Hacked - Episode 3: The Problem with Passwords
Episode Date: December 1, 2015
We explore how easy it is to turn a jumble of characters into something useful.
Transcript
A few months ago, a phone rings on the desk of an operator at Verizon.
It's a routine call from one of their technicians in the field.
The tech's tools are down, and he needs to confirm that the customer he's meeting with is who they say they are.
The technician provides his employee ID, and Verizon gives him the customer's info.
It's the basic stuff: the customer's account number, email address, a backup PIN,
and the last four digits on his bank card.
The call ends.
Just a few minutes later, in a different office in a different city,
a tech support employee at AOL's email department gets a call from a guy named John Brennan saying he's been locked out of his email account.
AOL needs to verify who he is, so they ask a few security questions, the kind you've probably been asked in the past.
Things like the name and phone number associated with the account and the last four digits on his bank card.
Everything checks out, and they reset John's password over the phone. Have a nice day.
So if you're paying attention, you might have guessed where this is going.
That Verizon technician didn't actually work for Verizon.
The employee number he provided was fake.
And it was all done in an effort to get Brennan's personal info from Verizon
so they could then turn around and use it to trick AOL into thinking that they're Brennan.
This is called social engineering, and it illustrates one of the many, many problems with passwords.
They're only as secure as the people who house them.
Social engineering is common.
It's crazy common.
So why am I telling you about this one particular instance?
Because John Brennan isn't just anybody.
He's the director of the CIA.
And the people who hacked him, they were high school students.
My name is Jordan Bloemen.
And I'm Scott Winder.
And this is The Problem with Passwords,
in this episode of Hacked.
Okay, so what is a password?
A password is a way of proving that you are who you say you are.
You go to a website and you type in your name.
You say, I'm Jordan.
And the website says, okay, prove it.
Tell me that thing you told me the other day.
Right.
It's a level of authentication.
You're authenticating who you are.
Exactly.
So if I was trying to pretend to be someone else on that website, where would I start?
Well, that's a good question.
So if you're trying to authenticate as a user and you don't have their password,
you have to start looking at how you can get their password, or make up their password.
So, you know, one of the oldest forms of attack was something called brute forcing,
which was repeated attempts at logging in as somebody using a different password every time.
You're talking about guessing.
Yeah, essentially, mass guessing.
But the real problem with that is that it's just such a big space.
So, like, if you consider an eight-character password and say there's 60 possible characters,
so, you know, you've got uppercase, lowercase, and numbers,
that's about 2.6 billion guesses you have to make to cover the full state space of how many passwords you could have.
Isn't that the kind of problem you could just point a computer at, though?
You can say guess, guess over and over again as fast as you possibly can, powerful little computer.
Yeah, yeah, and that's kind of how it was done.
But like if you think about something like your iPhone or your phone, when you mess up so many login attempts now, they freeze you out.
And this is a kind of a protection that's been put in place to stop people from guessing.
Right. That's kind of where the CAPTCHA came from, probably.
Yeah, CAPTCHA, robots, you know, max number of attempts before they put a time delay in it, things like that.
You know, people are very aware of that. That's a very old style of attack.
And there's a lot of protection against it now. And it's easy to protect against.
So if guessing doesn't work anymore, where would a person start?
Well, people still guess. They just guess differently now.
Like your biggest vulnerability now isn't with somebody randomly guessing your password.
You know, that very infrequently happens.
Something that would be much more common is that they get a hold of your password, in quotes,
in the encrypted form after a breach of data from some website or some service that you use.
So if they get a hold of my password but it's encrypted, isn't it safe?
Yes and no.
It's safe in the sense that it's been encrypted, or it's been hashed.
So what that means, you know, is a bunch of brilliant cryptologists came up with essentially
a one-directional encryption.
So something that modern computing power can't actually decrypt in any kind of reasonable
amount of time.
So what they do is they literally take your password or your token of authentication and then
hash it.
So they run it through this one-directional thing, which turns, you know, your little password
of six to eight characters typically into, you know,
32 or 64 characters that nobody can really decrypt.
So going back to your question about guessing, now what people do is they guess what your password is,
encrypt it, and then compare the encrypted version of their guess with the encrypted version of your
password to see if they match.
But wouldn't that still require billions and billions of guesses?
Yes and no.
We go back to your password.
We go back to how passwords have evolved.
You know, 20 years ago, your password could have been the word password,
and 99% of websites and services would have taken it.
If you tried to use that as a password today, the site won't take it.
They'll tell you that it's too weak.
It's not long enough.
It's not this.
Everybody's seen these annoying pestering messages when they try to create a password
because the system is actively trying to prevent you from having a bad one.
But there's an issue, because all of these passwords kind of enforce these new rules. You know, there must be an uppercase character, there must be a number, there must be one non-alphanumeric character, which means like a quote, space, underscore.
But the issue has become that people have started statistically doing the exact same thing, so there's patterns emerging.
So when you're told to put in an uppercase character, you put it in as the first character.
When you're told to add a number, you add it at the very end.
So at the end of the day, your password is very similar to what it was.
It's just that you followed this pattern of changing it, that almost everybody does
the exact same thing.
And the problem with that is that it makes the guessing less difficult.
All the things that you do that you think are clever, the hacker at the same time knows
that you're doing. So when they look at what your potential password, you know, state space could be,
how many potential, the 2.6 billion guesses, they can pretty much isolate it down and be pretty
confident in their guessing by taking, you know, every word in the dictionary and applying a set
of rules to it, such as capitalizing the first one, adding numbers to the end, or doing something
like leetspeak conversion, which is another thing that people commonly do, which is replacing
O's with zeros, E's with threes, A's with ats, S's with dollar signs.
You know, these are common rules that I don't want to say hackers pretty much invented,
but they kind of did.
So you narrow it down for them by following the same trends in making a password that everybody else follows.
Right.
So I can take a basic word list, you know, let's call it 400,000 words,
run that through a processing algorithm that's capitalizing, adding digits, adding alphanumerics
where people would expect, doing leetspeak conversions at different levels, so just replacing the O's,
just replacing the E's, replacing both the O's and the E's.
And I'm generating word lists, you know, in the millions-of-passwords range.
Let's say I generate 10 million passwords.
Those 10 million passwords will be great at guessing people's passwords.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions
and keep everything trustworthy,
and all of this is running on their secure operations graph,
a constantly updating intelligence engine fueled by more than 9 trillion telemetry events
every week and over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training data.
And the result is the new Aurora agent SOC. It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every
AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
So let's walk through like a hypothetical instance of this.
One of these big websites like a Sony or an Ashley Madison or something has a massive leak.
All of their passwords leak out, but they're encrypted. So this giant table of all these
encrypted passwords comes out. Where would you start? Where do you find that word list? What does that look like?
What does that process play out as? Well, it really comes down to what algorithm they hash them in.
So, you know, was it MD5? Was it SHA-1, or Shaw-1? You know, there's a bunch of different
hashing and encryption algorithms. And that's kind of the first place you start. But the beautiful thing is,
is that most of these algorithms are identifiable.
Like when you see an MD5 hash, you'll know it's an MD5 hash.
It has an exact output set, and you'll know it when you see it, if you know what it is.
So that's kind of the first thing that you identify is what is encrypting these things.
The next question then becomes, is it salted?
Okay, so what is salting, you're probably asking?
So as we said earlier, when you type in your password into a site,
what they do is they take that password and they hash it.
They run it through a one-way-only encryption.
And the only thing that they keep on file is this jumbled-up encrypted version of the password.
So the next time you go to log into that same site and you type in your password,
what they do is they just hash whatever you've typed in,
and they compare that against the hash version they have on file.
So what salting is, is it's adding another step.
With salting, when you make up your password, before the site encrypts it, they add a bunch of stuff to it. It's stuff that only they know. Say hypothetically,
they would glue to the end of it 64 random characters that, again, only they know. They've
salted it. So why would a website do this? So if it's an unsalted password or unsalted hash,
I can take any word list, run it against the hashing algorithm and get the exact same output as
your password would be stored in.
But if it's been salted,
I have to go another step.
I have to encrypt my word list with the salt.
Does that make sense?
I think so.
So far we've got: company has a leak.
All of the users' passwords, hashed and maybe salted, have been leaked out into the world.
The hacker who's trying to unencrypt them has figured out how they were hashed. Then what?
Just add to the salted thing briefly,
and then I'll get to your question.
Something like the Ashley Madison leak,
the hackers that released that data clearly had, you know, expansive access.
They had email accounts.
They had server access.
They probably had source code access, which would have showed them the salt.
So there's ways to get the salt.
The salt isn't guaranteed to be protected, but it is a great level of security.
And it applies to something else that I'll talk about in a bit called Rainbow Tables.
So you've now got this massive database export of the user table.
You know, it's got your name and your username and your password and your email.
But the password is encrypted.
But the password has been hashed.
What you can do is literally take that password list and brute force it.
Run it against word lists.
If you've got a dictionary file that you've built or used or made, especially if you know the website's rules for password generation.
So when you go to create an account, if it won't let you have a password of less than six characters,
you know you don't have to test it against passwords less than six characters.
I have seen websites that have maximum lengths,
which just comes down to laziness in your database configuration often
and probably an indicator that they actually save the text version of your password.
But you take this massive data list of usernames and passwords,
and then you can just essentially barrage it with data.
Data from this giant word list.
Yeah.
So where does one get a giant word list?
Is it just a dictionary, or do those words have to be catered to the way people make passwords?
Yeah, there's tons of them, and they're publicly available.
But then there's, you know, as I previously mentioned, rainbow tables, which are essentially massive hash-specific, or password-specific, or salt-specific, because they actually make tables that are specific to certain salts that are commonly used by things like Wi-Fi access points.
Anyway, these massive tables called Rainbow Tables, which are pre-computed hash tables.
So instead of it just being a word list and then your brute force attack has to like grab a
word, hash it, and then compare that hash to the password list, these are already hashed.
So there's no time needed to hash it, no algorithmic thing.
It's literally just doing string-to-string comparison.
They're actually optimized.
They use a bunch of algorithms to actually not use as much space and optimize lookup inside of them.
So you can test millions and millions and millions of passwords a second.
If it's testing millions a second,
how big a list of potential passwords are we talking about here?
Like terabytes.
Of just text?
Of binary optimized pre-hashed tables, yeah.
That's a lot.
Yeah.
But when we're talking terabytes, we're talking every key on your keyboard that could be used in a password to, you know, from password lengths of one to password lengths of like nine.
But literally how many passwords in the world does that cover?
Right.
Almost all of them.
Like, think about all your passwords.
Do you have any that are longer than nine characters?
Probably not.
So then you're vulnerable to that one rainbow table that's ultra-high speed, ultra-optimized to crack your hashed password.
If you were in the Ashley Madison database and they were unsalted passwords, comparing that against, you know, one of those massive tables would probably generate, I don't even know, I'm going to ballpark 75 plus percent of the passwords.
Which if it's, you know, I'm just making up numbers here, but if that original list was like 10 million people, who cares if you didn't get the other 25%.
Yeah, precisely.
Okay, so this person's sitting there,
they've pointed this crazy rainbow table
at these hashed passwords,
and they get 75% or 60% or 50% back.
Got this giant list of emails and passwords.
Those are emails and passwords for a site
that they know has been hacked.
Are they of any real use to them?
Absolutely.
If you've got somebody's email address and their password.
So let's say Jordan at hackedpodcast.com
was in the Ashley Madison hack.
You say that email so much,
some terrible, terrible noise is going to happen to it.
And let's assume that we've cracked your password.
What do you think the probability is
that that password is the same one you use on your email?
Probably pretty high.
A lot of people only use one password, or two passwords maybe,
and that makes them incredibly vulnerable.
Just writing some scripts,
I could take the output of the Ashley Madison brute force
or like my password cracking on their database
and literally trial log in to all of their mail
and see which ones I got into.
I could automate that if I wanted to.
And once you have access to email, it's a whole other world.
Right, because, as we heard in episode one of Hacked Podcast, once you have access to someone's email, you can kind of just pretend to be them.
Your email inbox has taken on a weird form in the internet today.
It's become your keychain.
You know, you carry this thing around in your pocket, and it's got your house key, your car key, your bike lock key.
Your email is now that. Every time you create an account with any service on the internet, really,
the first thing they ask for is an email address.
And the primary function of that is password reset.
So if I ever get access to anyone's email,
especially if it's something that has full text search,
in 20 seconds of searching,
I know what accounts are associated with that email address
and I can reset their passwords.
So once you get access to someone's email,
you've got access to all of their accounts
that are associated with that email address,
which makes email incredibly powerful.
So the lesson is you should probably have a different password
for your email than everything else.
Absolutely.
The way I do it is I have tiers of passwords
and I protect my email at the top of that list.
My email passwords are my primaries.
They're my most complicated.
They're very difficult, and I don't use them anywhere else.
Because there's no way I want somebody to have my keychain and know my house address.
And that's literally what it is when somebody gets access to your email.
So I protect those above and beyond anything.
And then I typically have a tier two for social media and other front-facing things.
You know, any kind of public presence that might be a little bit more popular, you know,
people might see and want access to it.
Like I know a bunch of Twitter accounts
over the years have come into
massive hacking engagements like at Matt
and there's a bunch of other examples.
So yeah, so the social media ones I typically
like keep as a tier two password
and then I have tiers three and four
for things like Reddit
and weird esoteric web forums
for things that I like and hobbies that I have.
So yeah, so I keep layers of passwords
so that if any one site gets compromised
or any one thing, I reset
the passwords in that layer.
Because expecting somebody to have
100 passwords is, I think,
unreasonable.
Ever feel like cyber threats are evolving
faster than anyone can keep up?
Last year, 2025, was nothing
short of a record-breaking year for major breaches,
from sophisticated ransomware
operators to AI-enabled attacks
that turn defenses on their head.
Organizations around the world saw headlines
they never expected and cybersecurity teams
were tested like never before.
But here's the thing.
These incidents
aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded,
and most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fear-mongering.
It's practical, actionable intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
So where do things like, say, 1Password services
that encrypt and make up a unique password
for every site you go on,
where do those fit into this whole thing?
Yeah, I think the concept behind those is great.
But as what was recently shown, you know,
actually recently, like very recently,
somebody hacked LastPass.
They found exploitations in it.
They found holes in it.
They found ways that it was vulnerable.
And the problem with that is that that is actually your keychain.
And it's still vulnerable like your email.
Because a lot of those systems, because they are commercial consumer systems,
you know, they're not like key encryption.
Like if you forget your password for your key,
your private key in encryption, it's gone.
You're not decrypting anything.
But things like LastPass and 1Password,
these services still require, if they get a phone call from my mother at 11:30 at night saying,
I can't log in.
They still require the ability to go, it's okay, and help that person out.
So they're kind of not as tight and secure as other things.
So there's still issues with them, but they are kind of a novel concept.
I don't use them, but they are a novel concept.
Would you recommend them?
No comment.
Okay, so tiers of passwords.
Those are good for, you know, saving yourself in the event of, you know,
somewhere, some site that you've logged into has a massive leak.
But the story at the top of the show, that was social engineering.
Someone like John Brennan, that wasn't a guy whose password leaked out somewhere.
That was someone who went after him.
They went after the holes in the security that you just described,
the website that gets the call at 11 p.m. from your mom.
How do you protect yourself against those holes in security?
I don't want to end this show like we ended the last one and frighten everybody.
Scott, do it.
So I will say it's really tough, because there's a lot of really high-profile hacks that have happened in the last, you know, five, ten years.
They had nothing to do with decrypting people's passwords.
They had nothing to do with, you know, kind of spoofing somebody's email and taking over control of their online life.
They had nothing to do with those things.
They just have to do with human error somewhere that you've trusted, and that's almost impossible to get away from.
And social engineering will certainly be a topic of a future episode
because there's some amazing things that can be done
and have been done with social engineering.
And when I say amazing, I mean amazingly illegal.
But there's really no way to protect against human error
from people in the chain.
Like we have such basic identity verification systems now.
Like, I'm pretty sure that I could figure out your mother's maiden name
in less than five minutes.
You can figure out mine in probably less than one minute.
And that's a common thing.
Like, how is that how I'd verify who you are?
The fact that you know your mother's maiden name.
And as long as we keep such low bars to jump over, people will jump over them.
Do you think that more of these giant really well-publicized hacks
are going to be the thing that forces the people who keep us safe online
to raise that bar a little bit?
Yeah, I think, you know, there's a ton of research going into this, into figuring out ways to create a real password, like a better alternative to the
password, and a better alternative to verification of identity, you know. And that's a big problem.
You know, things like Google and a lot of other major systems now offer something called, like, a
two-stage authentication. Even Steam, I think, does it, like the video game provider, where you log in with
your password and they'll send you a text message, and
then you have to verify from your phone that it's actually you.
Or Steam has an app that will pop up a notification saying somebody's attempting to log in from this computer, this IP address, is this you?
And if you say yes, it'll log them in.
Systems like this have become kind of the holy grail solution to adding at least one more bar to jump over.
They're not 100% secure, but they're definitely far more secure.
How long until Facebook takes a blood sample?
Good question.
Good question.
So we just want to apologize for the giant delay between episodes two and three.
I was on vacation and then Scott was on vacation and then I was sick and then Scott was sick.
And now we're both kind of healthy-ish.
Kind of sick-ish, as you can tell by the deep rasp in my voice.
You sound really sultry.
Thank you.
Cool.
So we just want to thank everyone who's still tuning in for being patient with us.
We hope to have episode four coming at you guys pretty quick.
Yeah, we're going to try and get episode four back to back, so next week hopefully.
Episode 4's topic is very interesting.
I highly recommend you wait and see.
Don't forget you can write us at get at hackedpodcast.com or follow Hacked Podcast on the standard social media.
Shout out to anyone who wrote us an email. We always really, really appreciate that, and don't forget to subscribe.
Otherwise, thank you for listening to another installment of Hacked Podcast.
