The easiest way to get a password is just to ask for it. Most ISPs will tell you what a person's primary email password is or reset the password without too much hassle. Sometimes they will ask for a security phrase (e.g. your favourite colour or mother's maiden name) or a billing account number and/or address (a little dumpster diving) and sometimes not at all (many an ISP chicken couldn't care less). Once you have gained the email password, you will most likely be able to access their web hosting server as well (they rarely change the FTP password). You can then order domains and have them hosted on their account, as many business ISP accounts rarely query their billing account. You can then set up criminal phishing websites and spamming operations with very little traceability. Then you can go around and try your hand with some of the big retailers such as Amazon, eBay etc., or just perform a password reset with these companies and capture those details using webmail in real time.

All because someone's favourite colour is blue.

http://en.wikipedia.org/wiki/Gary_McKinnon

Even Gary was able to access high-level Pentagon and NASA servers by writing a simple script to scan .mil web sites for UN=Admin and PW=NULL. He apparently was quite successful and wouldn't have even been caught had he used a laptop and an unsecured wireless access point (remember to spoof your MAC address and factory reset the unsecured router when finished) instead of a dial-up connection. So it just goes to show that even a basic password such as 'qwerty' is better than none at all.

Wireless WEP encryption is basically useless and can be cracked in minutes using a netbook. All the other wireless encryption protocols are designed to be cracked by the likes of the NSA and GCHQ using portable custom ASIC logic machines.

The local university offer graduate degrees in hacking and countermeasures, where they practice walking into businesses as the computer geek (nobody is interested in the computer geek). ;)



Edited by Am_Fear_Liath_Mor (01/09/11 11:27 PM)