If I get locked out after trying my password too many times, how do hackers get in?
Jan 31, 2016, 8:26 AM
Q: If I get locked out of my account when I type three wrong passwords, how are hackers able to use guessing to break in?
Hackers and security experts are locked in a chess match that never ends: each move by one side prompts a new approach from the other.
Two commonly used approaches hackers take to break passwords are known as dictionary attacks and brute-force attacks. Both are essentially computer programs that can generate millions, if not hundreds of millions, of guesses per second.
The notion that hackers sit at a computer using the same login screens we all use to try to access our accounts is the first one we need to correct.
Often, they use an offline attack, combining automation with breached data to break the passwords of a specific site. Because the attack is offline — meaning they have already acquired the site’s stored password data and are testing guesses against it on their own computers, not through the login screen — they aren’t subject to the password lockout protection.
It gets a bit complicated, but in short they set their computers to compare the specially encoded (hashed) password information against precomputed tables of known passwords, called “rainbow tables,” and look for matches.
Not understanding how hackers actually break passwords, combined with the false sense of security that account lockout mechanisms create, leads many users into complacency.
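The following is an added illustration, not code from the column: a toy offline comparison of a constructed “breached” password table against a tiny common-password list, showing that no login form (and so no lockout counter) is involved, and how per-user salting with a slow hash turns one cheap table lookup into repeated, expensive per-user work (all names, passwords and the iteration count are constructed assumptions).

```python
import hashlib
import os

# Constructed sample data: a toy breached user table and a tiny stand-in for the
# huge common-password lists the column describes.
BREACHED_USERS = {"alice": "letmein", "bob": "ThisIsNotOnAnyList-742", "carol": "123456"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Passw0rd!"]
PBKDF2_ITERATIONS = 100_000  # assumed tuning: one login stays fast, a guess does not


def unsalted_hash(password: str) -> str:
    """Weak storage: one fast SHA-256, no salt, so the same password hashes identically everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hardened storage: per-user random salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_table(wordlist):
    """Precompute hash -> password once; this table is reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in wordlist}


def match_unsalted(users, wordlist):
    """Offline matching by dictionary lookup: no login attempts, so no lockout ever fires.
    Returns (cracked users, number of hash computations needed)."""
    table = build_table(wordlist)
    stored = {name: unsalted_hash(pw) for name, pw in users.items()}
    cracked = {name: table[h] for name, h in stored.items() if h in table}
    return cracked, len(wordlist)  # one hash per wordlist entry, however many users leaked


def match_salted(users, wordlist):
    """Same wordlist against salted, slow hashes: the precomputed table is useless and every
    guess must be recomputed per user, each costing PBKDF2_ITERATIONS rounds."""
    stored = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        stored[name] = (salt, salted_hash(pw, salt))
    cracked, work = {}, 0
    for name, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == digest:
                cracked[name] = guess  # common passwords still fall; only the cost changes
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted:", match_unsalted(BREACHED_USERS, COMMON_PASSWORDS))
    print("salted:  ", match_salted(BREACHED_USERS, COMMON_PASSWORDS))
```

Note that the common passwords are recovered in both cases; salting and slow hashing multiply the attacker’s work, but only length and unpredictability keep a password off the list in the first place.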
According to the Privacy Rights Clearinghouse, there have been 895,605,985 records breached from 4,746 data breaches since 2005. Keep in mind, this number only represents the data breaches that have been made public.
Every data breach that exposes user passwords allows the hacking community to keep compiling huge rainbow tables, so even if you have never used a particular password before, if it’s too common, you’re an easy target.
If the general non-hacking public can get its hands on the top 10,000 most commonly used passwords in 30 seconds on Google, how many passwords do you think professional cyber-thieves have compiled?
This is why using the same password for multiple online accounts can easily make you a victim, especially at sites that use your e-mail address as your username.
Complex eight-character passwords are nearly useless in today’s environment. Creating long pass phrases instead is a better way to reduce your chances of being victimized by the powerful hacker guessing game.
For example, “I Hate Passw0rds!” is much more secure than A8y@q7P1 and much easier to remember.
The longer the password, the less likely it is to be broken by the high-speed guessing game, so shoot for at least 15 characters.
You should also assume that your passwords will be compromised by a data breach at some point, so activating two-factor authentication on your accounts will help keep the bad guys out, even if they do get your passwords!