Inside the world of a password hacker

Posted Mar 27, 2013 by Chris Stewart
Nate Anderson, tech author, was curious about just how simple it was to hack someone's password. Could it be done using only freely available information and equipment? What he found out was more than a little surprising.
32,603,388. An impressive number in almost any situation, but even more so when it represents people; millions and millions of individuals. Any clue as to what they have in common? The answer is that as of 2009, they all had accounts with RockYou, a social network app company responsible for catchy, basic games like poker and "zoo world". Addictive, simple games, crisp marketing, and good timing led the company to its dozens of millions of users. But marketing isn't everything, and in December of 2009, holes in RockYou's security led to the theft of more than 14 million users' password information. This led to the leaking of a file containing those passwords, a master list that was gold to would-be password hackers.
But let's back up: why would such a "wordlist" help hackers who have no interest in RockYou's accounts? In a playful, approachable new piece for Ars Technica, Nate Anderson explains his foray into password hacking and tells us why it left him feeling "a visceral sense of password fragility".
Essentially it boils down to a few key principles. Firstly: how are passwords stored? So you're RockYou, or, for that matter, eBay. When someone logs into their account, how does your system instantly match up their username and password information? By keeping an extensive record, of course. Master lists of information. Lists millions of lines long with nothing but username/password combos. But is it that simple? No, thankfully. As Anderson explains, such lists hold "hashed" versions of the passwords: each password rewritten by an algorithm into a different, fixed-length string. Just imagine that every time you create a new password a program says "thank you!" and then reworks it into an even pass-ier form. Bear with us here.
"For instance, hashing the password "arstechnica" with the MD5 algorithm produces the hash c915e95033e8c69ada58eb784a98b2ed. Even minor changes to the initial password produce completely different results; "ArsTechnica" (with two uppercase letters) becomes 1d9a3f8172b01328de5acba20563408e after hashing. Nothing about that second hash suggests that I am "close" to finding the right answer; password guesses are either exactly right or fail completely."
And so the basic questions of hacking are: A) how to obtain these lists and B) how to "untranslate" the list items.
The answer to the former question is fairly straightforward: people steal the lists. They hack them by breaching loose security measures or finding alternate and much more complicated code-based routes, scam methods (faking audits, etc) and other means.
And so what about once the lists are retrieved? Well, the first thing to note is that they hold the key to more info than you might expect. A great many people, perhaps more than two-thirds as PCWorld has reported, use one or a handful of logins for multiple private accounts.
But the question remains: how to un-hash the hashed lists? For Anderson, it was simpler than he'd expected or hoped, particularly since programs exist purely for the purpose of cracking these wordlists. Programs like "John The Hacker" and "Hashcat" can, without much technical proficiency, be used to reveal the secrets stored in these massive lists.
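As an added example (not code from Anderson's article or from this post), the Python below reproduces the two MD5 hashes quoted above, then runs the wordlist check the post describes against a constructed list of unsalted MD5 hashes, and finally runs the same check against per-user salted, iterated hashes (PBKDF2) to show what that mitigation does and does not buy. The wordlist, the user records and the password values are constructed sample data.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a leaked list like RockYou (not real data).
WORDLIST = ["123456", "password", "arstechnica", "letmein", "zooworld", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme the quoted passage describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Hash every candidate once, then look each leaked hash up in that table.
    Without salt, one table serves every user. Returns ({hash: password}, hashes computed)."""
    table = {md5_hex(w): w for w in wordlist}
    found = {h: table[h] for h in leaked_hashes if h in table}
    return found, len(wordlist)


def salted_hash(password: str, salt: bytes, iterations: int) -> str:
    """Per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256): the usual mitigation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_salted_records(users, iterations):
    """Constructed user table of (username, salt, hash), fresh 16-byte salt per user."""
    records = []
    for user, password in users:
        salt = os.urandom(16)
        records.append((user, salt, salted_hash(password, salt, iterations)))
    return records


def crack_salted(records, wordlist, iterations):
    """Same attack on salted records: every user forces a fresh pass over the wordlist,
    so work grows with users x words, and each guess costs `iterations` rounds.
    Weak passwords still fall; the salt only removes the shared lookup table."""
    found, work = {}, 0
    for user, salt, stored in records:
        for candidate in wordlist:
            work += 1
            if salted_hash(candidate, salt, iterations) == stored:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    print(md5_hex("arstechnica"), md5_hex("ArsTechnica"))  # the two hashes quoted above
    leaked = [md5_hex("zooworld"), md5_hex("123456"), md5_hex("correct horse battery staple")]
    print(crack_unsalted(leaked, WORDLIST))
    users = [("alice", "123456"), ("bob", "zooworld"), ("carol", "correct horse battery staple")]
    print(crack_salted(make_salted_records(users, 1000), WORDLIST, 1000))
```

The unsalted run recovers the two weak passwords with six hash computations in total; the salted run recovers the same two but needs a separate pass per user, and the passphrase survives both because it is simply not in the wordlist.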
All told, it remains frighteningly uncomplicated to extract password information from internet accounts. Free programs exist to decode passwords, and master wordlists are obtained and traded with the same ease as everything else of value on the world wide web.