ElI5: How do hackers use brute force attacks like dictionary attacks if I get locked out of my account after 3 failed attempts?
In: Technology
For the second part. Not all websites have a 3 attempt limit. Either it’s more or unlimited. I’ve failed like 10 times and no problem arose. And they would only brute force websites like that. They might also be able to hide the attempts In order to bypass the attempt limit.
They can use proxies to make the entries appear from a completely different system, or sometimes abuse different login methods to that website. For example, awhile back, while Twitter itself DID lock you after multiple failed attempts, you could attempt to login via TweetDeck or Mobile Web Twitter an unlimited amount of times.
Those systems have been put into place to prevent brute force attacks, they aren’t everywhere.
Also, websites frequently store passwords, etc, in an encrypted database. This is supposed to stay private to their servers, but sometimes those databases get stolen. Once the database is stolen, it is just a file — the hackers have a copy on *their* computer, so they don’t put any rate-limits into *their* software, which they use to attack the database. This is where they can really go crazy with the brute-forcing.
They use botnets that distribute the attacks from dozens of source IPs and attack multiple targets simultaneously in attempt to get a successful login.
The bots then attempt random login attempts using different username and password combinations. Hackers know full well that 3-5 attempts will likely lock out an account and that would possibly alert an admin that something is going on, so they program the bots not to try the same user account 3 times in a given period.
Between thousands of different usernames, and thousands of different passwords, against thousands of potential targets, sooner or later they’ll get a successful login.
Also it’s a little known fact that the ‘Administrator’ account in Active Directory can’t be locked out, so they brute force that account non-stop.
Usually they do this either on systems that don’t have such lockouts (to prevent just those kinds of attacks) or they steal an encrypted database and can try those attacks on them at their own leasure.