by Peter Murton
How passwords are hacked
​
Hackers (criminals) use these methods (and more) to discover your passwords:
- Brute Force attacks - try every combination of password characters until you get a result (works well on short passwords)
- Rainbow Tables - the explanation is a bit technical, but they work from passwords that have already been stolen (very effective, especially if you use the same password across multiple web sites)
- Dictionary attacks - the hacker community shares lists of known passwords and uses them to discover yours if it is in there
- Dictionary with rules - same as above, but applying commonly used rules or character substitutions (this makes 'password', 'p@ssword' and 'p@55w0rd' look exactly the same, and they take no longer to discover)
- 'Social Engineering' - phishing and similar exploits that make you volunteer your password to a hacker.
​
If we stop at this point and summarise: the technical methods of password discovery can be defeated by a single remedy. Using long, random passwords that are different for every web site you use, and that are changed frequently, will reduce the risk of discovery enormously (if they are long enough and random enough they may never be discovered by computation). Any strategy that relies upon your memory is therefore doomed, and you should not go down that path.
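The list of attacks above and the remedy just stated can be made concrete. The following Python is an added example, not code from the original article: it undoes the common character substitutions so that 'password', 'p@ssword' and 'p@55w0rd' are all recognised as the same dictionary word (the way a rule-based dictionary attack would), estimates how long exhausting the keyspace of a given password would take at an assumed rate of ten billion guesses per second, and generates a long random password with the standard library's secrets module, which is the kind of thing a password manager does for you. The guess rate, the substitution table and the tiny word list are constructed for illustration; real lists run to millions of entries.

```python
import secrets
import string

# Constructed sample of "known passwords" (a real leaked list has millions of entries).
KNOWN_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "dragon"}

# A small, assumed subset of the substitutions a rule-based dictionary attack applies.
# A checker has to undo them before comparing against the word list, otherwise
# 'p@55w0rd' sails through while being no harder to guess than 'password'.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                 "0": "o", "$": "s", "5": "s", "7": "t"}

# Assumed attacker speed used for the keyspace estimate (guesses per second).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def normalise(password: str) -> str:
    """Lower-case and undo substitutions so 'P@55w0rd' compares as 'password'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def brute_force_years(password: str) -> float:
    """Worst-case years to try every string of this length over the alphabet the
    password draws from (how a brute-force attack scales with length)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    combinations = alphabet ** len(password)
    return combinations / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(password: str) -> str:
    """Policy check a registration form could apply: reject dictionary words
    (with or without substitutions) and anything short enough to brute-force."""
    if normalise(password) in KNOWN_PASSWORDS:
        return "reject: dictionary word (substitutions do not help)"
    if len(password) < 12:
        return "reject: too short, brute-forceable"
    return "accept"


def generate(length: int = 20) -> str:
    """Random password from the full printable alphabet, using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "p@ssword", "P@55w0rd", "Zq7!", "correct-horse-battery-staple"]:
        print(f"{candidate!r:32} -> {normalise(candidate)!r:32} {assess(candidate)}")
    for candidate in ["abcdefgh", generate(20)]:
        print(f"{candidate!r}: about {brute_force_years(candidate):.3g} years to exhaust")
```

The three substituted spellings all normalise to the same word, which is exactly why the article says they "look exactly the same" to an attacker; the keyspace figures show why length and a random alphabet, not clever spelling, are what make computation hopeless.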
​
The good guys vs the bad guys
​
You should assume that some companies will be exemplars of best practice in managing their customers' / users' passwords. Companies like Google, Amazon, Ocado and many others will do everything right (differently maybe, but right). The big kick in the butt for all of us who re-use passwords across multiple sites comes when you realise that some sites are terrible at password management.
​
Consider, by contrast to the good guys, http://www.dodgydick.com, from which you can buy stuff that fell off the back of a lorry and whose owner paid a failed programmer £500 to build the e-commerce web site. That programmer may have created three things:
- A database application that makes it easy to steal a user's login details from the inside
- A database application that makes it easy to steal a user's login details from the outside
- An extension of the owner's lack of care for other people's property, in the form of a web site that cuts all the corners because £500 does not buy you the time to do anything properly

Our failed programmer might write some code that despatches each user's login details to himself by email when users register. This is known to happen.
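To show what the "from the inside" risk looks like in code, here is an added Python example (not from the article, and not the code of any real site): the corner-cutting version stores each password exactly as typed, so anyone who copies the table, or emails rows to himself, holds every customer's password; the careful version stores only a random per-user salt and a slow hash derived with hashlib.pbkdf2_hmac, so a stolen table still has to be cracked one password at a time and two customers who chose the same password get different rows. The in-memory table and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the site's user table (assumption for the demo).
users = {}

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def register_badly(username: str, password: str) -> None:
    """The corner-cutting version: the password is stored exactly as typed,
    so anyone who can read or copy the table owns every account."""
    users[username] = {"password": password}


def register(username: str, password: str) -> None:
    """Store a random per-user salt and a slow salted hash, never the password.
    The salt means two users with the same password get different hashes."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    users[username] = {"salt": salt, "hash": digest}


def verify(username: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    row = users.get(username)
    if row is None or "hash" not in row:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), row["salt"], ITERATIONS)
    return hmac.compare_digest(digest, row["hash"])


def stolen_copy() -> dict:
    """What an attacker (or the insider emailing rows to himself) actually gets."""
    return {name: dict(row) for name, row in users.items()}


if __name__ == "__main__":
    register_badly("bob", "letmein")
    register("alice", "correct-horse-battery-staple")
    register("carol", "correct-horse-battery-staple")
    for name, row in stolen_copy().items():
        print(name, row)
    print(verify("alice", "correct-horse-battery-staple"), verify("alice", "wrong"))
```

In the stolen copy Bob's row reads back as his password in clear, while Alice's and Carol's rows are two different salted hashes even though they chose the same password; a password manager generating a different password per site is what stops the Bob case from spilling over to every other account you hold.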
​
From your point of view, you may not be able to tell the difference between a good web site and a bad one - you can only go by perception, because you don't know what is 'under the hood'.

So let's say dodgydick.com gets hacked and all of its users' login details are stolen: the hackers can then be you on Amazon, Google, Ocado etc., or at least get in and have a play. Those companies will probably have other checks in place so that you can't change email addresses and delivery addresses willy-nilly, but not all companies will do that. The point is that your security is severely compromised, and you should take steps to avoid the possibility of it happening to you:
- Use strong passwords
- Use a new password for every site you use
- Change them frequently