I was chatting with a particularly astute 15-year-old this weekend (we can call him Jack, just for fun) and the conversation turned to computer security.
We were exchanging ideas about general security topics and Jack asked this question:
“If I type my password incorrectly on a website, it eventually locks me out, but when the hackers do it, they never get locked out. How is that possible?”
At that moment, I realized one of the biggest problems as to why the typical computer user does not worry about password complexity (using random characters in a password) or password re-use (using the same password across multiple online accounts).
It is all a simple lack of understanding about how hackers figure out passwords.
Most people think that the hackers sit at a computer (wearing a black hooded sweatshirt, of course), frantically typing passwords into a website’s login page until they magically guess the correct password before the account lockout takes effect.
Given that scenario, which has been played out in more than one awful hacker movie and television show, it is no wonder that people think that their cat’s name and adoption year are strong passwords. Fluffy2012, anyone?
But there’s a reason why the hackers never lock your account – and it’s through a technique known as an offline-attack.
Here is how the offline attack is carried out:
Passwords are stored in a large file on a company’s server. If the company is practicing good security, those passwords are stored in a form that masks the password behind a numerical calculation, known as a checksum or “hash” value.
When a file containing the passwords or password hashes is stolen from a company (usually part of a larger breach), the file is placed on a separate computer and tools are run on it to reveal the passwords.
Even though the passwords may be hashed, there are tools that can find the equivalent numerical representation of that hash to reveal the password.
Since this is all done on a machine that is not subject to an incorrect password lockout threshold, the tool can run as long as necessary to churn through all the possibilities until the passwords are revealed.
The hackers never need to type the password into the website.
Once the passwords are revealed, they can be sold on the criminal market for varying amounts. The longer it takes a company to discover the breach, the longer the passwords are valid for criminal use.
(Note: Ideally website passwords are salted with a unique value before they are hashed. If phrases like “salted and hashed” make your eyes glaze over, check out this entertaining video.)
Perhaps if we can spread the word about how passwords are stolen and guessed to the general population, we can move closer to better password behavior among the typical computer user. This may go a long way towards removing the hoodies from the hackers’ heads.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
30 comments on “Why the password hackers never trigger an account lockout”
Don't forget that of course there are still people and systems out there that are trying to brute force passwords via the actual login page, and do eventually trigger the too many tries lockout. We see this many times a week on WordPress hosted sites for example.
Hi David (long time no hear!)
Yes, you're right of course. On this site, for instance, I regularly see hundreds of attempts by hackers to brute force their way into my WordPress backend.
Sometimes I almost feel sorry for them as many of the attempts are for usernames that don't exist, and perhaps they don't realise that I have additional protections in place behind the scenes anyway.
I would recommend that those hosting their own WordPress site deploy a plugin which can block multiple failed login attempts, and also introduce a two-factor authentication layer to weed out any unauthorised users.
"Sometimes I almost feel sorry for them as many of the attempts are for usernames that don't exist"
I just laugh at the complete stupidity in it. Odds are the attempts (which they can't even get to because of ingress filtering of services that require authentication on my servers.. but I've seen it and other types of attacks, all of them useless) is a scanner trying to find exploits. But even then, they check for Windows exploits when even basic checks would reveal I don't use Windows (and then I also write about how I don't use Windows.. in fact, I I've made it public what I do use because I contribute some programs [for it]). Add that all up, and you can see it is almost always scanners.
The only problem I have is it is a waste of resources. At least until they are added (automatically) to a blackhole route.
"Even though the passwords may be hashed, there are tools that can find the equivalent numerical representation of that hash to reveal the password."
Don't forget, either, that if the attacker knows how authentication works, they can exploit the hashes in such a way, that they can reveal the password (dictionary attacks for example) in time (and since so many use weak passwords, it is often a lot quicker than you'd like to believe). That is even if it is salted (proof: how does the system authenticate you?). Which is one of the reasons passwords from a dictionary or based on a dictionary word, is a bad idea.
As for complexity:
"about password complexity (using random characters in a password) "
I realise that maybe you're simplifying the idea to the readers (in which case: ignore this because it is rather … complex), but complexity is more involved than simply including random characters (also randomness is a vastly misunderstood concept).
I have an account at PNC Bank and my password for online banking is 150CessnaPln.
Actually, one of the other major reasons is that they try ONE password over MANY accounts. So the account frozen mechanism is never triggered.
I have a password (generation) scheme that initially looks complex, but in fact is very simple.
Think of your favorite song/movie/book/quote/whatever. Then think of your favorite line from same.
For example, my favorite movie is Casablanca, and my favorite line from it is "Here's looking at you, kid".
So, using that, my first character is a capital H. Then I count the number of letters that follow in the first word and add that. So we start with H4. Then I decide what to use for a space. Whatever the website allows is the usual. For the example, I will use hyphens. So now we have H4-. Then I continue the same way for the rest of the phrase and end up with H4-l6-a1-y2-k2 for the password. If your memory is good (mine is not), you can add the punctuation (if the website allows it).
Then for the hint, all you need to use is the name of the movie/song/book/quote/whatever. As long as you aren't singing the same line over and over again, no one is likely to guess your password.
I suggested this same scheme on a non-technical site and the usual "qwerty12345" types were whining about how difficult it was to use it.
I only ask that if you somehow derive profit from my suggestion that I get some of it. I'm an old retired/disabled vet that could use the money.
NOTE: If your "pass phrase" has a single letter, use it and follow it with a zero.
FW, I came up with a similar idea several years ago, using letters and numbers. For example, take the classic typing phrase "now is the time for all good men to come to the aid of their party". Using just the first letter of each word — and substituting a numeral for any word that sounds like a number — you get "nitT4agM2c2taotP" (and I borrowed the idea of using a capital letter for nouns like "time", "men", and "party" from the German language). Great minds think alike, eh?
What is the ONLY reason to change your password? To keep hackers from guesing your password? No, to keep your password DIFFERENT from the one hackers STOLE from the company asking for the password.
The trouble is that forcing users to change passwords regularly encourages them to use sinmpler passwords so it can be counter-productive:
This is true but you don't even need to ask Schneier. All you need is to understand how humans think and act, and know that humans will do almost anything to save time and effort. When you think in those terms, if you have to change regularly, you'll have a way (or ways) to simplify the process. That includes writing passwords down (they might do that anyway but the more they have to remember the more likely they will do something like this). It also includes simpler passwords. I imagine there are many more ways than one would like to believe.
But I think the point was that if a host is compromised, you should make sure your password is now changed. This is assuming that the host isn't still compromised. Yes, that is rather obvious. Maybe I'm wrong though; maybe he(?) does mean regularly, in which case, you're right – it is an outdated policy (and even back then it had serious risks).
The brute force issue has been around since a good while. What the reasoning for not limiting brute force attempts?
This article is describing the classic "dictionary attack" method which works on encrypted password files on older Unix systems. This used to be a very popular attack and was used successfully a number of times in very high profile cases, but that was many many years ago, when you could access that file readily because people didn't know that it could be cracked. Hosting centers and server administrators these days are wise to that method, and you can no longer easily get access to the host's password file like you could in the good old days. So that really is not a very common method for hackers to gain access to your account any more. These days the primary tools are social media sties, where people post all kinds of personal information that is likely to be useful to a hacker in answering "security questions" on a given site to recover a users password. Things like your birthday, mother's maiden name, what schools you went to, etc. Many people use these things as their answers to the site's security questions, making it very easy for a hacker to steal your password.
Not really true that it isn't readily used still. Yes, many systems are configured differently, so that the hashes aren't world-readable but that isn't to say that all are (people still run Windows 9x, Windows 2000, XP, etc. for example even though they shouldn't) or there aren't any ways around it. And one would go after what is easiest to exploit and also most likely to succeed undetected. And this has been done many times in recent years; the hashes are stolen and they are revealed through offline attacks.
You'd be surprised what many systems allow to this day. A slightly related issue: people still – even after so many years (and it was never a good thing to do) of people repeatedly warning just how bad this is – stay logged in as root in case they need it (and/or out of laziness and who knows what else). Consider that if you are naive enough to log in as root for general use, if you run into an exploit (of some kind) that attempts to read otherwise read protected access, the abuser now has access to what the user has access to.
AND since some services run as root, you must think of what those process(es) have access to, as well.
Of course, there are other risks besides security for general use under root, but that is besides the point.
If the hacker can use all those sophisticated tools to figure out my password, does it really matter if my password was Fluffy2012 or RT$#[email protected]&G8$??
It's perhaps more likely that the bad guys already know the hash for Fluffy2012 than RT$#[email protected]&G8$ – or at least their cracking software will.
Even if the bad guys start at the beginning and with brute force work their way up through all the possible 14-character combinations, they're going to find it much quicker cracking poor old Fluffy.
If password files are stolen and the password hash decoded offline then why does it matter how good or random the password was?
Hashes are one way.
You can convert a password into a hash. You can't convert a hash into a password.
What you *can* do is take a gazillion possible passwords and create a hash for each of them. And then do a look up to see if the hash you find in the password file matches one of those gazillion. If it does, you know what the password was.
So, having a complex, long password makes it less likely that the bad guys will have pre-generated a hash for it. Things get tougher for the bad guys still if the site was salting the passwords before hashing them – and if that salt was variable.
It doesn't necessarily make it impossible to crack the password in those situations, but it certainly makes it more time consuming.
I think that the biggest problem is password reuse.
1) Set up an enticing free site that requires you to choose a username and password
2) Collect thousands of username/password pairs; many of those will be used on sites that bad guys might be interested in.
3) Sell them to people who want to be hackers.
Yes, I agree.
Password reuse is a much bigger problem than dumb, easy-to-guess passwords.
If a hacker steals usernames (often your email address) and passwords from a website, then the first thing they're likely to do is see if those same credentials unlock other accounts online.
If you don’t have the nous to steal a password database from a website, just create your own website and invite people to sign up for it. D’oh!
Stop using the same password in multiple places folks!
How hackers avoid lockouts
They script their password cracking program to try the most amount of password guesses before being locked out let say 4 times then they try another username try out 4 guesses and on to the next .They soon come back to the first username avoiding the time threshold of trying failed attempts and try the next set of 4 passwords in their list.
And that means little if they return the same day (or whatever period of time the system considers).
But this article is about offline attacks where they try many, many passwords (e.g. dictionary attack) on hashes, where they don't try to log in to the system but instead figure out what the credentials are. That way, when they do log in, they don't have many obstacles to worry about (if any). They might have multiple accounts and passwords, even. That is most likely the case.
Super computers have been known to be able to guess into the millions (possibly billions) of passwords a second.
Your average home cracker is probably closer to the thousands of guesses per second. That being said, unless you're trying to hack some 5 year old's Minecraft account then no, crackers do offline attacks only.
There's an excellent illustration of true password security from the webcomic 'xkcd', and I'll sum it up briefly- the strength of a password isn't determined by greater variation of each digit, but rather the length of the password. A short, complicated case sensitive password (rU5tY8iK*s) that includes capitals, lower-case, numerals and symbols will be very hard to remember, whereas as a long password that's not case-sensitive and made up of several common words (correcthorsebatterystaple) will not only be monumentally more secure, but also so easy to remember you'll never have to write it down. It's really surprising how little any actual math is used in solving this problem.
Password Less authentication is the way to defeat hackers. Imagine someone stealing server data only to find there is no field called password. just the username which is encrypted using a real time generated password which in turn is generated only from a registered device.
This was suggested by me way back in 2009 but no one cared to have a look at the tech. Well I am happy the market is suffering at the hands of the hackers as I got financially ruined taking this technology to the market with no buyers.
You're neglecting 2FA which is a fairly old concept. What if that device is stolen? What if it is an attacker with access to the device? Then what? Might as well not bother with authentication at all. Removing the password is weakening security because it is removing a layer.
2FA is basically supplementing username/password with another step. It does not do away with the password. A hacker who has complete control over your computer and device is as good as being you. The idea of device authentication is not so much as making a hack proof solution but making life of hackers miserable. As they now need to also need to know which device the user uses. The 2FA such as ones from RSA that were hacked were proprietary devices that hackers could purchase and dissect. These solutions also stored some form of data on the device to identify the user. Reason why they failed.
However if a user uses their own mystery device such as their USB Pendrive (of any make standard or non standard) or even their Mobile Memory Card (which is as good as a USB drive) or a USB blue tooth dongle. Or even a USB keyboard/Mouse.
Hackers will have a tough time knowing which is the device the user is using to authenticate as their password. Besides once the account is access, the user can remove the device from the system.
Only situation where someone can access the account is when a person is too forgetful and dumb. That person does not lock his computer desktop when moving away from the system and also leaves the authenticating device on the desk.
Besides this solution cannot be used by hackers to undertake a mass hacking as is being currently done. Another advantage of this solution is if one looses their authenticating device (which is their password) they can know it on time and call a service number and have it locked and register a new device. However, when a password is stolen one does not know about it unless the account is hacked.
At the backend, there need not be a password field in the database. So there is nothing to hack actually. This solution is deployed by me on my websites invisocial and managemypass.
Cryptoguru, I had a hard time telling if you were being sarcastic or not, but I think they already have that technology available and in place with two step authentication via keyfob. Log in with your username, password, and randomly generated one time passphrase or number sequence in order to log in each time. That pretty much makes stealing the password pointless if they don't have the unique keyfob tied to the account since each one of those is different.
Adding password complexity and expiration to the password would only further enhance the security to make it even tougher.
Camelonian, Thanks for your comment. I am aware of 2FA and also MFA. The market is glutted with such products most of which is proprietary. Even OTP has been proven to be Hackable. That is a separate discussion that I do not want to go into here.
You have not got my point though about password less authentication and which is what I am focusing on my comment.
Password less authentication involves doing away with the user having to define a complex password, remember it and then store it. And then have a service that can reset that password which is actually a backdoor. I worked for a security company that offered 4096 bit encryption of data and then found out that all I need to do to hack their accounts is replace the email address of the user in a table (stored in plain text) with my own and then reset the password.
So when I say doing away with password it means literally that. No password to be defined, entered or remembered or STORED on the server for hackers to hack.
There are many ways of achieving this. The one I propose is using a user owned device that generates a security token in real time (not stored on the device or the server) and then using that as the means to authenticate the user. So all I need to do is insert my USB Drive, enter my username (which would not be abc123 obviously) and then login to my account.
It is so simple. No need for 2FA or MFA here.
There is another solution that a company has developed whom I work with. Here the user enters username, on the web page, calls a service number (can set it to speed dial) and punches in a T-Pin (as in ATM machine) and then the user is authenticated and able to access their account. This is 2FA and Multi Channel authentication. But see this solution is dependent on the telephony service to authenticate your T-Pin and identity.
In case of my password-less solution using device as the password, there is no dependence on a service except for the web account one is accessing. So it is much simpler. The fact that one uses a mystery non-proprietary device that is empty and does not store any key or code or software makes a hackers life hell figuring out what to hack. As also if the server is hacked, the hackers will find there is no field in the database called "Password" that they plan to decrypt. :–) How does this sound? Won couple of awards including one from Lockheed Martin (demo to LM CTO) but unfortunately no one wants a secure solution. Companies and agencies want something that has a backdoor to get in.