Q: If I get locked out of my account when I type 3 wrong passwords, how are hackers able to use guessing to break in?
This question was answered on January 27, 2016. Much of the information contained herein may have changed since posting.
Hackers and security experts are in a constant chess match that never ends. Each move by one party causes the other party to take a new approach.
Two commonly used approaches hackers take to break passwords are referred to as dictionary attacks and brute-force attacks.
They are essentially computer programs that can generate millions, and against fast hashes such as MD5 on GPU hardware billions, of guesses per second.
The notion that hackers sit at a computer using the same login screens we all use to try to access our accounts is the first one we need to correct.
Often, they are using an 'offline' attack combined with automation and breached data to break passwords taken from specific sites.
Since the attack is offline, meaning they have obtained the site's stored password hashes from a breach and can test guesses against them on their own hardware, they are never subject to the password lockout protection: the lockout only counts attempts made through the site's login screen.
It gets a bit complicated, but the idea is this: a site should never store your actual password, only a one-way 'hash' of it. The hacker's program hashes each guess and compares the result with the leaked hashes, and a match reveals the password. When a site stored plain, unsalted hashes, those comparisons can even be precomputed into lookup tables (the so-called 'rainbow tables'), so the work is done once and reused against every breach. Salted, slow hashes blunt that shortcut, but the attacker still gets unlimited guesses.
The lack of understanding of how hackers actually ‘hack’ passwords and the false sense of security caused by account lockout mechanisms leads to complacency by so many users.
According to the Privacy Rights Clearinghouse, there have been 895,605,985 records breached from 4,746 data breaches since 2005 (http://privacyrights.org/data-breach). Keep in mind, this number only represents the data breaches that have been made public.
Every data breach that exposes user passwords allows the hacking community to keep compiling huge lists of real passwords (and the precomputed tables built from them), so even if you haven't used a password before, if it's too common, you're an easy target.
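To make the offline attack described above concrete, here is a small added example (not code from the original column). It constructs a pretend breach dump of four accounts, stored first as unsalted MD5 and then as salted PBKDF2, and runs a rule-based dictionary attack against each. The wordlist, mangling rules and account names are all made up for illustration; real tools use multi-million-entry wordlists and far richer rule sets.

```python
import hashlib
import os

# Constructed accounts; the plaintexts are chosen for illustration only.
PLAINTEXTS = {
    "alice": "password",
    "bob":   "Passw0rd!",
    "carol": "letmein123",
    "dave":  "correct horse battery staple is my phrase",
}

# The dump as many old breaches stored it: unsalted MD5 of the password.
LEAKED_UNSALTED = {u: hashlib.md5(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}

# A five-word stand-in for the huge wordlists real cracking tools carry.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2016", "1!"]


def leet_variants(word):
    """The base word, each single-character leet substitution, and the fully leeted form."""
    yield word
    for ch, sub in LEET.items():
        if ch in word:
            yield word.replace(ch, sub)
    yield "".join(LEET.get(c, c) for c in word)


def candidates(wordlist):
    """Expand each base word with case, leet and suffix rules, deduplicated.

    A tiny subset of what hashcat/John rule files do: 'password' alone
    becomes Password, P@ssword, Passw0rd!, PASSWORD2016 and so on.
    """
    seen = set()
    for base in wordlist:
        for cased in (base, base.capitalize(), base.upper()):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = leeted + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once; reusable against every unsalted dump.

    A real rainbow table stores this more compactly as hash chains, but the
    property that matters is the same: the work is done before any breach.
    """
    return {hashlib.md5(g.encode()).hexdigest(): g for g in candidates(wordlist)}


def crack_unsalted(dump, table):
    """Each user whose hash is in the table falls to a single dictionary lookup.
    No login form is touched, so a three-strikes lockout never fires."""
    return {user: table[h] for user, h in dump.items() if h in table}


def slow_salted_hash(password, salt, iterations):
    """How a site should store passwords: per-user random salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_dump(plaintexts, iterations):
    """Constructed dump of the same accounts stored with salt + PBKDF2."""
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        dump[user] = (salt, slow_salted_hash(pw, salt, iterations))
    return dump


def crack_salted(dump, wordlist, iterations):
    """With salts no precomputed table applies: every guess is re-hashed for
    every user, and each hash costs `iterations` rounds. Returns the cracked
    accounts and the number of KDF calls spent, for comparison with the
    one-lookup-per-user unsalted case."""
    guesses = list(candidates(wordlist))
    found, kdf_calls = {}, 0
    for user, (salt, digest) in dump.items():
        for guess in guesses:
            kdf_calls += 1
            if slow_salted_hash(guess, salt, iterations) == digest:
                found[user] = guess
                break
    return found, kdf_calls


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5, %d precomputed hashes:" % len(table),
          crack_unsalted(LEAKED_UNSALTED, table))
    found, calls = crack_salted(make_salted_dump(PLAINTEXTS, 1000), WORDLIST, 1000)
    print("salted PBKDF2: cracked", found, "after", calls, "KDF calls")
```

Running it shows three of the four accounts fall in both cases, including the 'complex' Passw0rd!, because the rules generate it from the base word; only the long passphrase survives. Salting does not stop the attacker from guessing, it just removes the precomputed table and multiplies the work by the number of users and the iteration count, which is exactly why length matters so much more than a sprinkling of symbols.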
If the general non-hacking public can get its hands on the top 10,000 most commonly used passwords in 30 seconds on Google, how many passwords do you think professional cyber-thieves have compiled?
This is why using the same password for multiple online accounts can easily make you a victim (attackers replay leaked username/password pairs at other sites, a practice known as credential stuffing), especially at sites that use your e-mail address as your username.
Complex 8-character passwords are nearly useless in today's environment; creating long pass-phrases instead is a better way to reduce your chances of being victimized by the powerful hacker guessing game.
For example, 'I Hate Passw0rds!' is much more secure than A8y@q7P1 and much easier to remember. One caveat: the strength comes from the length and unpredictability of the whole phrase, not from swapping a 0 for an o. Cracking tools try those substitutions automatically, so build your phrase from several unrelated words rather than a single common word dressed up with symbols.
The longer the password, the less likely it can be broken via the high-speed guessing game, so shoot for at least 15 characters.
You should also assume that your passwords will be compromised by a data breach at some point, so activating two-factor authentication (http://goo.gl/LWF4Eq) on your accounts will help keep the bad guys out, even if they do get your passwords!
About the author
Posted by Ken Colburn of Data Doctors on January 27, 2016