, There’s Something Wrong)”

  1. If you have a simple password, they may be able to use a rainbow table to convert the hash into your password. If your password is PASSWORD for example, if they know how the passwords are hashed, the run various simple passwords like PASSWORD through the hash and create a table called a rainbow table. That can then be used to go from the hash to the password.

    Reply
  2. Thanks for the opportunity to get an answer to my biggest computer problem. I have been using computers since my first Radio Shack (no hard drive) computer. Now I am 72 and have been diagnosed with memory problems. This has caused much stress! I try to keep my passwords in a book but there are times it doesn’t work. This could be because I had to change the password and forgot to change the book or lately, I just don’t know. I am on my iPad a lot and will miss it!

    Is there a safe program I can use on the iPad and lap top (not Mac) that will remember passwords? Hope you can keep me using my computer!

    Doug

    Reply
  3. Hi Leo,
    I found this article very informative and interesting but it has prompted one question and that is why we may have to change all of our passwords as a result of Heartbleed ?

    Reply
    • Because they MAY have been captured by hackers during the time the various servers were vulnerable to the HeartBleed problem. That means it’s theoretically possible that any time in the last two years when you logged into a service which was HeartBleed vulnerable a hacker could have stolen your password. I don’t know that this is/was common, but since we can’t prove it one way or the other changing your passwords is the safest option.

      Reply
  4. If I have understood correctly, (and I found your explanation brilliantly clear), every one of the major thefts of passwords which have been publicised over the years, (as well as the Heartbleed thefts), are actually a manifestation of the fact that the host is maintaining the actual passwords on their servers. If they were storing only the hash, the hackers could not steal them. This speaks volumes to the security services of the major sites we all subscribe to.

    Reply
    • This is not quite correct.

      First, most major thefts have not been “of passwords“. They’ve been of account databases with hashed passwords. Nonetheless, common best practice after such a theft – even without passwords – is to encourage people to change their passwords “just in case”. (Obviously if the theft was truly “of passwords”, then yes, those were bad security setups. But as I said, if you read the accounts closely more are not.)

      Second, the situation is more complex than I got into. (Remember, the question was only why a service couldn’t tell you your password.) It can sometimes be possible to use tables of hashed passwords to break into accounts 1) if the hash is done “poorly”, and 2) if poor passwords are used. I think someone else mentioned rainbow tables – compute, off-line, the hashes for all possible 8 character passwords, then just look up the hash to find the password. There are techniques to make this more secure both on the server (do hashes properly) and in your control (longer passwords being the one in your control).

      Finally, poor password choice remains a serious issue. Very often simply knowing the account login ID, which is stored clearly in the database, and then just trying the top 1000 most popular passwords (slowly, over a few days on a distributed botnet) will break in to an alarming number of accounts.

      Reply
  5. Another good article Leo, but a couple things I’d add:
    As far as Heartbleed goes:
    DO NOT CHANGE YOUR PASSWORDS UNLESS YOU CAN VERIFY THESE 3 THINGS:
    1) The website was running the affected version of OpenSSL (v1.0.1 and v1.0.2 beta)
    2) The website has applied the necessary patch for the affected versions of OpenSSL
    3) The website has updated their certificates
    Very basically, if your website is still running OpenSSL v1.0.0 it is not vulnerable to Heartbleed. Heartbleed allows the affected OpenSSL memory to be read on the website’s server. If it wasn’t patched and certificates updated, the site is still vulnerable and you’re putting a new password into the memory (which remains active until rebooted) for the hackers to access. Servers can go for months or years without rebooting. Wait until all 3 of these things are verified, or you’re wasting your time and putting your new password into memory to be hacked.

    I’m still not a fan of changing passwords without a good reason – you’ve given it to someone intentionally or unintentionally, or malware has infected your system. A password which was strong a decade ago remains strong today. 🙂

    Reply
    • Which is why I referenced the LastPass tool – it’ll advise you whether or not the password should be changed based on those criteria.

      Reply
  6. Most passwords will be locked out if you make a set # of attempts without success, so why would a botnet attempt be able to work where there are 1000 attempts?

    Reply
    • That’s why I said slow & distributed. Slow enough to not trigger the “too many failures too quickly” problem and distributed to not trigger “too many failures from the same IP address”. Even if it takes a few days the results would be valuable to the hackers.

      Reply
  7. Let me see if I understand correctly. If I click on the “LostPassword” link at a site where I have an account, and they actually email me my password, that is not good, but if they email me a link to enable me to reset my password or give a me a “hint”
    I have provided previously, that is ok?

    Reply
    • If they can mail you a password, it means they have your password on their servers, and that is vulnerable to mass theft. If they send you a password reset key, that is essentially a new one time password with which you can create a new password. This one time password is sent to an email address which only you *should* have access to. I stress should because there may be ways of gaming that system if they’ve hacked that email account, but it protects the vast majority of passwords on their system.

      Reply
  8. Thank you for making the password reset situation clear. You answered a question I had not thought to ask and I will now cease being frustrated when the situation arises. I have been using Password Safe for years but it is not always handy when I am away from home.

    Reply
  9. There is a difference between a hack from outside the company and a hack from inside the company, with a hack from inside a company much more dangerous. A hack from outside the company mostly only gets the data in the form the company stores it in. If the password checking file is encrypted, then they get the encrypted file with hash.

    But all passwords for a site are run thru the same hashing algorithm. If this hashing algorithm is known, or found, then either a rainbow table can be made for that algorithm, or a hash file can be deconstructed by reversing the algorithm. A hack from inside might be able to get the hashing algorithm, since that has to be stored in the system somewhere for the computer to use it. Some companies have not changed their hashing algorithm for decades. It is sort of hard to, since once the passwords are hashed, changing the algorithm would result in a different hash than what is stored.

    Updating or changing the algorithm after an hack should be normally done, this would require all the users to reset their passwords, resulting in a new hash for each user. Then the old hash file could be deleted after some time. Anybody that has not changed their password by that time would have to set up a new account.
    Just like longer passwords, longer more complicated hashing algorithms are more secure, but can slow down the processing in the computer. (Not as much of a concern as it was in the past)

    Reply
    • Couple of things:

      “a rainbow table can be made for that algorithm” — True, but a rainbow table (a table that lists all possible passwords and their hash values) is practical only up to a certain password length. This is why we harp so much on password length. A rainbow table for, say, all possible 16 character passwords is completely impractical at this point in time. (And why I default to 20.) It’s also why common passwords should be avoided, since generating a partial rainbow table of all common passwords is pretty trivial.

      “a hash file can be deconstructed by reversing the algorithm” — No. That’s the point of a hash, it’s one way only. You cannot get the passwords from the hashes by calculation.

      Reply
  10. Hi Leo, This article really made me think twice about security on sites that I use. I recently subscribed to a site using PayPal to pay for the subscription. When I couldn’t logon the next day, I submitted a “forgot password” request. I was shocked when I received an email that had my user name correct, but had combined it with my PayPal password. There was no option in the email to reset the password. I was actually able to logon to the subscription site using the PayPal password. I immediately changed passwords on both accounts, but this really left me worried about 1. How could this happen? 2. The security of both sites, and 3. How do I better protect myself?

    Reply
    • Hard to tell what happened exactly, but see below for some speculations. To respond to your 3rd question: Never cross-contaminate account credentials across sites. That means, for example, don’t use your Google login credentials to sign up on another site or don’t use your PayPal credentials to subscribe to anything else. Each account should have its own distinct set of username and password. In the current situation you’re describing, just changing your password may not be sufficient. I’d delete/close the subscription account entirely and change your PayPal password again. But, before you create a new PayPal password, clear your browser cache (cookies, etc). Then get online and investigate this subscription site to check its reputation. Start with the various URL check sites, such as offered by Google, Norton, TrendMicro, etc.

      The fact that you got your current PayPal password in the email is disconcerting. It suggests that PayPal is storing your actual password text in its database, which is a HUGE security hole. On top of that it suggests that their database is accessible by other sites. So, when you ask “how do I protect myself”, first ask yourself “why do I need PayPal”? Why would you interject a third party entity between you and your money? If you paid directly with your credit card the parties involved would be you and your bank. Now you have PayPal sticking its nose into your financials. If you use a major bank and a credit card, you have sufficient protections. Another safeguard is never use the same email address for financial sites and social/subscription sites.

      About what could have happened? Optimistically, that subscription site may be an affiliate of PayPal, in which case all your info is being shared. If you were on the subscription site’s page and there was a PayPal link where you logged in and typed your PayPal password, the password could have been taken directly from that page. (Yes, they can do anything on a web page). Or, depending on the site you thought you subscribed to and how you created your account, you may have been phished and hacked.

      Reply
      • As you say, it’s hard to know what happened, but my theory is that the subscription site presented the login dialog, and slurped up the PayPal password. I’m absolutely convinced that Paypal does NOT store actual passwords, and does NOT share password information with anyone, anywhere, at any time.

        Without more details and specifics, though, it’s all just speculation.

        Reply
        • Just to clarify…this was a subscription service for archived newspapers. I have used it on and off for years, and already had a password for the account, and was logged in when re-subscribing. I used PayPal at checkout and was presented with the screen to log on to PP with my account credentials in order to complete payment. Have done this many times over the years without a problem. The process completes, the purchase has been made. All of the steps from order, through checkout, and through completion of the purchase were normal. After doing a few searches, I logged off of the site. You know the rest of the story from my original comment. Technically, I am using a CC, just linked to PP so that I don’t have to give out my CC number. Maybe this is no longer a safe option.

          Reply
          • I’m reluctant to call it that, specifically, because we Just Don’t Know. I like your theory of accidentally entering the password elsewhere due to confusing layout. (I’ve done that.)

  11. PayPal doesn’t send you your password when you forget it. It sends a reset link as best practice dictates. It doesn’t appear that she used her PayPal cedentials to open the site. She used PayPal to pay for access. Those are different. PayPal is a safer method of payment than entering a credit or debit card number as it protects you against the site you are sending money to from misusing it.
    That site she opened that account on did security wrong and stored her password. The only way I can think of that would allow them to send her the password was if she accidentally typed the PayPal password in the field to set a password for that site. Changing the passwords should be enough as long as they were long strong (at least 14 character) unique (not used on any other sites) passwords

    Reply
    • Thank you, Mark. It was the subscription site that sent me an email containing my user name for that site and the password to my PayPal account. As I previously stated, there was no reset link. I have been using the internet almost as long as it has existed, and have never had any site send me a User Name\Password combination. I don’t use the same email addresses for all accounts. I have unique long passwords for every account. I use CCleaner regularly, two-step authentication on financial accounts, etc. It is extremely disconcerting to be expecting a reset link and receive the email with a password to another account.

      Reply
      • I could be wrong, but the only thing that comes to me is that that website has a confusing signup page and you accidentally entered your PayPal password on their page. When a purchase is made via PayPal, you are sent directly to the PayPal login page and you log into PayPal directly on the PayPal web page. It it happened any other way , you would have entered your password on the subscription page.

        Reply
  12. Good day, how do I recover my facebook account. Even if I activated the two-factor authentication. I can’t use the phone number also my Gmail account that I added to. Please me to recover my account. I also try the Trusted reveals and when I’ve changed the password and try to log in using the new password it’s still not working. Please help me to recover because I that for my studying. I’m looking forward to your reply. Thank you I’m from Philippines

    Reply
    • For each of the affected accounts, follow the “I forgot my password”, or “Having trouble logging in” options that they present. Follow them CAREFULLY. If they do not work then your account may not be able to be recovered.

      Remember: it is CRITICAL that you maintain your recovery, and two-factor information currently. If you change or lose your phone number you MUST update your account. If you do not you run the risk of losing your account forever.

      Reply
  13. Good day, how do I recover my facebook account. Even if I activated the two-factor authentication. I can’t use the phone number also my Gmail account that I added to. Please help me to recover my account. I also try the Trusted reveals and when I’ve changed the password and try to log in using the new password it’s still not working. Please help me to recover because I that for my studying. I’m looking forward to your reply. Thank you I’m from Philippines

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.