Password hacking - how do they do it?

[Wolfchild]

Yesterday someone took over my ebay account and listed a $40,000 item, wrote about it in another thread in Other which apparently no one was interested in

Just wondering - if they have a program that guesses millions or billions of combos until it cracks your password - how is that used? I mean, say they want an ebay or paypal password - do they just hammer that site trying to get into that one account? Or are they internally fishing into that server?

What I'm saying is, I can understand how they could use that to break into my PC if they were in front of it, but if they are hammering the server of say ebay for a longish time for one account, don't those companies have a way of detecting that? Just trying to get my mind around the whole thing.

I'm not sure how they got into my account but someone told me the most likely thing was a dictionary program.

 

[n0cmonkey]

Dictionary, brute force, or phished it from you are the most likely methods. Got spyware?

 

[Wolfchild]

I run Ad-Aware and a couple of other things, did have a couple of data miners last night. I send all phish emails to the proper spoof alert.

How do they use dictionary though?

 

[ttown]

Originally posted by: Wolfchild
I run Ad-Aware and a couple of other things, did have a couple of data miners last night. I send all phish emails to the proper spoof alert.

How do they use dictionary though?

Was your password a normal dictionary word, or a combo of letters/digits/whatever?
I've wondered the same thing, but I've also had a fair number of good looking phish attempts that would probably fool a not-too-saavy user.

I don't know for sure, but my guess is that the hacker would take a list of ebay accounts and a dictionay and write a script to attempt every dictionary word on each account. Chances are ~99.99999% that at least 1 account used a word from the dictionary.

 

[Wolfchild]

Well the password was something like a six-digit nonsense word and a four-digit number. This was not it, but something like trontey1422 - that's not even similar except in format, and I did some research after that and it looks like that would have been pretty easy. It wasn't a dictionary word at all but must have had some guessable elements or something. I have it beefed up considerably now but of course what concerns me is how it happened.

I am on cable behind an NAT router but not using a software firewall. I run Ad-Aware fairly regularly and keep AVG running at all times. It hasn't found any trojans. I've thought of using zone alarm pro but when I've had the free version it was a real pain in the ass, popping up all the time. This was a few years ago.

 

[everman]

It could have been brute forced if it was a dictionary word + a 4 diget number. If you're positive it wasn't phished, then it certainly could be a trojan/virust/etc. I'd probably wipe the HD clean and reinstall after a major security breach like that though.

 

[episodic]

my passwords all look like garbly beloved patriot

tr12mv27g

stuff like that much more secure.

It is easy to do.

Make up a sentence or two like this:

I like to go to 12 stores to eat good chicken.

Take the 1st letter from each word and any # you use.

iltgt12stegc - there a fairly secure password.

Tuck the sentence away till you remember it.

 

[ttown]

Hmmm... that seems like it would be hard to break. It would be much easier to do a plain dictionary attempt -- thereby hacking into someone _elses_ account -- not yours.

I've read about keyloggers -- but don't really know how to be 100% sure they don't exist on a computer. Most of them advertise "completely undetectable, blah blah blah". Maybe that's what you have?

The only kind of firewall that gives me any peace of mind is one that notifies me of out-bound communication. A NAT router and/or microsofts "SP2 firewall" (or ICF) isn't going to do squat about something local sending things out. I used to have a firewall called AtGuard from WRQ that did that, plus showed a status bar with open connections. You could click the "connections" and see what process what communicating to wherever -- inbound and outbound. AtGuard was for win98 and prior -- and they got bought-out by Norton, I think. I'm not sure which firewall (for xp) has the feature for blocking outbound attempts (I think maybe kerio does... but not sure).

If you want to see what's going on sometime, you could open up a command window and issue "netstat -o 3" -- which would show you open connections every 3 seconds. I did that once and discovered my browser was hijacked.

If you ever figure out exactly what happened, I'd be curious to know....

 

[Wolfchild]

I'm just running AVG again and it found a couple of trojans. I had thought the resident shield would catch stuff like this. I stopped doing every day scans a couple weeks ago because I have a couple of drives and it would take forever and a lot of page file usage, when I'd use the computer in the morning after the scan (left it scanning during the night) it would be a little slow until that page file crap was dumped. Guess I'll have to put up with that. I hate the thought of buying Zone Alarm Pro but it advertises that it blocks your outgoing personal info.

 

[episodic]

Originally posted by: Wolfchild
I'm just running AVG again and it found a couple of trojans. I had thought the resident shield would catch stuff like this. I stopped doing every day scans a couple weeks ago because I have a couple of drives and it would take forever and a lot of page file usage, when I'd use the computer in the morning after the scan (left it scanning during the night) it would be a little slow until that page file crap was dumped. Guess I'll have to put up with that. I hate the thought of buying Zone Alarm Pro but it advertises that it blocks your outgoing personal info.

Why buy zonealarm? Kerio is free and does the same thing (better too) imho.

 

[ttown]

I remember hearing that ZA doesn't block "non-standard" outbound traffic. They may have fixed it by now... it's been a long while since I researched.

I've heard very good things about kerio

 

[mhillary]

I found some trojans with NORTON. I removed them but still my system seemed slow so in checked it again and found another bunch of trojans the next day

 

[Wolfchild]

I was not familiar with Kerio. It looks though like I'd need the paid edition to stop private info from being sent from a trojan, or am I mistaken? I was looking at the differences between the free and paid versions. As far as an external shield that isn't really what I need here since I already have the router - just wanting to keep a rogue file from sending my info out.

How do you find if you have a keylogger on your computer?

 

[flashbacck]

Originally posted by: n0cmonkey
Dictionary, brute force,

I've always wondered about this. Shouldn't ebay or whatever notice if 100000 login failed login attempts were made?

 

[BFG10K]

To counter brute force hacking using at least eight characters, avoid dictionary words and include at least one digit in the password somewhere.

 

[Nothinman]

I've always wondered about this. Shouldn't ebay or whatever notice if 100000 login failed login attempts were made?

Only if they care enough to monitor failed attempts.

 

[BlueWeasel]

Originally posted by: episodic
my passwords all look like garbly beloved patriot

tr12mv27g

stuff like that much more secure.

It is easy to do.

Make up a sentence or two like this:

I like to go to 12 stores to eat good chicken.

Take the 1st letter from each word and any # you use.

iltgt12stegc - there a fairly secure password.

Tuck the sentence away till you remember it.

That's pretty good advice.

*changes password from "dog"*

 

[firerock]

From one of the previous PC Mag reading (probably within 2 months), MS is trying to change from password to passphrase in Longhorn. It is almost like episodic suggested, but simpler. Instead of just typing the initial of the phrase that you have to remember (or password), you simply type in the pass phrase that is easy for you to remember and the charachter limit is some 2,000 character phrase. So, your passphrase can be "I like to eat @ Macdonald every Tuesday". Now, if MS can make this passphrase a new standard, it will be impossible for hackers to crack your passphrase, unless you have some keylogger or spyware in your system.

 

[Nothinman]

Now, if MS can make this passphrase a new standard, it will be impossible for hackers to crack your passphrase, unless you have some keylogger or spyware in your system.

It won't make it impossible, it'll just mean the dictionary attacks will have to be smarter. And by the time people start using them computers will be much faster, so that might offset the added characters. A password/passphrase containing dictionary words is bad no mtter how long it is. And most of all people are lazy and gullible, so the security of the password/passphrase is only as good as the person who knows the password/passphrase.

 

[n0cmonkey]

Originally posted by: firerock
From one of the previous PC Mag reading (probably within 2 months), MS is trying to change from password to passphrase in Longhorn. It is almost like episodic suggested, but simpler. Instead of just typing the initial of the phrase that you have to remember (or password), you simply type in the pass phrase that is easy for you to remember and the charachter limit is some 2,000 character phrase. So, your passphrase can be "I like to eat @ Macdonald every Tuesday". Now, if MS can make this passphrase a new standard, it will be impossible for hackers to crack your passphrase, unless you have some keylogger or spyware in your system.

You can already do stuff like that. Don't all OSes have a 64 (or more) character maximum for the passwords these days?

 

[roberoy]

Well Folks,
I have nothing to do for a minute or two so here is my two cents worth.
a) I run an antivirus program automatically every day.
b) I run 2 different spyware programs EVERY time I come off the internet.
c) I delete EVERY cookie I find. (using spyware)
d) I try NOT to buy stuff on the Internet.
e) I delete ALL spam without opening it.
f) I don't open mail without a SUBJECT even though I know the sender.
g) I have so many passwords that I keep a log just to control them.
h) I DO NOT leave my DSL modem turned on when not being used.
i) I limit my time on the Internet to just the essentials.
j) I don't give out any personal info unless absolutely necessary and then I lie as much as possible.
So far, I have not had any serious problems.

 

[Wolfchild]

You forgot k though:

k) I have never had the least bit of fun or usefulness on the computer.

 

[firerock]

Yes, passphrase will get cracked eventually, but at least it will be easier for user to change @ any given time and the length of the passphrase will make it harder for hackers to crack it. Compare that to the standard 7-10 character password to some 20 words passphrase. I once lost the password for my winzip file. It was some 8 characters password. I googled around and found a winzip password crack, and guess how long it estimate to find my password........close to 7 days!

Yes, most of OS already support 64 character password, but "empty space" character is not supported and I would love to see ebay, paypal, amazon...etc to support this function as well.

 

[firerock]

L) stop surfing those prono sites or crack sites

 

[Wolfchild]

L is no kidding though. Wasn't a crack site but I went to a game cheat code site a year or two ago - took me a whole day to track down the slippery malware that got installed, it kept changing itself. Took about five steps to get rid of it, registry edits, etc. Symantec had directions for removal but the makers of the malware had already changed it again, if I remember I googled a more recent removal tool and then followed the rest of Symantec's directions. Some people should be shot...