Password “hacking”: a server-side perspective

Albert Liang
Published in Tech Sketches
3 min read · Apr 23, 2018

What happens when a server gets hacked? How do servers store username/password combinations?

All too frequently these days, we read a news article or receive an email saying so-and-so has been hacked and X amount of user/passwords have been stolen (among other things like birthdays, security questions, and even social security numbers…).

So what exactly do hackers get when they steal a bunch of data from servers? Well, hopefully they didn’t get your passwords in plain text (looking at you, Sony). What they usually get is something like this:

That second column of incomprehensible text is called a hash. (For this example, Bob’s password was “hello” and only the first 6 characters of its MD5 hash were saved. Sally’s password was “goodbye”.)

A hash function is a one-way function — meaning you can create a hash from a password, but cannot “undo” the hash to figure out the actual password. This is the reason most websites send you “password reset” links instead of emailing your actual password.

To log in, you type in your password and the server runs it through the hash function, then checks if the hash of what you just typed matches the hash in their database for your username.

So, unless the website is extremely stupid (*cough* Sony *cough*), when a hacker steals millions of user accounts, they will only get a bunch of hash values. Now, they have to randomly guess until they figure out what your original password was.

However, more than one password can map to the same hash, and when only the first 6 characters of the hash are stored, the number of distinct values is small. In the above example, Bob’s password can be cracked in 2 minutes and 10 seconds using a simple Python script:¹

Hash is '5d4140'.
Password cracked using '14xdof5a'.
It took 18650129 tries.
Time: 2m10.066s

If the hacker types “14xdof5a” into the password field, they will also successfully log in as Bob.
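To make the server-side picture concrete, here is an added example (not code from the original post) that puts the storage scheme from the table above, an unsalted MD5 digest cut down to a 6-hex-character prefix, next to a hardened scheme: a random per-user salt, a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from Python’s standard `hashlib`), and a constant-time comparison. The user records, the iteration count and the `guess<N>` candidate strings are constructed for illustration; the collision search is run against a 2-character prefix so that it finishes in a fraction of a second rather than the 16.8 million tries a 6-character prefix needs.

```python
import hashlib
import hmac
import secrets
from itertools import count

# --- Scheme from the post: unsalted MD5, truncated to a hex prefix ---------

def truncated_md5(password: str, hex_chars: int = 6) -> str:
    """Return the first `hex_chars` hex digits of MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:hex_chars]

def prefix_space(hex_chars: int) -> int:
    """Number of distinct values a hex prefix can take (16**6 = 16,777,216 for 6 chars).
    Guessing uniformly at random, that is also the expected number of tries."""
    return 16 ** hex_chars

def verify_truncated(stored_prefix: str, candidate: str) -> bool:
    """Login check as the post describes it: hash the input and compare prefixes.
    Any string whose prefix collides is accepted, not only the real password."""
    return truncated_md5(candidate, len(stored_prefix)) == stored_prefix

def find_colliding_password(stored_prefix: str, exclude: str) -> str:
    """Deterministically find a *different* string with the same truncated hash.
    Candidates are the constructed strings guess0, guess1, ...; a 2-char prefix
    needs about 256 tries, the post's 6-char prefix about 16.8 million."""
    for i in count():
        candidate = f"guess{i}"
        if candidate != exclude and verify_truncated(stored_prefix, candidate):
            return candidate

# --- Hardened scheme: salt + slow KDF + constant-time compare --------------

PBKDF2_ITERATIONS = 200_000  # illustrative value; raise it as far as your hardware tolerates

def make_record(password: str) -> dict:
    """Create a stored credential: random 16-byte salt plus the full PBKDF2 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}

def verify_record(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    # Bob's row from the post: md5("hello") starts with 5d4140
    print("Stored prefix for 'hello':", truncated_md5("hello"))
    print("Distinct 6-char prefixes:", prefix_space(6))

    # Shrink the prefix to 2 chars so the collision shows up almost instantly
    short = truncated_md5("hello", 2)
    other = find_colliding_password(short, "hello")
    print(f"'{other}' logs in as Bob under a 2-char prefix:", verify_truncated(short, other))

    # Same credential under the hardened scheme: only the real password verifies
    bob = make_record("hello")
    print("hardened accepts 'hello':", verify_record(bob, "hello"))
    print("hardened accepts the colliding string:", verify_record(bob, other))
```

The `prefix_space(6)` figure of 16,777,216 is why the post’s script needed roughly 18.6 million random guesses: with uniform random guessing the expected number of attempts equals the size of the prefix space, and that space is tiny. In the hardened record the colliding string is rejected because the comparison covers the full 256-bit digest, the salt means a precomputed table for one user is useless against another, and the iteration count makes every guess cost orders of magnitude more than a single MD5.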

So what does this mean for the everyday user? Well, for starters, when your credentials have been stolen during a hack, you’re not immediately in danger. It’ll take time to crack the password before they can use it.

However, you are in danger if:

  • The company that got hacked doesn’t discover the hack right away
  • Or, they fail to report it to the public right away
  • Or, you use the same username/password combination on multiple websites

The last point is really the only thing in your control. While a password manager (such as KeePassXC) is the best way to go, it might feel too cumbersome to use. If you use the same password for everything, then one simple way to mix things up is to append a word to the beginning or end of your password. For example, “bankmelissa1988” and “gmailmelissa1988” are technically two very different passwords, but as the password owner, it’s abundantly clear which password to use where.

If you really want to mix things up, I would recommend taking a look at my multicultural passwords post, which is also a fairly easy way to increase password strength.

That’s all for this week! I hope it was helpful!

¹ I ran this on a MacBook Pro using a single core. A desktop computer and/or multiple cores would crack the password much faster.

# Simple password hacking script
# Written in a hurry by Albert Liang
import hashlib, random, string

match = '5d4140'  # first 6 hex characters of md5("hello"), Bob's stored value
print("Hash is '%s'." % match)

count = 0
xhash = ''

# Keep generating random 8-character lowercase/digit strings until the
# first 6 hex characters of the MD5 digest match the stored prefix.
while xhash != match:
    x = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
    xhash = hashlib.md5(x.encode()).hexdigest()[:6]  # .encode(): md5 needs bytes on Python 3
    count += 1

print("Password cracked using '%s'." % x)
print("It took %d tries." % count)

Albert Liang
Tech Sketches

Tech junkie, entrepreneur dreamer, practical engineer