I was chatting with a particularly astute 15-year-old this weekend (we can call him Jack, just for fun) and the conversation turned to computer security.
We were exchanging ideas about general security topics and Jack asked this question:
“If I type my password incorrectly on a website, it eventually locks me out, but when the hackers do it, they never get locked out. How is that possible?”
At that moment, I realized one of the biggest problems as to why the typical computer user does not worry about password complexity (using random characters in a password) or password re-use (using the same password across multiple online accounts).
It is all a simple lack of understanding about how hackers figure out passwords.
Most people think that the hackers sit at a computer (wearing a black hooded sweatshirt, of course), frantically typing passwords into a website’s login page until they magically guess the correct password before the account lockout takes effect.
Given that scenario, which has been played out in more than one awful hacker movie and television show, it is no wonder that people think that their cat’s name and adoption year are strong passwords. Fluffy2012, anyone?
But there’s a reason why the hackers never lock your account – and it’s through a technique known as an offline-attack.
Here is how the offline attack is carried out:
Passwords are stored in a large file on a company’s server. If the company is practicing good security, those passwords are stored in a form that masks the password behind a numerical calculation, known as a checksum or “hash” value.
When a file containing the passwords or password hashes is stolen from a company (usually part of a larger breach), the file is placed on a separate computer and tools are run on it to reveal the passwords.
Even though the passwords may be hashed, there are tools that can find the equivalent numerical representation of that hash to reveal the password.
Since this is all done on a machine that is not subject to an incorrect password lockout threshold, the tool can run as long as necessary to churn through all the possibilities until the passwords are revealed.
The hackers never need to type the password into the website.
Once the passwords are revealed, they can be sold on the criminal market for varying amounts. The longer it takes a company to discover the breach, the longer the passwords are valid for criminal use.
(Note: Ideally website passwords are salted with a unique value before they are hashed. If phrases like “salted and hashed” make your eyes glaze over, check out this entertaining video.)
Perhaps if we can spread the word about how passwords are stolen and guessed to the general population, we can move closer to better password behavior among the typical computer user. This may go a long way towards removing the hoodies from the hackers’ heads.