By guessing. If you are using real words that are found in a dictionary then you are susceptible to a dictionary attack where a program try’s to log on to your account using words from a dictionary. Another method is brute force where every combination of letters and numbers are used (aaa, aab, aac…). The longer your password the harder it would be to crack.

Often the easiest way to get someone’s password is to phone them up and ask for it. Last year there was a big fuss when anonymous hacked the emails of a computer security company employed by the US government by doing exactly that.

@Lightlyseared is quite correct. They did it by guessing. I’d add a little detail to that description.
The last part of your email address (after @) tells them the host name to go to, and the first part tells them the account name they can try to log in with. The only thing in the way to getting access to your account is the password.

“Social engineering” like @Lightlyseared describes is what allowed Kevin Mitnick to do many of his hacks. He didn’t lack the computer so much as the people running it. I will neither confirm nor deny that I may (or may not) have gained access to systems based on what I knew about the target; things like their son’s name.

When those don’t work, dictionary attacks and brute force are next… but after trying the common passwords first.

I am assuming by handle you mean username and not email address. e.g. the handle “whitecarnations” and not the address “whitecarnations4788@gmail.com” or some other address.

As an example I will use the handle “whitecarnations” for my explanation, and I will explain it as if I am the hacker trying to hack you. The reason for this is I am operating under the assumption that you are not going to try and hack anyone, but rather are worried about being hacked. Also, I am assuming that the would be hypothetical hacker has no contact with you in real life and no access physically to your machine. So this will maybe help you understand the situation a little better.

If all you have is a user name or handle and not an actual address, then here is how you could potentially try to hack that persons email address.

.

Step 1 – Research:

If someone has the handle “whitecarnations” you could go to yahoo, gmail, hotmail and other email providers to see if “whitecarnations@hotmail.com” is taken by someone. If it is taken, then see if “whitecarnations2@hotmail.com” and “whitecarnations3@hotmail.com” and “whitecarnations777@hotmail.com” or “whitecarnations_art@hotmail.com” are taken. If they are not, excellent! I would now have a good guess what your email address is. However, if they are taken, then any of them could be you and that is no help.

If there is more than 1 email with whitecarnations in it, then you are going to have a hard time verifying what email address is your actual email. In this event you will need to go to google and search for “whitecarnations” and cross your fingers that instead of loads of info on flowers you actually find some info on you. Maybe you joined a forum as “whitecarnations” and told people on one thread that you use fluther, thus allowing it to be verified you are the same person, and maybe you told them all by posting in a public place that your email is “whitecarnations99@hotmail.com” or some other address, if you did, I now know your address, but if you have not done that then I still would not know your address and would have to do more work to find out.

At this point, if I still don’t have your address, then my best bet is probably going to be to stalk you online. I know you are a member of Fluther, and I can see what you are more or less interested in from your profile. I could make a fake Fluther account, start asking and answering questions, and in a few weeks, when I look like a genuine user, just happen to decide to press the follow button on your profile and send you a private message intorducing my self. We talk, I get to be your friend slowly, and one day get your email address when you trust me enough to give it to me.

If you still don’t give me your email address, then all I can do is stalk and wait, but for sake of argument, lets assume I manage to get your email address from you.

Setp 2 – Hack:

Now that I know a little about you and have your email address, I can finally try to hack the account. The first thing to try, as previously mentioned, is to just guess. Based on 5 minutes of google research and a little clicking around on your profile, I would go ahead and guess with passwords like “carolpaint, carolpaint1, CarolMarinePaint9, annie, anniepaint, ilovemusic999, photo, photography, photosaremylife, etc” by entering them manually, you never know a little poke could always be enough. Failing that, and chances are it would fail, I have to basically take the same approach and guess every combination possible. You could use a bot or some automated program to do the guessing, but because of safety features, I will probably still wind up entering in the combinations manually. I have been told there are automated programs for brute force hacking, but am yet to see one working on a modern site with modern security.

As guessing the password is going to be a pain in the ass, the best thing to do again would be to try and trick you. There are a few options for this, but I would probably go with trying to use a key logger. I would basically need to send you an email with a little virus-like software attached. You think im sending you “that video game I told you about”, but really its a program that looks at what keys you press and then reports back to me in secret what you have typed in lately in the form of a text document. I then look for some text that looks like your password, and if I see something like you have typed that looks something like the following “www.hotm DownKey, Enter, whiteca DownKey MouseClick Ilovemusic909” then I would try “ilovemusic909” for a password. If it works then I’m in, if not, keep on waiting for more key logger reports.

If they key logger fails, then I can try to trick you other ways. One other way would be physhing, a similar logic to the keylogger, I send you an email that looks like its from your email provider asking you to log in, but really it is a fake site that just reports your password back to me.

Failing that, I give in. Whatever is in your email is not going to be worth all this effort to me, and I stop trying to hack.

There could be other methods, but I have not heard of any others yet.

@poisonedantidote one common strategy that you didn’t mention is that a hacker will often try to find crappy sites that whitecarnations might be a member of. Maybe it’s a new/amateurish photosharing service with weak security. From there, you can run a program that will brute force dictionary passwords (and their alternatives like 10ve instead of love). A young, or cheesy site is much less likely to have set up the proper protections to detect this type of attack. Once you figure out the password for that site, there is a very good chance that you’re using the same or similar for your primary e-mail account (and also your bank).

@gorillapaws Like this ?

You might find this insightful.

The easiest route is usually social engineering. I lost control of everything online, once, as a result of a social engineering attack. The person called my ISP and told them that he was me. I have a special password on my account which I have set up so that they are not supposed to make any changes to it or release any information unless I give them this password verbally. Unfortunately, my ISP outsources their support to Karachi or something, and the people there have both poor English skills and a complete lack of clues. Somehow the caller convinced the support person to give him the password to my Internet account without giving the special verbal password by claiming he was me, and that I had forgotten my passwords.

With my account password, the person now went to all my various online identities – blog, IRC account, email, message boards, and so forth – and used them “forgot my password” feature which sent the password to my ISP email account… which he now could access.

You are only as strong as your weakest link. And it’s really not all that hard to buffalo someone making 50 cents an hour in Karachi into giving out information they shouldn’t.

Keep your friends close, and your enemies closer

@poisonedantidote Of course I’m not the hacker. There’s been a boom in Craigslist dealing however. The “buyer” will say something along the lines of, “Hello, Am satisfied with the product currently stationed in Germany, need it shipped to Nigeria for my wife on a missionary.” Some shit like that. But usually they first agree to purchase it, and ask, “When can I check it out? or Is it defected at all?” And then I respond with my real e-mail address. I don’t use my phone because they could attack my g-mail account with my phone number. I know how to use Craigslist and would never do a non local transaction. But these fucking Nigerian Scamming Cartels are becoming quite clever. So what do they know about me is my whole name, due to the professionalism of my e-mail address. But one thing I have going for me is that there are only 4 people and a little 5th! on the way with my last name in existence.

@SmashTheState One way to avoid that is to completely decentralize. You might bamboozle my ISP, but nothing ties to it.

But is this actually about hijacking rather than hacking? Just about everybody I know who says their account has been “hacked” by a spammer actually means it’s been hijacked.

@whitecarnations make a new e-mail address just for craigslist. Give that email account a truly unique password, and you should be in good shape.

@gorillapaws I actually did have “phony” e-mail name just exactly for my social media sites. I don’t know when I decided to just merge everything to my name however… Oh the different faces to hide behind on the interwebs…