How can brute forcing passwords still exist if sites lock the account after several failed attempts?

15 Answers

Anonymous 0 Comments

The idea of a lockout only works if you’re trying to brute force the password through some system that you can be locked out of (like a login prompt on a website). In reality, password brute forcing happens when somebody has a copy of the password hash.

This makes a lot more sense if you know what a password hash is and why they’re used. A “hash” in this context is a one-way function that takes an input and outputs a fixed-size output (the output size is always the same, no matter the size of the input). The function being “one way” means that there is no good way to take an output and find out what the input was. The best you can do is try different inputs and see if the output matches. When you set a password on a website the backend database doesn’t (or at least shouldn’t) store your actual password; instead they hash your password and store that, the “password hash.” When you attempt to log in they hash the password that you typed in and then see if it matches the stored password hash. This way they can check if you typed in the right password but they don’t store anybody’s actual password. This means that people with access to the db (developers, administrators, etc.) can’t look at people’s passwords and they can’t accidentally leak passwords. But what they can do is leak the password hashes. The password hashes aren’t useful themselves (i.e. you can’t log in with the hash itself), but what attackers can do is hash a whole bunch of common passwords and see if any of the hashes match. This is what hackers are doing when they’re “brute forcing” the passwords.

This is also why it’s important to not use a common password. When hackers brute force passwords they have to feed potential passwords into the hash function and see if the result matches the password hash, so naturally they start with the most common passwords.
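As an added example (not code from the answer above), the storage and verification flow it describes, in Python: an unsalted fast hash, where one hashed guess list matches every user who picked that password, beside a salted slow derivation that forces the work to be redone per user. The iteration count, sample accounts and guess list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: an illustrative PBKDF2-HMAC-SHA256 work factor, not any particular site's setting.
ITERATIONS = 600_000

def fast_unsalted_hash(password: str) -> str:
    """A bare one-way hash: what a leaked table holds when no salt or work factor was used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What a site should store instead: a random per-user salt plus a slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify(record: dict, attempt: str) -> bool:
    """The login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def users_exposed_by_one_guess_list(leaked: Dict[str, str], guesses: List[str]) -> List[str]:
    """Why an unsalted leak is so cheap to attack: each guess is hashed once and compared
    against every user; a salted table would need a fresh slow derivation per user per guess."""
    by_hash = {fast_unsalted_hash(g): g for g in guesses}
    return sorted(user for user, h in leaked.items() if h in by_hash)

# Constructed sample data: a hypothetical leaked table of three accounts, stored unsalted.
LEAKED_UNSALTED = {
    "alice": fast_unsalted_hash("password123"),
    "bob": fast_unsalted_hash("password123"),
    "carol": fast_unsalted_hash("Xq7!vB2#mL9z"),
}
COMMON_GUESSES = ["123456", "password", "password123", "qwerty"]

if __name__ == "__main__":
    print("accounts matched by the guess list:",
          users_exposed_by_one_guess_list(LEAKED_UNSALTED, COMMON_GUESSES))
    a, b = make_record("password123"), make_record("password123")
    print("same password salted twice, identical hashes?", a["hash"] == b["hash"])
    print("verify right / wrong:", verify(a, "password123"), verify(a, "hunter2"))
```

Note that alice and bob share one unsalted hash, so a single match reveals both; the salted records for the same password differ, so a leak of one tells you nothing about the other.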

Anonymous 0 Comments

Hackers steal the password hashes, then try out all the combinations on their own computer to decrypt it. Then they enter the decrypted password.

How long that will take, 10 minutes, a year or practically forever, depends on your selection of the password.

Anonymous 0 Comments

Hackers don’t brute force passwords by trying to login to the service over and over again. Instead, what they do is brute force password *hashes*. These hashes can be acquired from database dumps of very large sites. Even if those accounts are for a forum and contain no sensitive data, they can still be useful. The hacker will take a giant list of password hashes and then use a program like John The Ripper along with their GPU to crack the passwords, i.e. turn the hashed passwords back into plain text. The hacker will then take those passwords and emails and check other services to see if you’ve reused the same password for other services that do contain sensitive information like bank credentials.

Also, there are attacks that hit login services but that isn’t brute force. It’s what’s called “cred stuffing”. There are lots of Discord forums and dark net sites that traffic in large lists of *already brute-forced or stolen credentials* as well as programs that allow you to use them. The programs will rotate through a giant list of proxies and attempt to login to different services using the list of credentials. The program will then mark the credentials as valid or invalid for each service. If you’ve ever seen people selling super cheap Netflix, OF, Disney Plus, or Spotify accounts, this is how those accounts are acquired.

Anonymous 0 Comments

As someone who deals with these kinds of attacks regularly, there are a few ways around this.

The first thing most hackers do nowadays is to use combination-lists. There are lists on the net with literally billions of username/email/password combinations that got stolen in the past years, for example from the Adobe and LinkedIn hacks. Those passwords were hashed, but a lot of hackers tried to crack those passwords and shared the results. All those results combined form a ‘combination-list’ (both because they contain email/password combinations and because it is a combination of several hacks and cracking done by other hackers).

Those lists usually only have a few passwords per email-address, so even if the account is locked after a few tries, they probably are in already or have moved on to the next combination.

Those hackers also hide their tracks quite well and use “residential proxies” very often, which means those tries do not come from a single address, but from thousands of addresses; I’ve seen up to 60k different addresses in a single attack. So if you block an address after 5 tries for an hour they can still try up to 7.2 million combinations in a day.

Brute-forcing a single account with random passwords is rarely done nowadays.

But what I see the most nowadays is hacked Google accounts; when they get access to your Google account they get access to the passwords stored by Chrome there, and if those are used the hit-rate (number of successful logins vs failures) is enormous.
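As an added example (not code from any answer in this thread), the detection logic a site could run over its own login log to catch the two patterns this answer describes: one account probed from thousands of proxy addresses, which a per-IP lockout never sees, and combination lists that try only a few passwords per account, which a per-account lockout never sees either. The log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
# Constructed log format (hypothetical, not any real product's): "<ts> OK|FAIL user=<u> ip=<a>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

PER_IP_LIMIT = 5           # the "block an address after 5 tries" rule from the answer
PER_ACCOUNT_LIMIT = 5      # assumption: failures across all sources before one account is flagged
MIN_DISTINCT_IPS = 3       # assumption: distinct sources needed to call a pattern distributed
MIN_ACCOUNTS = 5           # assumption: distinct low-volume accounts that make a stuffing campaign
MAX_TRIES_PER_ACCOUNT = 3  # stuffing lists hold "only a few passwords per email-address"

def parse(lines: List[str]) -> List[Dict[str, str]]:
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]

def failures(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if e["result"] == "FAIL"]

def ips_locked_by_per_ip_rule(events) -> Set[str]:
    """The defence from the answer: it only ever sees one address at a time."""
    per_ip = defaultdict(int)
    for e in failures(events):
        per_ip[e["ip"]] += 1
    return {ip for ip, n in per_ip.items() if n >= PER_IP_LIMIT}

def accounts_hit_from_many_sources(events) -> Dict[str, int]:
    """Per-account view: total failures and distinct sources, whichever IP sent them."""
    count, sources = defaultdict(int), defaultdict(set)
    for e in failures(events):
        count[e["user"]] += 1
        sources[e["user"]].add(e["ip"])
    return {u: n for u, n in count.items()
            if n >= PER_ACCOUNT_LIMIT and len(sources[u]) >= MIN_DISTINCT_IPS}

def stuffing_campaign(events) -> Tuple[bool, int, int]:
    """Many accounts, a few tries each, many sources: neither limit above fires, so look at
    the shape of the whole window instead. Returns (flagged, low-volume accounts, distinct IPs)."""
    tries, ips = defaultdict(int), set()
    for e in failures(events):
        tries[e["user"]] += 1
        ips.add(e["ip"])
    low_volume = [u for u, n in tries.items() if n <= MAX_TRIES_PER_ACCOUNT]
    return (len(low_volume) >= MIN_ACCOUNTS and len(ips) >= MIN_DISTINCT_IPS, len(low_volume), len(ips))

# Constructed sample: one normal login, "alice" probed once each from six proxies, and eight
# accounts tried twice each from sixteen addresses (RFC 5737 documentation ranges).
SAMPLE_LOG = ["2024-05-01T10:00:00Z OK user=dave ip=192.0.2.10"]
SAMPLE_LOG += [f"2024-05-01T10:00:{i:02d}Z FAIL user=alice ip=203.0.113.{i}" for i in range(1, 7)]
SAMPLE_LOG += [f"2024-05-01T10:01:{i:02d}Z FAIL user=user{i // 2} ip=198.51.100.{i}" for i in range(16)]
```

On the sample log the per-IP rule locks nothing, the per-account view flags alice, and only the campaign view notices the eight accounts tried twice each from 22 addresses.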

Anonymous 0 Comments

They don’t brute force on the site itself; instead they do it on hashed passwords that are leaked in data breaches. Basically whenever you hear in the news that so-and-so website had user data leaked, it means that encrypted versions of the passwords have been leaked. These are traded on the so-called dark web and those who have the encrypted passwords will try different combinations of characters until they find the actual passwords. That’s brute forcing basically.

Anonymous 0 Comments

You want to know someone’s password. They have it written down in a book in their house, but that book is encoded in some format that only the person knows. Trying to brute force the password online would be like going up to the person’s house and knocking on the door and asking them if their password is A. They say no and close the door, so you knock again and ask if it’s B. They say no again, and when you knock this time they just lock the door and don’t answer it anymore. So instead when it gets dark you break into their house and steal the password book. It’s still encoded, but it’s a lot easier for you to try and work on the scrambling this way.

Anonymous 0 Comments

A security expert explained to me the basic math. 1 million accounts, 3 passwords, and presto.

Anonymous 0 Comments

In addition to what has already been answered here regarding brute force attacks directly on the database, for example, it should be noted that the solution itself is a problem.

Enabling brute force protection is great for stopping a hacker who is attempting multiple passwords on a given account, but the downside is that the legitimate account owner will also end up being blocked.

If generic scripts regularly bombard your sites to detect accounts with weak passwords, resulting in frequent blocking of your users, you cannot keep this protection in place.

Anonymous 0 Comments

We can copy the system we’re trying to crack so that we can make as many attempts as we want regardless of lockout. For example, if I have your iPhone, with about an hour of “surgery” I can read the memory and onboard storage directly, and then it becomes trivial to clone your phone into a computer system that can create 10000 copies and brute force while reloading each phone that gets locked out.

Rule 0 is physical security. If I have physical access to your raw data, be it a copy of your hard drives, or your phone in my hand, you’re already screwed. No amount of security can stop me if I have the full data and system.

People like the FBI and CIA who have the budget to clone a criminal’s devices to 100k+ instances in a data center can just let it run for a week and decrypt. And yes, we can also spoof authentication servers and other checks your device might make to see if it’s “legit”. We can brain-in-a-jar your devices and they have no way of knowing.