Here’s how hackers are able to crack your passwords

(Photo by Tomohiro Ohsumi/Getty Images)

Q: How can hackers try millions of passwords at a time when I will get locked out after 3 failed attempts?

A: Passwords continue to be the primary target of cybercriminals because they represent the “keys to your kingdom,” especially when it comes to your email account.

Online security tools such as Gibson Research’s Haystack tool show you just how quickly any short password can be cracked, but it’s based on billions and trillions of guesses per second.

Tools like this are showing how fast a ‘brute force’ attack can break shorter passwords, which typically will occur offline.

Offline Password Cracking

Your question is a common one because most people assume that password hacking is done through the same interface as we all use to log into our accounts, but that’s not the typical approach.

All of the websites that require you to enter a password store those passwords using some form of what’s known as ‘hashing’. This means that your password is converted into a random string of characters that looks nothing like your actual password before it gets stored on their servers.

As an example, the common password “monkey” in MD5 Hashing will always be stored as “d0763edaa9d9bd2a9516280e9044d885” which is child’s play for a computer to convert back to the original word.

Most offline cracking activity begins after a breach has occurred and the database of ‘hashed’ passwords are stolen and saved elsewhere to be worked on.

Think of it as a bank robber stealing the vault and cracking it somewhere else vs. trying to crack open the vault at the bank itself.

Brute force attacks are essentially a guessing game that pits computing power against the length of your password, which is why creating a longer password is always better.

It’s simple math as every combination of letters, numbers and special characters can be tried in milliseconds if there is…