

If my password is great can someone enter my computer and steal it?
August 6, 2014 8:21 PM

OK. I know little about password security. But I have a password that I believe would be extremely difficult to hack. It is in excess of 30 semi random characters yet very easy for me to remember. To the meat of my question. If someone were to gain access to my pc would they be able to decode the *****​*****​*****​*****​*****​*****​*****​**** even though the password is not 'undecoded' on my pc? Hope this is clear.
posted by notreally to Computers & Internet (20 answers total)
 
It used to be possible to get the plaintext windows password with physical access to the machine, by booting from a live cd running a password cracker. This might not be true in recent versions - the term to google for is password recovery.

As an aside, why are you asking this? If you think this is a good password, and want to use it for other stuff as well, this is a bad to horrible idea.
posted by Dr Dracator at 8:30 PM on August 6 [1 favorite]


Not generally, in the terms you put it. Modern password storage systems in widespread use should use the proper security practices. If you input that password into a poorly coded (or malicious) app, it could store the password in a file unhashed, or poorly encrypted, and could then be retrieved by someone with access to your computer. It's a similar risk to use the same password online, where an insecure site could store it in plaintext and later be hacked.

Another risk is that someone with access to your computer could install or connect a keylogger and just intercept your password as you type it.
posted by WasabiFlux at 8:33 PM on August 6


If someone has access to your system, they may be able to install a keylogger which will record everything you type. These can be software-based or hardware-based; the hardware ones I've seen have been little devices that get plugged in between your keyboard and your desktop.

Additionally, the ******** you see on screen is usually just a courtesy to prevent people from looking over your shoulder. If you were to copy the string of ******s and paste it into a text file, you would see your actual password. Don't wander away from your computer with *******s still on the screen.
posted by dorque at 8:34 PM on August 6 [3 favorites]


Yeah, I think they can do it with a key logger. Also, if you use the password for websites, and those sites get hacked, the hackers can get your password. At this point passwords are becoming inherently insecure.
posted by J. Wilson at 8:56 PM on August 6


I'm assuming that you're talking about someone stealing your computer and trying to decode your password on their own. Some of the commenters mention using a keylogger, which would work if someone briefly accessed your machine, installed such a tool, and then gave it back to you and waited for you to type in your password again.

The ability to steal your password will depend entirely on where (as in what application or system) the password is actually stored. The least secure applications may show the asterisks but actually have a plain version of your password in an easily-accessible place. More secure applications will encrypt the password before saving it, but how much that helps depends on whether anyone has cracked the particular encryption mechanism and shared that knowledge with others.

Short answer: Someone could probably get your password. But the system/application where you're using that password will affect how easily it can be gotten. Although your use of random characters will make it more difficult than it would be if you were using normal words from the dictionary.
posted by FreelanceBureaucrat at 9:17 PM on August 6 [1 favorite]


If someone has remote access to your PC they can get the password from a keylogger, no matter the security of the app or website. Always. Even if it's fancy two-factor authentication. Sorry.
posted by wnissen at 9:20 PM on August 6


If you've ever set up any sites to remember your password, and it's prefilled in the password field with ******, you can use the IE F12 developer tools (or Firebug in Firefox) to change the CSS from "password" to "text", and the ***** gets converted to "hunter2" or whatever your password actually is.
posted by alchemist at 11:24 PM on August 6 [1 favorite]


Even without a key logger, someone with a few minutes in front of your computer can grab the file with your hashed password and run an offline Rainbow table cracker. That's still a brute force attack that won't be able to crack truly random passwords of sufficient entropy, but they are very sophisticated and very fast. "Semi random" may not be good enough.
posted by qxntpqbbbqxl at 11:41 PM on August 6
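
The post above contrasts an offline table attack on a stolen hash file with a password of sufficient entropy. The following Python block is an added illustration, not code from this thread or from any of the posters, of the two storage-side defences that make such a table attack fail: a per-user random salt (so no precomputed table matches) and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here, with an iteration count that is my assumption). The wordlist and the "password123" sample are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist standing in for a cracker's dictionary.
SAMPLE_WORDLIST = ["password", "password123", "letmein", "qwerty", "hunter2"]

# Assumed iteration count; pick it so one derivation costs a noticeable
# fraction of a second on the server hardware you actually run.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: the kind of storage a precomputed table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext for a wordlist.

    A toy stand-in for a rainbow table: every unsalted SHA-256 of a listed
    word can now be reversed by a dictionary lookup instead of hashing.
    """
    return {unsalted_sha256(w): w for w in words}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """Return the plaintext for a digest if the table contains it."""
    return table.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow, salted digest; returns (salt, digest).

    A fresh 16-byte random salt is drawn when none is supplied, so two users
    with the same password get unrelated digests and a table built for one
    salt says nothing about any other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_WORDLIST)
    # Unsalted fast hash: recovered instantly from the table.
    print("unsalted lookup:", lookup(table, unsalted_sha256("password123")))
    # Salted slow hash: nothing to look up, and each guess costs a full PBKDF2 run.
    salt, digest = hash_password("password123")
    print("salted lookup:", lookup(table, digest.hex()))
    print("verify correct:", verify_password("password123", salt, digest))
```

The table lookup succeeds only against the unsalted digest; against the salted digest an attacker is back to guessing one candidate at a time, each guess paying the full iteration cost, which is exactly where the entropy of the password decides the outcome.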


Depending on where the ************ you are thinking of are, the password IS in fact undecoded on your PC. It's just not visible on the screen, specifically.

For example, if it's filled into a password box on the screen, you can change the CSS displayed to force the password to display. If it's in the saved passwords feature of any major browser, you can make the browser show your password in plaintext. Similarly, if it's another application, it may save your password in plaintext - and anyone with physical access to your computer can easily install a keylogger to record it the next time you type it in.

If you think none of these scenarios are what you're thinking of, more details please :)
posted by Ashlyth at 12:35 AM on August 7 [1 favorite]


I know little about password security. But I have a password that I believe would be extremely difficult to hack. It is in excess of 30 semi random characters yet very easy for me to remember.

Sounds ideal for use as a KeePass master password. If that's all you use it for then keystroke loggers, shoulder surfing or asking you are indeed the only ways anybody will ever find out what it is.

Before you get too excited about how fantastic it is, run it past zxcvbn (note: the tool on the linked page runs completely inside your browser - it specifically does not transmit your password over the network).

A 30 character password with a zxcvbn entropy estimate under 60 bits is probably more typing effort than it's worth, because you can get more crack resistance than that from a length-10 randomly generated mix of lowercase letters and digits.

Also note that all password strength estimators are in fact attempting to do the theoretically impossible, so you should always take their results with a grain of salt. If an estimator says that an apparently strong password is actually weak, you should believe it; if it says that an apparently weak password is actually strong, you should not.
posted by flabdablet at 1:34 AM on August 7 [4 favorites]
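
The comparison above is made in bits of entropy, and the arithmetic behind it is worth seeing once: a password drawn uniformly at random from an alphabet of N symbols carries log2(N) bits per character, so a 36-symbol alphabet (lowercase plus digits) gives about 5.17 bits per character. The Python block below is an added example, not from flabdablet or from zxcvbn, that computes those figures, finds the length needed to reach a target bit count, generates a password of that shape with the `secrets` module, and converts bits to an expected offline guessing time at an assumed guess rate. It generalizes to any alphabet and length, not only the two cases mentioned in the post.

```python
import math
import secrets
import string

# Candidate alphabets; sizes are what the entropy figures depend on.
LOWER_DIGITS = string.ascii_lowercase + string.digits            # 36 symbols
ALNUM = string.ascii_letters + string.digits                      # 62 symbols
ALNUM_PUNCT = ALNUM + string.punctuation                          # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(N).

    This only holds for random generation; a human-chosen "semi random"
    string has less entropy than its length suggests, which is what
    estimators like zxcvbn try to account for.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = LOWER_DIGITS) -> str:
    """Generate a password with the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password by exhaustive guessing.

    On average half the keyspace is searched before the right guess.
    The guess rate is an assumption the caller supplies; it depends on
    the hash algorithm and the attacker's hardware.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Assumed offline rate for a fast unsalted hash on a GPU rig; constructed figure.
    assumed_rate = 1e10
    for name, alpha in (("lower+digits", LOWER_DIGITS), ("alnum", ALNUM), ("alnum+punct", ALNUM_PUNCT)):
        for length in (10, 12, 16, 30):
            bits = entropy_bits(length, len(alpha))
            years = expected_crack_seconds(bits, assumed_rate) / (365 * 24 * 3600)
            print(f"{name:12s} len={length:2d} bits={bits:6.1f} expected years={years:.3g}")
    print("length for 60 bits from lower+digits:", length_for_bits(60, len(LOWER_DIGITS)))
    print("sample:", generate_password(length_for_bits(60, len(LOWER_DIGITS))))
```

The guess rate in the demo is a constructed figure; substitute whatever rate applies to the hash in question, and note that the same password is worth far more bits of crack resistance against a slow salted hash than against a fast unsalted one, even though its entropy does not change.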


Not enough information here to answer the question. As others have raised, is this a Windows password? An OS X password? An application password? Is the system joined to a domain?

If you're using Windows, and if the attacker can get access to your machine in an unlocked state, the answer is yes. The password is stored in cleartext in memory to support legacy remote desktop functionality and can be dumped with a tool called mimikatz.
posted by bfranklin at 4:48 AM on August 7


Generally speaking, if the bad guys gain physical access to your computer no password is going to save you.

If you are concerned about such a thing (your computer being stolen), you should consider investing in software that will encrypt the entire contents of your hard drive.
posted by DWRoelands at 5:58 AM on August 7 [2 favorites]


excess of 30 semi random characters

More than enough now and for the next year. But basically useless if your hard drive is not encrypted.
If your hard drive is encrypted with a sound encryption system (no backdoor, sound mathematics etc.) then you are safe.

A professional may still get access to your computer if the computer is not shut down (e.g. running and encrypted partitions are still mounted). For example he could attack via Ethernet and known weaknesses in apps.

Or this:
http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation (can be disabled in Linux)

Or this:

https://en.wikipedia.org/wiki/Cold_boot_attack (can be prevented by the paranoid with this fix).

But again, with a secure password, sound encryption system and a shut down computer you should be safe.
posted by yoyo_nyc at 6:27 AM on August 7


Thanks a lot everyone. I am going to go with,

"But again, with a secure password, sound encryption system and a shut down computer you should be safe."

But the overall picture I am seeing is not one to make a person feel very comfortable with this password/security thing.

Fortunately my only high security needs are with some Scottrade accounts and my 'super password' is easy to massage and still keep track of.
posted by notreally at 10:02 AM on August 7


Massaging a high-entropy password for re-use is still very much Doing It Wrong.

Use KeePass instead, have it generate and store a genuinely unique high-entropy password for use with each account, turn off browser password storage and sleep soundly.
posted by flabdablet at 10:39 AM on August 7 [1 favorite]


When the military is designing security for systems that they expect might fall into enemy hands, they set up systems intended to destroy the system (from small scale erasing, to electrically shorting and burning out, to small explosions). They do this because you can't rely on any security system forever when it is directly in the hands of someone interested in hacking your secrets. So if someone has access to your machine, they can probably get your password. If they have access, and then you type your password into the machine afterwards, they can definitely get your password.

In World War 2, the Germans' Enigma machines were excellent encryption for the time. However, the procedures they used to actually operate these machines (with a repeated message key) allowed the breakthroughs necessary to decipher the code. So similarly, if you use either the same super password everywhere, or iterations that can be easily derived from it, you are at risk of being hacked again. The most common way your account will be hacked is not someone specifically targeting you. Instead, someone will get a giant password file from a poorly protected and poorly encrypted database, and with the simple assumption that the usernames and passwords there are identical elsewhere can hack many people. Getting access to your super secret password that way, that you iterate across other sites, also makes you more prone to hacking because brute force rules can be set up based on any obvious places for iterations in your password (like a number, or some name of a website).
posted by garlic at 11:54 AM on August 7


About what dorque said above:
Additionally, the ******** you see on screen is usually just a courtesy to prevent people from looking over your shoulder. If you were to copy the string of ******s and paste it into a text file, you would see your actual password. Don't wander away from your computer with *******s still on the screen.

I don't believe this to be true. At least not with Windows logins or password fields on web pages. It would be too obvious a security risk.
posted by contentedweb at 1:37 PM on August 7


I just then logged on to PayPal, and before clicking the Logon button I selected the entire contents of the password box and copied that to the clipboard. Here's what Paste does: ●●●●●●●●●●●●●●●●●●●●

So yes, there are CSS tricks that can make a password input field display its contents instead of hiding them but you do have to work a little harder than a simple copy/paste.
posted by flabdablet at 6:28 PM on August 7


I don't believe this to be true. At least not with Windows logins or password fields on web pages. It would be too obvious a security risk.

I stand corrected. I've just checked this on several browsers and several sites of varying levels of expected security-cleverness, and on my Mac's login screen, and the behavior on my system is that it just ignores my Ctrl-C and doesn't update my clipboard. I would have sworn blind that this used to be a security risk, but either I have been wrong all along, or it's been updated sometime in the last, um, decade or so. Sorry for the misinformation.
posted by dorque at 6:55 PM on August 7


If it's a Windows computer, your access is only as good as the password of someone with admin access. If the Administrator, or user with Admin rights, password is cracked, they can change the password to your account. On versions of Windows at least up to Win 7, there are password cracking tools that will reveal the password, or delete it.

Make sure all accounts have good passwords. Rename the Administrator account. Disable auto-run. Keep the machine in a secure location. As computing power has gotten cheaper, hacking has gotten more efficient, so physical security is pretty important.
posted by theora55 at 5:36 PM on August 8


