ELI5: If I enter a password wrong thrice, the system locks me out. How are hackers able to attempt millions of combinations of passwords without the system locking them out?

Read the Story

Show Top Comments

* Modern passwords work by a process called “hashing”. * Hashing basically means: * you take some input, like the characters someone enters for a password, and you shove it through a machine. * That machine then spits out some new string of characters that doesn’t seem like it has anything to do with what was shoved in to start with. * But the trick is that it does have some sort of connection. * The only way to get that specific output is to feed in that specific input. * So when you sign up an account with a website, they take the password you made up, shove it through their hash-machine and then store the output. * So even if they get hacked, the hacker will only get the hash, not the password. * But when you go back to the website and enter in your password their hash-machine will spit out the correct “hash” and since it matches with the one linked to your user name, they let you in. * However, if a hacker was able to steal a complete list of all the hashed passwords for a site, they could build their own hash-machine and just start trying every possible combination of inputs to see if one of them spits out a hash that was in the list. * This would allow them to make as many attempts as they want without running into the rate limit on the website. * This is typically not easy to do though. * So most hackers actually just try to trick you into giving them your password. * Like sending you a link on Facebook that looks like it leads to a login-page when really it’s a fake website that just copies whatever you type in the password box. * EDIT: Updated to more directly answer OP’s question.


Many answers here are tackling how attackers use leaks and phishing to accomplish this, but I do want to highlight one frequently used brute force method: There is a very common attack vector called “password spraying”, which essentially uses a set of common passwords (iloveyou, password123) generic to everyone and/or personalised ones (firstname123, email alias, phone number, etc.) to see what accounts they could get into. The key is that you can set up password attempt limiting in two ways – * absolute attempts: no matter who is trying to sign into an account, lock it up after x attempts. This means that if you tried to sign into your account with a wrong password from your phone twice, then from your laptop once, it would lock you out of your account. Many high security financial apps have this. * relative attempts: they lock your device out, but not the whole account. Websites use information about your device (e.g. from your cookie), session, IP, etc. and just lock you out from that attempt. While this works against manual hack attempts, like your boyfriend trying to log into your messenger account, it doesn’t protect much against automated hackers. All a hacker has to do is reset their proxy to a new location, clear their cookies (both of which can be automated in a matter of milliseconds), and try another set of passwords as part of a new attempt. Most social media accounts that are optimised for access rather than security use versions of this, with varying levels strictness of how they define a new login attempt. But in any case – use good, strong passwords. And don’t use the same one everywhere – some websites are incredibly easy to crack or reverse engineer so your security online becomes dependent on the weakest link. **edit: to add a bit more context on spraying, these attackers don’t typically try a bunch of passwords on a few accounts. Instead they try a limited set of common passwords on a bunch of accounts. It’s incredibly easy to buy dumps of registered email addresses – I’d bet that at least 3% of them have a super common password.


They’re not doing it that way. If they’re attempting password combinations, then they already have a copy of the password database file, with encoded (hashed) passwords. Hashing algorithms are no particular secret, so what they;re doing is taking a word, hashing it, and comparing to the database to see if they have any matches.


This method of trying millions of password combination (known as brute force) is NOT widely used. It is not an efficient (if practical) way of getting login credentials. It is used in unlocking zip files where you aren’t locked out. You can always use Proxy, VPNs but that will slow things and impractical in lot of cases. AFAIK Most used method of hacking social media and related things is Phising and Social Engineering. Edit: grammar fixes


The answers given so far all seem to be correct, but appear to answer a different question than the one asked. You are 100% correct that if attackers use the same website/system to attempt a login, then they will also get locked out too. Consider this flowchart/steps needed to login 1. Type details into your web browser and click submit 2. The web server computer receives this data and decides whether to continue or not (e.g. auto reject if you’ve tried too many times) 3. The web server computer then communicates with the database server computer to see if the data you submitted matches the data they have stored (I.e. username/password/email address/whatever) 4. The database replies with the relevant information/data for the web server to use 5. The web server computer then responds to the user with the relevant response (e.g. “no” if it doesn’t match up) What if you could trick step #2 into always allowing you through, or what if you could skip around steps 1+2+5 and have the database respond directly to you? The first way around this is to figure out how they determine “repeated attempts to login” (i.e. step 2) – e.g. they might be counting the number of attempts coming from a specific computer/IP address etc, in which case they will just use lots of different computer to get more attempts (e.g. a network of remotely/robotically controlled computers – a botnet). This doesn’t work if they’re counting the number of attempts to login to a specific account though as it won’t matter WHERE the attempt came from, just that an attempt was made. Another way around it is to bypass the checks/counting. Wherever the counting is taking place, if you can avoid that then you no longer have a limit on the number of attempts you’re making. One option might be to find some way to reset the counter, but in practice this typically means getting direct access to the database and running your attacks against that. When you have direct access to the database (either the live one with protections bypassed, or a local copy of it that you downloaded) then you have as many attempts as you want/need. Other answers go into substantial detail about what is normally stored within the database and how that is attacked, but that is mostly irrelevant when considering the number of attempts made.