Wednesday, 16 February 2011 13:00

Warding Off E-Mail Snoops


Illustration: Anthony Tremmaglia

The email, dated February 27, 2007, seemed depressingly generic: “I think my gilfriend is cheating on me been together for years and years we don’t live together but need to get her password on msn so i can check her convasations out can you help please.” As the author of a book called Hackers, I get a few such requests every year, though they’re usually not so grammatically warped. As always, I ignored it. Why would I help someone with something like that? And anyway, this guy’s job was depressingly easy, especially if he had access to the victim’s computer. There are software programs, like the celebrated John the Ripper, that can crack common passwords, and there are easy-to-install software and hardware options that log every keystroke. Even without physical access, snoops can often break into webmail accounts by guessing the answers to password-recovery “security questions.”

The most basic form of compromise is the dictionary attack, a program that tries combinations of common words. It frequently works, simply because an alarming number of users ignore standard calls to incorporate numbers or special characters.

Some password-breaking programs have origins in hacker culture, though their creators usually claim to be of the whitehat variety. The purpose, they say, is not to help people ransack their lovers’ inboxes but to perform more benign tasks. “John the Ripper is primarily a tool for system administrators to audit their password security,” says its author, who goes by the nom de crack Solar Designer. Vladimir Katalov, CEO of Moscow-based ElcomSoft—maker of an eponymous password cracker—says his customers are mainly law enforcement agencies going after criminals’ computers or web accounts. If someone armed with his software can access a computer, Katalov claims, it doesn’t matter how complex the password is, because it’s usually stored somewhere in the bowels of the hard drive. “I can get it in half a second,” he boasts.

But it’s not like you have to flash a badge to get such software. Google searches for “password cracking” and “keyloggers” find plenty of solutions, some in paid ads.

Snoops seeking access to someone’s webmail can frequently get in simply by studying their target from afar. All too often, when asked to provide questions that would verify their identities, people use details that are easily discoverable by those who know about them. (The guy who got into Sarah Palin’s Yahoo account in 2008 did so by answering all of her security questions. The would-be vice president had chosen her birth date, zip code, and high school as the skeleton keys to her personal correspondence.)

Still, people can keep their information reasonably safe if they’re smart and diligent. As cryptography wizard Bruce Schneier explains, passwords, like all security measures, involve a cost-benefit equation where we balance vulnerability and convenience. People often underestimate the consequences, but a password attack can point to potentially bigger problems.

A chilling example is the petitioner quoted at the start of this column. His name was George Appleton; I had left his email buried in my inbox. While working on this column, I decided to Google him.

On February 6, 2009, Appleton, an unemployed laborer with a history of violence toward women—many of whom he met online—apparently murdered Clare Wood, a 36-year-old single mother, in Salford, England. The tabloids dubbed him the Facebook Fugitive. Days later, with the police on his trail, he hanged himself in an abandoned pub.

Was it Wood’s emails that he sought my aid in plundering? The timeline and email address he showed me suggest otherwise. According to reports, when Appleton wrote me, he and Wood had just met. Nonetheless, four years later, his request—something I’d dismissed with a blitheness that now haunts me—was darker than I’d ever imagined.
