This is a particularly risky password management technique. Even if you have a random 28-character password with mixed alpha-numerics, capitals, and symbols, if somebody finds
out what that is, all your sites are available for invasion.
Search their computer. Do quick search for folders that might be named "accounts" or "info," or in case they're really not so good about security, a folder named "passwords."
- Examine the contents of any folder you find that might contain the necessary info. If the passwords are for specific accounts, and there is more than one account listed, you will have an idea about their password scheme.
- If all the passwords are the same, they're probably the same for all their accounts.
- If all the passwords are just slightly different, such as "account A: paSSword1; account B: paSSword2," etc., you can extrapolate from that pattern.
Click on the forgotten password link. Most sites have this right next to the password entry field, and usually it's a simple matter of retrieving the email that is attached to that account.
- If you are at the computer of the person whose account you're trying to hack, you can open the email, and will either be given the password, or the opportunity to reset the password. Click on the link, and follow the guidelines.
- Remember to delete the email when you're done.
- If the account you hacked (or the browser) allows you to save the password, then do so: your target may not discover they've been hacked for a while.
- If your target password-protects their email, or goes to an email provider that is not immediately apparent—such as Yahoo Mail, or Gmail, you may need to do some sleuthing.
Take a guess based on common practices. People are creatures of habit, and don't want to have to think too hard to do repetitive tasks—tasks such as entering passwords. As a result, we tend to use words that are easy to remember. The trouble is, they're also easy to guess. Below are some of the worst offenders[1]. Feel free to wince if your own password is on this list:
password
12345678 (or however many digits are required)
monkey
letmein (or in leet, l3tm31n)
trustno1
master
welcome
ashley
ninja
Jesus
mustang
Password (many people use this one)
Try any of the above, capitalizing either the first letter or the last, or adding an exclamation mark at the end.
Take a guess based on personal information. Try their birthday, their zip code, their lunch number, the names of their family or pet, favorite author, or anything else you think might be important to them.
Ask them. There's nothing like the direct approach! Make up an excuse for why you need their account or why you need to log in. If it's a good friend or a family member, they will probably give it up without asking.
Be a detective. Watch them the next time they type in their password, set up a hidden camera, or install a key-capture application to catch what characters they're entering.
There are even smartphone apps under development that can sense the strength and frequency of vibrations, and translate that into the correct keystroke.[2] In theory, you could set your phone down on your target's desk, what they type will be recorded for you to review at a later time.
- If that's the case, you'll want to have a very good reason for violating their trust, but there are situations where that's exactly what's needed.
Be a detective. Watch them the next time they type in their password, set up a hidden camera, or install a key-capture application to catch what characters they're entering.
There are even smartphone apps under development that can sense the strength and frequency of vibrations, and translate that into the correct keystroke.[2] In theory, you could set your phone down on your target's desk, what they type will be recorded for you to review at a later time.