Column: How hackers bypass login lockout

Q: If I get locked out of my account when I type three wrong passwords, how are hackers able to use guessing to break in?

A: Hackers and security experts are in a constant chess match that never ends. Each move by one party causes the other party to take a new approach.

A couple of commonly used approaches by hackers to break passwords are often referred to as dictionary and/or brute force attacks.

They’re essentially computer programs that can generate millions, if not hundreds of millions, of guesses per second.

The notion that hackers sit at a computer using the same login screens we all use to try to access our accounts is the first myth we need to correct.

Often times, they are using an “offline” attack, combined with automation and breached data, to break passwords on specific sites.

Since the attack is offline, meaning they have acquired enough cryptographic information to attempt to break passwords, they aren’t subject to the password lockout protection.

It gets a bit complicated, but they can just set their computers to compare the specially encoded information against known passwords in what are called “rainbow tables,” which allow them to find matches.

The lack of understanding of how hackers actually “hack” passwords, and the false sense of security caused by account lockout mechanisms, lead to complacency among many users.

According to the Privacy Rights Clearinghouse, 895,605,985 records have been breached from 4,746 data breaches since 2005. Keep in mind, those are only the data breaches that have been made public.

Every data breach that exposes user passwords allows the hacking community to continue to compile huge rainbow tables, so even if you haven’t used a password before, if it’s too common, you’re an easy target.

If the general non-hacking public can get its hands on the top 10,000 most commonly used passwords in 30 seconds on Google, how many passwords do you think professional cyberthieves have compiled?

This is why using the same password for multiple online accounts can easily make you a victim, especially at sites that use your email address as your username.

Complex eight-character passwords are nearly useless in today’s environment; creating long pass-phrases instead is a better way to reduce your chances of being victimized by powerful hackers.

For example, “I Hate Passw0rds!” is much more secure than A8y@q7P1 and much easier to remember.

The longer the password, the less likely it can be broken via the high-speed guessing game, so shoot for at least 15 characters.

You should also assume that your passwords will be compromised by a data breach at some point, so activating two-factor authentication on your accounts will help keep the bad guys out, even if they do get your passwords!

Editor’s note: Ken Colburn is founder and CEO of Data Doctors Computer Services

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up