{"id":486,"date":"2021-10-29T03:52:37","date_gmt":"2021-10-29T01:52:37","guid":{"rendered":"https:\/\/infosecscout.com\/?p=486"},"modified":"2023-11-22T13:00:13","modified_gmt":"2023-11-22T12:00:13","slug":"how-do-hackers-get-hashed-passwords","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/","title":{"rendered":"How do Hackers get Hashed Passwords?"},"content":{"rendered":"\n<p>It is a common thing to hear people complain of fraudsters hacking their accounts. One wonders how possible this is, since most people never reveal their passwords. For many, such acts lead to losing their funds, while others get locked out from their social media handles. But how do passwords get hacked in the first place?<\/p>\n\n\n\n<p><strong>As a whole, your passwords are always stored in a database or backend storage on each website or app you use. Passwords are not kept in plain text, but in hashed format (encrypted one way or another). By using specific attack strategies, hackers may access to this hashed password.<\/strong><\/p>\n\n\n\n<p>In this article, I will give you 5 examples of how hackers can get hashed passwords. They will then use techniques like <a rel=\"noreferrer noopener\" href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\">brute-force<\/a> or a <a rel=\"noreferrer noopener\" href=\"https:\/\/infosecscout.com\/what-is-a-rainbow-table\/\" data-type=\"post\" data-id=\"472\" target=\"_blank\">rainbow table<\/a> to decrypt the weaker passwords in the database.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#5_Ways_Hackers_Can_Find_your_Passwords\" title=\"5 Ways Hackers Can Find your Passwords\">5 Ways Hackers Can Find your Passwords<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#SQL_Injection\" title=\"SQL Injection\">SQL Injection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Phishing\" title=\"Phishing\">Phishing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Brute_Force_Attack\" title=\"Brute Force Attack\">Brute Force Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Malware\" title=\"Malware\">Malware<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Exfiltration_leaked_data\" title=\"Exfiltration (leaked data)\">Exfiltration (leaked data)<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Related_questions\" title=\"Related questions\">Related questions<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#Can_I_retrieve_my_hacked_account\" title=\"Can I retrieve my hacked account?\u00a0\">Can I retrieve my hacked account?\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#What_can_a_hacker_do_with_a_hashed_password\" title=\"What can a hacker do with a hashed password?\">What can a hacker do with a hashed password?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/infosecscout.com\/how-do-hackers-get-hashed-passwords\/#How_do_I_protect_my_hashed_passwords\" title=\"How do I protect my hashed passwords?\">How do I protect my hashed passwords?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_Ways_Hackers_Can_Find_your_Passwords\"><\/span>5 Ways Hackers Can Find your Passwords<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/10\/stolen-password.jpg\" alt=\"\" class=\"wp-image-489\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/10\/stolen-password.jpg 800w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/10\/stolen-password-300x169.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/10\/stolen-password-768x432.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_Injection\"><\/span>SQL Injection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>An SQL injection method involves inserting an SQL command into a data plane to alter predefined commands. It uses malicious codes for databases stored at the backend to manipulate information access.<\/strong> <\/p>\n\n\n\n<p>The success of the attack result from exploiting or manipulating the security vulnerability of a web page.\u00a0<\/p>\n\n\n\n<p>An impact comes in the form of giving unauthorized views of users&#8217; details. It also offers attackers administrative rights to databases. In extreme situations, attackers spoof identity or change balances. They tamper with existing data, destroy or make them unavailable.\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Phishing\"><\/span>Phishing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Phishing is the most common hacking method used by cybercriminals. You probably heard the name before now. It entails disguising malicious content as reliable communication. <\/strong><\/p>\n\n\n\n<p>What happens here is that unsuspecting victims release sensitive information and passwords to fraudsters. Many of the attacks disguise as friendly content, leading users into believing its authenticity.<\/p>\n\n\n\n<p>The possibility and success arise via the use of malicious software. Attackers observe activities on a site, including the navigation of victims. Therefore, they transparently mirror a site and retrieve vital information and carry out attacks. By this means, it becomes easy to hash a password since they see all operations.\u00a0The activities used in achieving successes include:<\/p>\n\n\n\n<ol type=\"1\"><li><strong>Identifying a target.<\/strong><\/li><li><strong>Creating emails or texts that appear genuine.<\/strong><\/li><li><strong>Attaching dangerous links.<\/strong><\/li><li><strong>Use of emotions<\/strong> (like fear, urgency, or greed) to lure victims into opening such links<\/li><\/ol>\n\n\n\n<p>Hacking altogether appears challenging to prevent. However, my recommendation is to exercise extra caution with sensitive information. The truth is, hacking involves intelligent and calculated moves.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Brute_Force_Attack\"><\/span>Brute Force Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>A brute-force attack involves a trial-and-error method. It uses an application program to decode encrypted keys and login information. One fundamental way to carry out this method is by guessing the password. Attackers employ the use of relevant clues.\u00a0<\/strong><\/p>\n\n\n\n<p>For example, most people reuse their passwords, and a previous data breach exposes them. Another means is the use of reverse brute force. Here, attackers take commonly used passwords and try to guess associated usernames.\u00a0Brute force attackers also employ a sort of automated processing. <\/p>\n\n\n\n<p>It allows multiple quantities of passwords to get fed into a system. The idea is to input all possible passwords until the attacker gets the right one.\u00a0<\/p>\n\n\n\n<p>You can read this article to learn more on how <a href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\" rel=\"noreferrer noopener\">brute-force attacks really work<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Malware\"><\/span>Malware<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Malware operates by recording every activity on a system. For example, with passwords, hackers design software applications to screen-grab a login process. A copy of the file then goes to hacker central.<\/strong><\/p>\n\n\n\n<p>Most malware takes the form of a screen scraper or keylogger- they also get an existing web browser file containing saved passwords from the browsing history. <\/p>\n\n\n\n<p>The malware then puts a polite request for the browser&#8217;s data encrypted tool to decrypt information. Of course, such requests, that look like the user&#8217;s, appear safe\u2014leaving the system with no choice but to honor the request.<\/p>\n\n\n\n<p>The only way to escape such attacks is through proper encryption. I also advise you to enter passwords rather than trusting your browser for safekeeping manually.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Exfiltration_leaked_data\"><\/span>Exfiltration (leaked data)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Hackers carry out exfiltration of hashed passwords through leaked data. Once there&#8217;s a security breach on a company&#8217;s database, hacking becomes easy. The next step involves cracking your password.<\/strong><\/p>\n\n\n\n<p>Exfiltration happens when the algorithm for a company&#8217;s website gets weak. Copying, retrieving, and transferring data to another server becomes possible. So, data not adequately protected becomes an easy target for hackers.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Here is a tool you can use<\/a> to quickly check if you email address is linked to a recent data breach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Related_questions\"><\/span>Related questions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Can_I_retrieve_my_hacked_account\"><\/span>Can I retrieve my hacked account?\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As cyberspace and its related technology improve, so do the criminals and attackers. They go after the databases of companies for various reasons. Once you discover the hacking of your hashed password, I suggest you do a variety of things:\u00a0<\/p>\n\n\n\n<ul><li>Change your username <\/li><li>Try resetting all your user&#8217;s passwords.\u00a0 <\/li><li>Change your security question. <\/li><li>Also, recover all your data from backups. <\/li><li>Warn your contacts <\/li><li>Guard against a reoccurrence.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_can_a_hacker_do_with_a_hashed_password\"><\/span>What can a hacker do with a hashed password?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Generally, they access your details and look for information about you to glean. The idea is to get all they can to defraud you or your loved ones. Also, your account becomes an avenue to carry out other criminal activities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_do_I_protect_my_hashed_passwords\"><\/span>How do I protect my hashed passwords?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Use complex words that you can remember (here is a <a href=\"https:\/\/webinpact.com\/password-generator\/\" target=\"_blank\" rel=\"noreferrer noopener\">strong password generator<\/a> I like for this). Try as much as possible to avoid using special dates, pet names, or the names of loved ones. <\/p>\n\n\n\n<p>A password comprising of words, numbers, and special character becomes the idea. Finally, never reveal your password or write it somewhere. Memorize it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is a common thing to hear people complain of fraudsters hacking their accounts. One wonders how possible this is, since most people never reveal their passwords. For many, such acts lead to losing their funds, while others get locked out from their social media handles. But how do passwords get hacked in the first&#8230;<\/p>\n","protected":false},"author":1,"featured_media":493,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[15],"tags":[],"taxonomy_info":{"category":[{"value":15,"label":"Hacking"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/10\/hackers-get-hashed-passwords-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":3,"category_info":[{"term_id":15,"name":"Hacking","slug":"hacking","term_group":0,"term_taxonomy_id":15,"taxonomy":"category","description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","parent":0,"count":15,"filter":"raw","cat_ID":15,"category_count":15,"category_description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","cat_name":"Hacking","category_nicename":"hacking","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/486"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=486"}],"version-history":[{"count":5,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/486\/revisions"}],"predecessor-version":[{"id":492,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/486\/revisions\/492"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/493"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}