How Hackers Steal and Use Your Passwords

You just heard in the news about another online company getting hacked and all of their password’s getting stolen; including yours.  Unfortunately this is old news in 2021. But how does that happen and what does that mean for you? It could mean that even though it was an online retailer who got hacked, your bank account could ultimately be emptied.

“Hold up.  How does that happen?”

Let’s first look at how companies store passwords.  When you set a password on a website, the company puts it through an encryption algorithm.  This scrambles the information in a way that can’t be read any more.  For example, if your password was “hello” it might be stored as

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

and if your password was “Helloworld!” it might be stored as

5c6e9ce66cd85898720fcc906a5ccd2e8447deea99e81ac3c46a6563b29200bf

This is called “hashing” and it can’t be reversed to find out your password.  Companies then store these “hashes” in a database to be checked when you login to a website.

When a hacker breaks into a company, they usually look for and download the entire password database.  Often too late, companies realize this has happened, and they ultimately notify you that “it’s time to reset your password.”

“Ok but those hashes look secure to me, and you can’t reverse it, so what’s the problem?”

In short, not all encryption algorithms are built equally, and even worse, many companies don’t protect their passwords correctly.  Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods:

First, they can compare the stolen hashes to other ones from previous hacks.  So if they see

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

in their stolen passwords, and then see

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

in another stolen password database, they have a match and know that your password is actually just the word “password” (please don’t do this).  If you want to see a high level version of this, check out the online tool https://haveibeenpwned.com/.  The tool can see if your email address was associated with a known stolen password and where else there was a “match”.

Up next, if hackers know the hashing method used by the company, they can start running password guesses through it.  So they may enter “thisismypassword” into the algorithm, and out comes

1da9133ab9dbd11d2937ec8d312e1e2569857059e73cc72df92e670928983ab5

and bingo, they have a match to one or more of the passwords in their list.  Hackers have large databases of known passwords they can run through these algorithms at breakneck speed that allows them to slowly chip away at their stolen password list. Before long, they’ll have a long list of actual passwords ready to use.

This doesn’t sound that hard or complicated right?  It isn’t, and it’s probably closer to “busy work” and “diligence” than “extreme hacking.”

“Wonderful.  So what do they do with that list?”

Many hackers will sell the list on the dark web to the highest bidder.  That could be another hacker, or even a foreign government. That winning bidder though, will then take the list and start trying to use the passwords.  If the site they were stolen from was of enough value, the hackers will log in and cause problems there. But more likely, they start trying your password on other sites, like Facebook, or bank websites, to see if they can get in there. This is called “credential stuffing” and is a common source of hacked accounts.

Since the hackers now have your password, and probably email, they can also adjust their approach based on their results.  Since you have most likely used your password elsewhere, or a slightly varied version of your password, they can fine tune their attempts until they have success.

“So I may be one of those people...what do I do?”

Many companies don’t take the time to protect your information because it costs money with little value for them.  The consequences of “getting hacked” aren’t as big anymore for many companies, and the requirement to protect your information falls on you.  At Hive Systems, we call this the “sad state of cybersecurity” - where companies aren’t being held accountable for securing your information. We won’t dive into that today (spoiler alert: we think companies should really be doing more), but this is the most important thing you can do to protect yourself today.

We’ve talked at length about the need to use a password manager, but we still know that 65% of you are relying on your memory - which isn’t going to cut it in 2021.  As we’ve shown above, reused passwords, or even just slightly changing your passwords between sites, puts you at immense risk.  This is why you need to have a long, complex, unique password for every website, device, and account you own. In addition, if you can turn on multi-factor authentication, you’ll be immensely more protected than many of your peers whose passwords have also been stolen.  Hackers continue to exploit the most exploitable, so don’t let yourself become the next statistic.

And in case you missed it above, check out our ACT post on Password Managers with the link below and get yourself set up on one today!

Follow us - stay ahead.

Read more of the ACT