
Can someone explain hacking to me?

All things awesome.

Postby SouthernFriedInfidel » Sat Jan 21, 2012 6:30 pm

Over the past couple of months, I've had a couple of my on-line apps hacked and been forced to change my password. What I can't figure out is... how can a hacker find my password? I've seen some places that give the advice on how to make your password "uncrackable," which really doesn't make any sense to me. How on earth can running login actions on an application be like the game "Mastermind," where you make a guess, get FEEDBACK on how close you are, and refine your guess on the next round? Shouldn't login feedback be "yes/no" only??

Yet again, how can a login be set up for unlimited tries, allowing a brute-force solution of trying all possible permutations of keyboard characters?

I'm just curious. What little I know of computer security, this hacking business makes no sense to me at all...
SouthernFriedInfidel
 
Posts: 1770
Joined: Tue Aug 08, 2006 4:54 pm
Location: 5th circle of hell -- actually not very crowded at the moment.

Postby Liv » Sat Jan 21, 2012 7:07 pm

I think, in most cases, hackers get into the databases and download the data.

I know I think I got hit on the Zappos thing.

I went around and changed a lot of mine.

Don't forget if you accidentally install spyware, someone may be visually watching your keystrokes.

I'm running Spybot as I type right now.

Several years ago, someone had hacked into the old-old-old Greensboring because of a backdoor in the software at my host. I can't remember if it was Godaddy or Hostgator at the time, but I found out after they quietly patched the problem. Unfortunately they had hacked almost all the files on the host.
Liv
Imagine What I Believe
 
Posts: 2773
Joined: Wed Oct 05, 2005 6:59 pm
Location: Greensboro, NC

Postby The Vicar » Sat Jan 21, 2012 8:18 pm

Ignoring social engineering (pretending to be someone who has authority in order to get you to give away your password directly) and cases where your own stupidity harms you (when you use your birthday, or use the same password for every service), there are various techniques:

There's brute force, which is what people usually talk about first. If the target is such that you won't be able to tell whether you succeed or not until you try, it can take a long time to try a significant number of passwords. (And lots of web services have a "three failed attempts = lockout" policy, which makes it difficult.) On the other hand, many times it's a case where the barrier is simply "does X encrypt to the stored encrypted value using some known encryption function". Most operating systems use this unless you turn on more advanced options. If the encrypted passwords are not protected from random programs, and the encryption algorithm is known, then you can write a program which will simply start encrypting every value in sequence until it hits something which matches. Given that encryption algorithms are usually constructed to be very fast, a program can make thousands of tries per minute without making any serious attempt at acceleration -- GPU acceleration schemes like OpenCL boost the numbers up by an order of magnitude or so.

More usually, as suggested by a previous commenter whose comment I can't see because the comment composing page doesn't show other comments, a hacker will in some way get hold of a list of passwords from a website. Lots of online service designers are almost unbelievably stupid about security. They will, for example, assume that nobody will ever break their security so it's okay to store passwords unencrypted. Or they will use an encryption method which is not intended for one-way use, so the passwords can be decrypted easily. Or they will fail to change the default administrator password on the database software. Then all it takes is a single successful attack and a hacker can get access to all the passwords (in some form) at once. Amazon and Sony have both gotten caught this way -- and those are both high-tech companies. Things can be worse when it's some small business whose web services were built by the owner's nephew because "he took a word processing course back in junior high, and he has a Facebook page, so he knows all this computer stuff".

And, of course, when it's a matter of online services, even if you and the service designers aren't susceptible to stupidity, the employees responsible for running the system on a day-to-day basis may be. The initial attack which gives the hacker a password list may be something really, really dumb -- an e-mail from "Joe in IT" asking them to "install this patch on the server for me, if you get a warning from the antivirus software go ahead and ignore it". And once a hacker gets the list of encrypted passwords, they can then apply brute force to them without any delays or protection. This is why, convenient though it may be, you should not use the same password on multiple systems if you can avoid it.

(There are also techniques used when a hacker has brief physical access to a system. Security experts will tell you that if a hacker has access to your hardware, then all bets are off -- but even if you just turn your back for a moment, there are things hackers can do, particularly on PCs, such as putting in a CD with a rogue program and hoping you have Autorun turned on.)
The Vicar
 
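The Vicar's point about a leaked list of "encrypted" passwords being brute-forced "without any delays or protection" comes down to how cheap each guess is. The following is an added example, not code from this thread: it contrasts a bare, unsalted SHA-256 store with a salted, key-stretched PBKDF2 store, and times how many candidate checks per second each permits. The passwords, the five-word candidate list and the iteration count are constructed for illustration.

```python
"""Why a leaked list of fast, unsalted hashes is cheap to check, and how a
salted, key-stretched hash raises the cost of every guess.

All values here are constructed for illustration, not taken from the thread."""
import hashlib
import hmac
import os
import time

# "Fast" scheme: a bare SHA-256 of the password, no salt. Identical passwords
# always produce identical hashes, and each check costs one hash call.
def store_fast(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def verify_fast(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_fast(password), stored)

# "Slow" scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt and many
# iterations. The salt makes equal passwords hash differently, and the
# iteration count has to be paid again for every single guess.
def store_slow(password: str, iterations: int = 100_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_slow(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def guesses_per_second(verify, stored: str, candidates: list) -> float:
    """Check every candidate against one stored hash and report the rate."""
    start = time.perf_counter()
    for guess in candidates:
        verify(guess, stored)
    elapsed = time.perf_counter() - start
    return len(candidates) / elapsed if elapsed > 0 else float("inf")

if __name__ == "__main__":
    # Constructed candidate list; "hunter2" is the assumed user password.
    candidates = ["123456", "password", "letmein", "qwerty", "hunter2"]
    fast, slow = store_fast("hunter2"), store_slow("hunter2")
    print(f"fast scheme: {guesses_per_second(verify_fast, fast, candidates):,.0f} guesses/s")
    print(f"slow scheme: {guesses_per_second(verify_slow, slow, candidates):,.0f} guesses/s")
    # Two users with the same password: only the unsalted scheme reveals it.
    print("fast hashes equal:", store_fast("hunter2") == store_fast("hunter2"))
    print("slow hashes equal:", store_slow("hunter2") == store_slow("hunter2"))
```

The rate gap printed at the end is the "delay" a lockout policy would normally impose online, moved into the hash itself so it still applies after the list has leaked.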

Postby A Person » Sat Jan 21, 2012 10:09 pm

The thing to remember is that there's no single method - as the Vicar points out. There are masses of them and he's covered most of them, but remember how Palin's email account was hacked? It was one where if you 'forget' your password you can reset it after answering a security question. I believe hers was 'what is the name of your high school?' which is easily guessed.

Most of those questions are very low security - your mother's maiden name can often be found if you have an internet presence.
A Person
 
Posts: 1741
Joined: Sat Nov 25, 2006 7:30 pm
Location: Slightly west of the Great White North

