How to Get Your Identity Stolen in One Easy Step


I recently found a discarded desktop computer, a Dell Inspiron model, lingering by the dumpster. Anything left next to dumpsters signifies that the former owner wants you to take it. Whoever abandoned the computer wants to do someone a favor. Unfortunately, computer donors don’t really know what they’re actually giving away: privacy, passwords, security and potentially a great deal of money.

After giving the discarded computer a quick teardown, I put it through a variety of security tests and found glaring problems – problems our readership may learn from.

Stealing someone’s identity doesn’t take a lot of intelligence or even a lot of effort. The bad guys only need you to trust them with your hard drive. From there, a combination of bootable live disks, brute-force password crackers and recovery software can turn your financial and personal life into a living hell.

Initial Observations

The computer itself had a great deal of dust inside of it – suggesting that the previous owner likely didn’t properly dispose of their data. Upon close inspection, the dust itself had a peculiar kind of texture to it. When hit with canned air, it didn’t immediately disperse the way most dust does: a sure sign that the owner smoked around his electronics.

[Image: close-up of fan]

For those who don’t know – smoking around computers is a big no-no. Smoke carries with it oil, which adheres dust to surfaces. You can tell the difference between dust from a smoke-free home and dust from a smoker’s. Just put your nose to the power supply exhaust and you can smell the difference.


Opening the computer up revealed a dust-choked, yet still intact computer. All the primary components were there – motherboard, CPU, DVD drive, RAM and the power supply. This shot was taken after blowing it out with canned air. Notice the dust’s persistence.

[Image: fan clogged with dust]

The component that caught my eye, the soul of the computer: a hard drive. Getting access to just the hard drive gives an attacker a tremendous amount of power. They don’t really need anything other than the hard drive to launch a penetrating assault into the darkest corners of your personal life. Just two kinds of software make it easier than stealing candy from a baby.


There are about a dozen easy ways to perform a password reset or password recovery on someone’s computer. Ophcrack is a Linux-based Live USB/CD that does just this, with no understanding of computers required. Simply download and burn the image to a USB or CD/DVD and boot it on the target computer, just like an installation disk. By default it will attempt to solve passwords up to 14 characters long using what’s referred to as a Rainbow Table.

While a brute-force attack attempts to guess the locked computer’s password, a Rainbow Table attack is a variation on the brute-force method that relies on a pre-generated table. Here’s a great explanation of how Ophcrack works. In short, it can break passwords very rapidly. Because most users don’t use secure passwords, it often takes only a few minutes to work. Actually, even secure passwords don’t last long against Ophcrack.


I want to demonstrate how easy it is for a data-thief to steal someone’s password; it’s not my intent to bypass any security measures. How easy is it? On my own computer (not the discarded computer) Ophcrack guessed the password in 0 hours, 0 minutes and 0 seconds. To put that in perspective, the password didn’t withstand a single second getting hammered with brute force. In short, you can’t rely on your login password to protect sensitive data on your computer, unless it’s longer than 14 characters.

On the positive side of things, Ophcrack can recover forgotten Windows passwords. Also, as a means of providing security audits, the software remains an absolutely invaluable service.


Recuva can undelete data that you’ve sent to the recycling bin, even after emptying it. It exploits a loophole in how operating systems erase data. In order to preserve performance, information isn’t deleted after you clear the recycling bin. Although the operating system marks “erased” data for deletion, it leaves it on the hard drive’s platter until it is eventually overwritten with new data. Here’s a shot of what Recuva looks like as it undeletes your data:

[Image: Recuva snatches data]

Data isn’t actually reliably destroyed until the portion of the hard drive it inhabits gets overwritten – several times. That’s why data destruction software oftentimes writes over data multiple times. For example, the Bush-Cheney administration used a special wipe process known as a “seven level” wipe. The method writes over erased data seven times, ensuring that not even data fragments could be recovered, even with techniques such as Magnetic Force Microscopy.

Unfortunately, judging from the exterior of the computer, the individual who generously gifted their computer probably didn’t take any precautions. A tell-tale indicator that someone hastily wiped their data prior to handing off a computer is an empty recycling bin. Most people don’t wipe their recycling bins on a regular basis. And if it was recently wiped, chances are that data still inhabits the computer’s hard drive.

Password Theft

When a thief goes for the Triple Crown of skulduggery, he recovers your hard drive, breaks through your password and then loots your computer of its internally held passwords. The two most vulnerable kinds of programs are instant messenger clients and most browsers, which store unencrypted passwords. A nearly axiomatic rule has been to not store passwords of any kind on your desktop.

  • Chrome: There are several password recovery tools available for Chrome. You may want to check out ChromePass.
  • Internet Explorer: Internet Explorer requires that you use a recovery tool like IE PassView.
  • Firefox: Unlike Chrome, Firefox at least includes a password manager, which you can lock using a password. Password recovery tools do exist for it, though.
  • Instant Messengers: One of the best password recovery tools for instant message clients is MessenPass. It works on a variety of clients as well.

There are a great many software options out there for recovering a password from instant messengers, browsers and other software. Considering that many of us reuse passwords on multiple platforms and websites, thieves getting hold of just one can potentially lead to financial disaster.

What Should You Do?

For those seeking to dispose of their own computer, and for those who find one, perform a multi-pass wipe on it. Ubuntu or Linux Mint are great for performing formats. Simply overwriting the original installation may not prevent data recovery attempts, but it will reduce the likelihood that they succeed.

For destroying data, try Parted Magic. Parted Magic includes several disk wiping (and cloning) utilities that include multi-pass functionality. If you prefer another solution, try one of the many LiveUSBs offered in Live Linux USB creator (our guide to LiLi). We have covered several password recovery options. On the other hand, we cannot stress enough how important it is to use strong passwords to protect your data.
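To check that a wipe actually removed data rather than just unlinking it, the following added example (not from the original article or from any of the tools it names) overwrites a constructed disk image in several passes and scans the raw bytes before and after. The image file, the marker string and the function names are assumptions made for the illustration.

```python
import os, tempfile

BLOCK = 4096  # bytes per read/write

def overwrite(path, passes=3):
    """Overwrite `path` in place: random data, then a final pass of zeros."""
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # works for image files and block devices
        for n in range(passes):
            dev.seek(0)
            left = size
            while left > 0:
                chunk = min(BLOCK, left)
                dev.write(bytes(chunk) if n == passes - 1 else os.urandom(chunk))
                left -= chunk
            dev.flush()
            os.fsync(dev.fileno())  # push this pass to the medium before the next

def find_residue(path, markers):
    """Scan the raw bytes and return {marker: [offsets]} for markers still present."""
    hits = {}
    overlap = max(len(m) for m in markers) - 1  # catch matches split across reads
    with open(path, "rb") as dev:
        base, tail = 0, b""
        while data := dev.read(BLOCK):
            buf, start = tail + data, base - len(tail)
            for m in markers:
                i = buf.find(m)
                while i != -1:
                    hits.setdefault(m, set()).add(start + i)
                    i = buf.find(m, i + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(data)
    return {m: sorted(offs) for m, offs in hits.items()}

def demo(path):
    """Constructed image: a 'deleted' secret left in unallocated space, then wiped."""
    secret = b"wifi_password=CONSTRUCTED-EXAMPLE"
    with open(path, "wb") as img:
        img.write(bytes(16 * BLOCK))
        img.seek(BLOCK - 5)  # place it across a block boundary
        img.write(secret)
    before = find_residue(path, [secret])
    overwrite(path, passes=3)
    return before, find_residue(path, [secret])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(os.path.join(d, "disk.img")))
```

On SSDs and other flash media, an in-place overwrite may not reach cells the controller has remapped, so the drive's built-in secure-erase function is the usual route there.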


If you intend on throwing out an older computer, at the very least, consider using a multi-pass formatting tool on the hard drive. At the most, remove your hard drive from your computer before handing it off. A second point that I wanted to make with this article is that data thieves only need your hard drive in order to get your passwords. The best precaution is to remove your hard drive. A third point is that you should be empathetic. If you ever find a discarded computer, take the hard drive and wipe it. You get Karma for doing so.

For the computer in question, I performed a multi-pass wipe. With a free hard drive on hand, I then used it in a Linux-based RAID array and donated the remaining parts.

Did anyone else ever forget to wipe a discarded computer? Or find a computer? Let us know in the comments.

Comments (70)
  • shortcode70

    In the thread you questioned breaking passwords on a Mac. It’s too easy actually. If you have an installation disk you just boot from that like you are going to install the OS and it gives you an option to reset the administrator password on the computer somewhere in that dialog. It’s been a minute since I had a Mac and had to do that so I can’t remember the exact steps once CD boots but it isn’t a hidden option or anything like that.

    • Kannon Y

      Great tip! Thanks for the comment.

    • RogueDecibel

      Actually it’s even easier, you just need to hold CMD+S when booting, type 3 lines of code and then you have yourself a brand new admin account.

  • Serendipitous Critter

    Oops, I was referring to an electromagnet…….
    **This method only works with older type media no good for usb sticks, SSHDs, memory cards punch cards or handwritten notes…… Be careful with your passwords folks.

  • Serendipitous Critter


    either construct one at home or visit a metals yard or someplace

    outcome NO WASTE
    No data
    it’s a win win or a window, but NOT ONE OF OPPORTUNITY
    Help our society avoid gratuitous waste.
    Every time we waste we raise the price on a new one and have to deal with that much more trash – If you donate no one will have to steal to get one……And we won’t get raped to get a better one. Just my opinion / religion way of life….

  • jelabarre

    Personally I’ll use a DBAN bootable CD and run either short-DOD or a full DOD wipe. Or, if I can attach the drive to a running system, I’ll run shred with 7 passes and a zero fill. Sometimes I’ll do this even if I’m keeping the drive, because it’s a good way to exercise the drive if I think it’s questionable. How *much* you want to wipe the drive will always depend on the perceived value of the contents. A thief grabbing a home computer is merely taking a chance there may be something usable. If it will take any noticeable amount of time, effort or money to extract data, they’ll move on to another, presumably easier target. A HDD from a bank or military system, on the other hand, is considered to contain more of value, and will be worth more effort. A “short-DOD” wipe should be enough for home systems, full DOD will make you more comfortable if you have time to run it.

    As for destroying drives: considering it’s getting near impossible to find PATA drives now, I’d prefer people would at least try repurposing them. And in the midst of our current economic depression, not everyone has the cash to cough up for even new SATA drives.

  • 1234

    hulk smash hard drive. hulk don’t want ppl to find pictures already posted on facebook. hulk smart

    i will destroy my old hard drive because i had super secret blue prints, messenger conversation with nwo leaders, alien invasion details, and the next lottery numbers . what kind of super important info do you keep on those hard drives that the only option is to physically destroy them?

    if you don’t want ppl to find out you are into gay furry porn i understand

    • Kannon Y

      LOL, thanks for the good laugh, Banner. :-)

      To answer your question, a thief can steal your identity with just a small amount of the information contained on an old hard drive. For example, if they get your WiFi password, they can infiltrate your home network. Or they can just nab your account passwords that were possibly stored in a browser or instant messenger.

Affiliate Disclaimer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.