According to a website I use: "XXX uses hi-tech software to prevent
password crackers from operating, but most web-email providers, such as
Hotmail, do not. Because anyone who has access to your email account can
request your XXX password, revealing your email address means that
anyone capable of hacking your email account can request your XXX
password. This happens around 300 times a day and in these instances,
there is nothing we can do to help you."

I do not understand this.  When I access my webmail, I type in the
username/password and the page loads.  If the combination is incorrect I
am rejected.

1.   Are there crackers that work on web based e-mail?  I thought you
had to download the password file and crack it locally.

2.   How do they work?

3.   Wouldn't the cracker be locked out after a few incorrect entries?


Re: Password cracking and webmail.

Many places will send you your password if you lose it. They send it to
your email account on file. Thus if someone can get at your email account
they can request that the password be sent to you and then read what the
password is from your email.

Re: Password cracking and webmail.

Unruh wrote:

Yes, I understand that. What the website seemed to be saying was that
it is possible to crack Hotmail, Yahoo, etc., through password crackers,
and that is what the questions above related to.

Re: Password cracking and webmail.

Although most things are possible, if it were trivial to acquire
passwords for those services they would not be viable.

Providing you do not use obvious, guessable passwords you have
nothing to worry about.

Re: Password cracking and webmail.

Jim Watt wrote:

Ah, Jim, I believe he asked for an explanation. So, do some googling and
describe to the OP the basics of password cracking. Try not to sound like
too much of a moron, OK?

Re: Password cracking and webmail.

Imhotep wrote:

According to a different newsgroup there are crackers that work on
webmail, but I don't know what they are or how they would work in practice.


Re: Password cracking and webmail.

osfwofujro wrote:

Well, since Jim Watt has bailed on any sort of technical description (it is
beyond his abilities), I will give it a shot.

Most webmail apps are written with PHP or ASP. Now, I write web apps in PHP
and I do not know or use ASP. Older PHP versions defaulted to using global
variables. This is not a good thing to do as I can inject values for
variables... Take a peek at this web site as it goes into greater detail.

The other way to crack web mail sites is to use some sort of password
guessing. It can be quite useful if users are not restricted on the
passwords that they construct (i.e. enforce alphanumeric passwords which are
not based on dictionary words). It generally works as follows:

A password generator (usually based on some sort of dictionary engine) is
used to construct passwords and guess bad passwords. Password cracking this
way has the following problems:

1) Can generate a lot of log messages (again if the app was written
correctly and has logging enabled)

2) Is very slow

3) Good web mail apps will lock out an account or an IP address if too many
password failures happen. Again, if the app was written correctly.

The best way to password crack is to get hold of the password file/DB
dump/etc and upload it locally. This allows you to brute force/dictionary
crack very, very quickly. Etc, etc, etc...

Anyway, that is the very, very basics of it...

Have fun,
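The lockout and logging behaviour Imhotep lists as problems 1) and 3) for online guessing, worked through as an added example (my code, not anything from the thread or from any webmail product): a small login guard that keeps sliding-window failure counters per account and per source address, writes one log line per attempt, and a detector that reads those log lines back to flag a dictionary run against one account or a spray across several. All user names, passwords, addresses, limits and log lines are constructed for the demo; the guard also shows the side effect Unruh mentions later, a locked account refusing its real owner until the window passes.

```python
# Added example, not code from the thread. A login guard with per-account and
# per-IP lockout, plus a detector over its log lines. Every name, limit and
# sample value below is constructed for illustration.
import hmac
import re
from collections import defaultdict, deque

MAX_FAILS_PER_ACCOUNT = 5   # constructed: lock an account after 5 failures
MAX_FAILS_PER_IP = 10       # constructed: lock a source after 10 failures
WINDOW_SECONDS = 600        # failures older than this stop counting

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>OK|FAIL|LOCKED) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


class LoginGuard:
    """Checks a password and keeps sliding-window failure counters."""

    def __init__(self, credentials):
        self.credentials = credentials         # constructed {user: password}
        self.user_fails = defaultdict(deque)   # user -> failure timestamps
        self.ip_fails = defaultdict(deque)     # ip   -> failure timestamps
        self.log = []                          # one text line per attempt

    @staticmethod
    def _prune(window, now):
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def attempt(self, user, password, ip, now):
        """Returns 'ok', 'fail' or 'locked' and appends a log line."""
        self._prune(self.user_fails[user], now)
        self._prune(self.ip_fails[ip], now)
        if (len(self.user_fails[user]) >= MAX_FAILS_PER_ACCOUNT
                or len(self.ip_fails[ip]) >= MAX_FAILS_PER_IP):
            result = "locked"      # refused before the password is even checked
        else:
            # An unknown user gets the same comparison and the same answer as a
            # wrong password, so the form does not confirm which names exist.
            expected = self.credentials.get(user, "")
            same = hmac.compare_digest(expected.encode(), password.encode())
            result = "ok" if same and user in self.credentials else "fail"
            if result == "fail":
                self.user_fails[user].append(now)
                self.ip_fails[ip].append(now)
        self.log.append(f"{now} {result.upper()} user={user} ip={ip}")
        return result


def flag_guessing(log_lines, window=WINDOW_SECONDS, max_fails=5, max_users=3):
    """Returns {ip: reason} for sources whose FAIL/LOCKED lines look like a
    dictionary run (many failures) or a spray (many distinct accounts)."""
    events_by_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("result") in ("FAIL", "LOCKED"):
            events_by_ip[m.group("ip")].append((int(m.group("ts")), m.group("user")))
    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over timestamps
            while events[end][0] - events[start][0] >= window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= max_fails:
                flagged[ip] = f"{len(span)} failures within {window}s"
                break
            if len(users) >= max_users:
                flagged[ip] = f"{len(users)} accounts tried within {window}s"
                break
    return flagged


def demo():
    """Constructed scenario: one dictionary run, one spray, one real user."""
    guard = LoginGuard({"alice": "Tulip-Harbour-41", "bob": "9x!Quiet.Moss"})
    wordlist = ["password", "letmein", "alice", "qwerty", "123456",
                "summer05", "hotmail", "fluffy"]            # constructed guesses
    attacker = [guard.attempt("alice", w, "203.0.113.7", 1000 + 5 * i)
                for i, w in enumerate(wordlist)]
    while_locked = guard.attempt("alice", "Tulip-Harbour-41", "192.0.2.10", 1100)
    after_window = guard.attempt("alice", "Tulip-Harbour-41", "192.0.2.10", 1700)
    for i, u in enumerate(["carol", "dave", "erin"]):       # one guess, many names
        guard.attempt(u, "password", "198.51.100.9", 2000 + i)
    return {"attacker": attacker, "while_locked": while_locked,
            "after_window": after_window, "flagged": flag_guessing(guard.log)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The detector deliberately uses a lower threshold than the lockout (five failures rather than ten per source), since the point of reading the logs is to notice a guessing run before it succeeds or trips the lock; the per-account lock is what stops the attacker, and it also turns the real owner away at 1100 until the window has expired at 1700.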

Re: Password cracking and webmail.

from someone with a very basic idea about computers
and none of that applies to Hotmail, Yahoo and the other
large webmail services

Re: Password cracking and webmail.

Jim Watt wrote:

Try reading the part where I say "...that is the very, very basics of it".
Notice how I do not talk about any one specific web mail application.

I am still waiting for your description of webmail password hacking... we are
all still waiting... Oh, but that is right, you are all about talking out
your ass and always falling short on actually delivering something.

It seems the best technical description you can give is "don't worry about
it"...hummm seems a little lacking. Seems yet again you have been exposed
for the hypocrite fraud you are....

As for your lame but predictable attempt to insult me, the comment about
"...basic idea...": I would destroy you in a face-to-face competition
illustrating computer science knowledge and you know it.

Good luck on your anger management classes...


Re: Password cracking and webmail.

Unruh wrote:
Many users use the same password everywhere. Users use names, pets,
street addresses etc. on multiple sites. Very few users use complex and
sufficiently long passwords.

Some sites have their password files exposed so that they can be accessed
using, for example, a telnet session embedded in an HTML Java page from
their free website host; the file may be hidden from the Internet but
accessible directly through their user web server site (there are other
methods, this is just an example). This allows password files to be cracked
at leisure, without the provider even seeing traffic, though this would
imply someone was watching.

Many of the free web mail hosts do not set a max tries setting...causes
too many user support issues.

The most common "cracker" I have seen used on Yahoo are simple name
dictionary crackers.  It is remarkable how successful even this simple
method appears to be.

Another method commonly used with Yahoo would be simply to place a
trojan on the machine you wanted using one of several buffer overflow
methods in their older Yahoo versions.  Some of the exploits were
related to JAVA and others with the YAHOO tool itself.  I am not aware
of any exploits in their current 6.0 version of IM, however there are
several methods to obtain the victim's IP and attack the remote user host
directly with other exploits.

Another method commonly used is posting links in rooms (probably some
sexy sounding girl with pics posted) where an exploit awaited users who
clicked links.  Some of the profile pages had exploits embedded (varied
methods).  Once trojaned getting passwords is easy.

For a while I found IM exploits in Yahoo an interesting study in methods;
they ran the gamut. Yahoo's password is good for their IM, mail,
portfolio, and other sensitive areas.

They have a difficult time fixing stupid users or compromised machines
which makes their options complex and difficult to manage, so they don't.

What do you expect for free, security?


Re: Password cracking and webmail.

On Mon, 29 Aug 2005 01:12:57 GMT, in , qewjf

I think that they are using a rather loose definition of "cracker",
but not an unreasonable one. Cracking did mean trying to break the
encryption, but as words change their meanings over time a meaning of
"illegitimately getting your password" is a good meaning as well. My
interest is in the "hi-tech software" claim. Was that their actual
wording? If so, what "hi-tech" solution do they have?

