Password decryption, or visibility over a network.

I am doing some research into how a password can be hacked. Hacked not in the sense of someone trying to repeatedly guess your password until the correct password is guessed. The case I need to learn more about is how a password can be hacked from memory. I don't wish to hack passwords, only to gain a high-level view. Here is my question.

Suppose you have an "Intranet website" and you have 10 users throughout a company accessing the website. Suppose the users are very security conscious, and do not let others gain physical access to their laptops. Meaning they log into their personal PC with the username and password assigned to each of them. They are protective of their user credentials and do not ever let others know them, or find them out by such methods as shoulder surfing.

Is it possible that their passwords can be hacked even if a hacker does not have login access to their PC/laptops? If so, how can that be done? The only thing I can think of is someone with network administration skills somehow gaining access to their PC through the network.

Mal Osborne (Alpha Geek) commented:
In theory, a secure web site should use SSL. With SSL, all data is encrypted while traversing the network.

A hacker COULD set up a webcam and watch users type their password in, or leave some keyboards lying around with a keylogger installed.
If you had said "and they lock their machines at all times, even when they just leave the room for one minute", "hacker" would have quite a hard time, if we assume that the intranet site will not allow plaintext authentication (http instead of https) over the network.

But if they leave their computers unlocked, you'd walk up to one of them and try to launch attacks (attacks that are carried out in seconds, like USB Rubber Ducky-style attacks). If they are local admins, these attacks are carried out easily and will reveal their logon passwords instantly if they are on, let's say, Win7. With their logon passwords compromised, you can imagine the rest of the story.
If they are non-admins, it will be harder and would probably make use of something like keyloggers (in software or in hardware).
Anything is possible, with enough determination, creativity and time. There are many different ways this can be achieved, but the level of difficulty is dependent on several different factors. For starters, let's talk about some of the tools you might need. To even attempt something like this you would need any of these, depending on your approach:
1) Key loggers
2) Network packet capture and analyzers
3) Network remote monitors
4) cameras and telephoto lenses
5) Long range Microphones
6) RF Frequency analyzers
7) dictionary attack software or brute force attack software
8) decryption software
9) botnets
10) a virus
11) NSA access
and the list can go on and on forever depending on how technology savvy and how determined you are.

As for how easily it can be done, it depends on how careful the users are and how good the programming and the network security are. If the users are careful there is always the possibility that someone may glimpse the password or that they have written it down somewhere or even given it to their secretary. A little social engineering and research into the individual can allow a hacker the information they need to get the password they need or the access they need to the user's computer to install a key logger or other software that may allow them to get the password. If the programmers have been careless or lazy it is possible that they may not have programmed the site with strong enough encryption or authentication protocols, allowing the attacker to hammer their way in or perform a man-in-the-middle attack or decryption attack (although this last one could take a long time and a lot of processing power to achieve). If the programmers have been careless the attacker may not even need a user's password if they can exploit another vulnerability like a SQL injection bug or other that may give them access.

I find that the best way to secure from the possibility of a breach from an attack or password being compromised is by having good thorough secure programming and two-factor authentication that requires the user not only use their password but a one-time token code verifier that is regenerated every 30 seconds to gain authentication and access to a site or secure system.
