30 comments on “Why the password hackers never trigger an account lockout”

  1. David Banes

    Don't forget that of course there are still people and systems out there that are trying to brute force passwords via the actual login page, and do eventually trigger the too many tries lockout. We see this many times a week on WordPress hosted sites for example.

    1. Graham CluleyGraham Cluley · in reply to David Banes

      Hi David (long time no hear!)

      Yes, you're right of course. On this site, for instance, I regularly see hundreds of attempts by hackers to brute force their way into my WordPress backend.

      Sometimes I almost feel sorry for them as many of the attempts are for usernames that don't exist, and perhaps they don't realise that I have additional protections in place behind the scenes anyway.

      I would recommend that those hosting their own WordPress site deploy a plugin which can block multiple failed login attempts, and also introduce a two-factor authentication layer to weed out any unauthorised users.

      1. Coyote · in reply to Graham Cluley

        "Sometimes I almost feel sorry for them as many of the attempts are for usernames that don't exist"

        I just laugh at the complete stupidity in it. Odds are the attempts (which they can't even get to because of ingress filtering of services that require authentication on my servers.. but I've seen it and other types of attacks, all of them useless) is a scanner trying to find exploits. But even then, they check for Windows exploits when even basic checks would reveal I don't use Windows (and then I also write about how I don't use Windows.. in fact, I I've made it public what I do use because I contribute some programs [for it]). Add that all up, and you can see it is almost always scanners.

        The only problem I have is it is a waste of resources. At least until they are added (automatically) to a blackhole route.

  2. Coyote

    "Even though the passwords may be hashed, there are tools that can find the equivalent numerical representation of that hash to reveal the password."

    Don't forget, either, that if the attacker knows how authentication works, they can exploit the hashes in such a way, that they can reveal the password (dictionary attacks for example) in time (and since so many use weak passwords, it is often a lot quicker than you'd like to believe). That is even if it is salted (proof: how does the system authenticate you?). Which is one of the reasons passwords from a dictionary or based on a dictionary word, is a bad idea.

    As for complexity:
    "about password complexity (using random characters in a password) "
    I realise that maybe you're simplifying the idea to the readers (in which case: ignore this because it is rather … complex), but complexity is more involved than simply including random characters (also randomness is a vastly misunderstood concept).

  3. David Wilson

    I have an account at PNC Bank and my password for online banking is 150CessnaPln.

  4. Mike Edwards

    Actually, one of the other major reasons is that they try ONE password over MANY accounts. So the account frozen mechanism is never triggered.

  5. FW Smith

    I have a password (generation) scheme that initially looks complex, but in fact is very simple.

    Think of your favorite song/movie/book/quote/whatever. Then think of your favorite line from same.

    For example, my favorite movie is Casablanca, and my favorite line from it is "Here's looking at you, kid".

    So, using that, my first character is a capital H. Then I count the number of letters that follow in the first word and add that. So we start with H4. Then I decide what to use for a space. Whatever the website allows is the usual. For the example, I will use hyphens. So now we have H4-. Then I continue the same way for the rest of the phrase and end up with H4-l6-a1-y2-k2 for the password. If your memory is good (mine is not), you can add the punctuation (if the website allows it).

    Then for the hint, all you need to use is the name of the movie/song/book/quote/whatever. As long as you aren't singing the same line over and over again, no one is likely to guess your password.

    I suggested this same scheme on a non-technical site and the usual "qwerty12345" types were whining about how difficult it was to use it.

    I only ask that if you somehow derive profit from my suggestion that I get some of it. I'm an old retired/disabled vet that could use the money.

    NOTE: If your "pass phrase" has a single letter, use it and follow it with a zero.

    1. Bicycle Bill · in reply to FW Smith

      FW, I came up with a similar idea several years ago, using letters and numbers.  For example, take the classic typing phrase "now is the time for all good men to come to the aid of their party".  Using just the first letter of each word — and substituting a numeral for any word that sounds like a number — you get "nitT4agM2c2taotP" (and I borrowed the idea of using a capital letter for nouns like "time", "men", and "party" from the German language).  Great minds think alike, eh?

  6. Goliath

    What is the ONLY reason to change your password? To keep hackers from guesing your password? No, to keep your password DIFFERENT from the one hackers STOLE from the company asking for the password.

    1. Eli · in reply to Goliath
    2. Techno · in reply to Goliath

      The trouble is that forcing users to change passwords regularly encourages them to use sinmpler passwords so it can be counter-productive:


      1. Coyote · in reply to Techno

        This is true but you don't even need to ask Schneier. All you need is to understand how humans think and act, and know that humans will do almost anything to save time and effort. When you think in those terms, if you have to change regularly, you'll have a way (or ways) to simplify the process. That includes writing passwords down (they might do that anyway but the more they have to remember the more likely they will do something like this). It also includes simpler passwords. I imagine there are many more ways than one would like to believe.

        But I think the point was that if a host is compromised, you should make sure your password is now changed. This is assuming that the host isn't still compromised. Yes, that is rather obvious. Maybe I'm wrong though; maybe he(?) does mean regularly, in which case, you're right – it is an outdated policy (and even back then it had serious risks).

  7. joe

    The brute force issue has been around since a good while. What the reasoning for not limiting brute force attempts?

  8. James McClure

    This article is describing the classic "dictionary attack" method which works on encrypted password files on older Unix systems. This used to be a very popular attack and was used successfully a number of times in very high profile cases, but that was many many years ago, when you could access that file readily because people didn't know that it could be cracked. Hosting centers and server administrators these days are wise to that method, and you can no longer easily get access to the host's password file like you could in the good old days. So that really is not a very common method for hackers to gain access to your account any more. These days the primary tools are social media sties, where people post all kinds of personal information that is likely to be useful to a hacker in answering "security questions" on a given site to recover a users password. Things like your birthday, mother's maiden name, what schools you went to, etc. Many people use these things as their answers to the site's security questions, making it very easy for a hacker to steal your password.

    1. Coyote · in reply to James McClure

      Not really true that it isn't readily used still. Yes, many systems are configured differently, so that the hashes aren't world-readable but that isn't to say that all are (people still run Windows 9x, Windows 2000, XP, etc. for example even though they shouldn't) or there aren't any ways around it. And one would go after what is easiest to exploit and also most likely to succeed undetected. And this has been done many times in recent years; the hashes are stolen and they are revealed through offline attacks.

      You'd be surprised what many systems allow to this day. A slightly related issue: people still – even after so many years (and it was never a good thing to do) of people repeatedly warning just how bad this is – stay logged in as root in case they need it (and/or out of laziness and who knows what else). Consider that if you are naive enough to log in as root for general use, if you run into an exploit (of some kind) that attempts to read otherwise read protected access, the abuser now has access to what the user has access to.

      AND since some services run as root, you must think of what those process(es) have access to, as well.

      Of course, there are other risks besides security for general use under root, but that is besides the point.

  9. PaulB

    If the hacker can use all those sophisticated tools to figure out my password, does it really matter if my password was Fluffy2012 or RT$#q7s!@v&G8$??

    1. Graham CluleyGraham Cluley · in reply to PaulB

      It's perhaps more likely that the bad guys already know the hash for Fluffy2012 than RT$#q7s!@v&G8$ – or at least their cracking software will.

      Even if the bad guys start at the beginning and with brute force work their way up through all the possible 14-character combinations, they're going to find it much quicker cracking poor old Fluffy.

  10. Doh!

    If password files are stolen and the password hash decoded offline then why does it matter how good or random the password was?

    1. Graham CluleyGraham Cluley · in reply to Doh!

      Hashes are one way.

      You can convert a password into a hash. You can't convert a hash into a password.

      What you *can* do is take a gazillion possible passwords and create a hash for each of them. And then do a look up to see if the hash you find in the password file matches one of those gazillion. If it does, you know what the password was.

      So, having a complex, long password makes it less likely that the bad guys will have pre-generated a hash for it. Things get tougher for the bad guys still if the site was salting the passwords before hashing them – and if that salt was variable.

      It doesn't necessarily make it impossible to crack the password in those situations, but it certainly makes it more time consuming.

  11. drsolly

    I think that the biggest problem is password reuse.

    1) Set up an enticing free site that requires you to choose a username and password
    2) Collect thousands of username/password pairs; many of those will be used on sites that bad guys might be interested in.
    3) Sell them to people who want to be hackers.

    1. Graham CluleyGraham Cluley · in reply to drsolly

      Yes, I agree.

      Password reuse is a much bigger problem than dumb, easy-to-guess passwords.

      If a hacker steals usernames (often your email address) and passwords from a website, then the first thing they're likely to do is see if those same credentials unlock other accounts online.

      If you don’t have the nous to steal a password database from a website, just create your own website and invite people to sign up for it. D’oh!

      Stop using the same password in multiple places folks!

  12. nothing

    How hackers avoid lockouts
    They script their password cracking program to try the most amount of password guesses before being locked out let say 4 times then they try another username try out 4 guesses and on to the next .They soon come back to the first username avoiding the time threshold of trying failed attempts and try the next set of 4 passwords in their list.

    1. Coyote · in reply to nothing

      And that means little if they return the same day (or whatever period of time the system considers).

      But this article is about offline attacks where they try many, many passwords (e.g. dictionary attack) on hashes, where they don't try to log in to the system but instead figure out what the credentials are. That way, when they do log in, they don't have many obstacles to worry about (if any). They might have multiple accounts and passwords, even. That is most likely the case.

    2. Moose · in reply to nothing

      Super computers have been known to be able to guess into the millions (possibly billions) of passwords a second.

      Your average home cracker is probably closer to the thousands of guesses per second. That being said, unless you're trying to hack some 5 year old's Minecraft account then no, crackers do offline attacks only.

  13. chrispov

    There's an excellent illustration of true password security from the webcomic 'xkcd', and I'll sum it up briefly- the strength of a password isn't determined by greater variation of each digit, but rather the length of the password. A short, complicated case sensitive password (rU5tY8iK*s) that includes capitals, lower-case, numerals and symbols will be very hard to remember, whereas as a long password that's not case-sensitive and made up of several common words (correcthorsebatterystaple) will not only be monumentally more secure, but also so easy to remember you'll never have to write it down. It's really surprising how little any actual math is used in solving this problem.

  14. Cryptoguru

    Password Less authentication is the way to defeat hackers. Imagine someone stealing server data only to find there is no field called password. just the username which is encrypted using a real time generated password which in turn is generated only from a registered device.

    This was suggested by me way back in 2009 but no one cared to have a look at the tech. Well I am happy the market is suffering at the hands of the hackers as I got financially ruined taking this technology to the market with no buyers.

    1. Coyote · in reply to Cryptoguru

      You're neglecting 2FA which is a fairly old concept. What if that device is stolen? What if it is an attacker with access to the device? Then what? Might as well not bother with authentication at all. Removing the password is weakening security because it is removing a layer.

      1. Cryptoguru · in reply to Coyote

        2FA is basically supplementing username/password with another step. It does not do away with the password. A hacker who has complete control over your computer and device is as good as being you. The idea of device authentication is not so much as making a hack proof solution but making life of hackers miserable. As they now need to also need to know which device the user uses. The 2FA such as ones from RSA that were hacked were proprietary devices that hackers could purchase and dissect. These solutions also stored some form of data on the device to identify the user. Reason why they failed.

        However if a user uses their own mystery device such as their USB Pendrive (of any make standard or non standard) or even their Mobile Memory Card (which is as good as a USB drive) or a USB blue tooth dongle. Or even a USB keyboard/Mouse.

        Hackers will have a tough time knowing which is the device the user is using to authenticate as their password. Besides once the account is access, the user can remove the device from the system.

        Only situation where someone can access the account is when a person is too forgetful and dumb. That person does not lock his computer desktop when moving away from the system and also leaves the authenticating device on the desk.

        Besides this solution cannot be used by hackers to undertake a mass hacking as is being currently done. Another advantage of this solution is if one looses their authenticating device (which is their password) they can know it on time and call a service number and have it locked and register a new device. However, when a password is stolen one does not know about it unless the account is hacked.

        At the backend, there need not be a password field in the database. So there is nothing to hack actually. This solution is deployed by me on my websites invisocial and managemypass.

  15. Camelonian

    Cryptoguru, I had a hard time telling if you were being sarcastic or not, but I think they already have that technology available and in place with two step authentication via keyfob. Log in with your username, password, and randomly generated one time passphrase or number sequence in order to log in each time. That pretty much makes stealing the password pointless if they don't have the unique keyfob tied to the account since each one of those is different.

    Adding password complexity and expiration to the password would only further enhance the security to make it even tougher.

    1. cryptoguru · in reply to Camelonian

      Camelonian, Thanks for your comment. I am aware of 2FA and also MFA. The market is glutted with such products most of which is proprietary. Even OTP has been proven to be Hackable. That is a separate discussion that I do not want to go into here.

      You have not got my point though about password less authentication and which is what I am focusing on my comment.

      Password less authentication involves doing away with the user having to define a complex password, remember it and then store it. And then have a service that can reset that password which is actually a backdoor. I worked for a security company that offered 4096 bit encryption of data and then found out that all I need to do to hack their accounts is replace the email address of the user in a table (stored in plain text) with my own and then reset the password.

      So when I say doing away with password it means literally that. No password to be defined, entered or remembered or STORED on the server for hackers to hack.

      There are many ways of achieving this. The one I propose is using a user owned device that generates a security token in real time (not stored on the device or the server) and then using that as the means to authenticate the user. So all I need to do is insert my USB Drive, enter my username (which would not be abc123 obviously) and then login to my account.

      It is so simple. No need for 2FA or MFA here.

      There is another solution that a company has developed whom I work with. Here the user enters username, on the web page, calls a service number (can set it to speed dial) and punches in a T-Pin (as in ATM machine) and then the user is authenticated and able to access their account. This is 2FA and Multi Channel authentication. But see this solution is dependent on the telephony service to authenticate your T-Pin and identity.

      In case of my password-less solution using device as the password, there is no dependence on a service except for the web account one is accessing. So it is much simpler. The fact that one uses a mystery non-proprietary device that is empty and does not store any key or code or software makes a hackers life hell figuring out what to hack. As also if the server is hacked, the hackers will find there is no field in the database called "Password" that they plan to decrypt. :–) How does this sound? Won couple of awards including one from Lockheed Martin (demo to LM CTO) but unfortunately no one wants a secure solution. Companies and agencies want something that has a backdoor to get in.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.