I keep seeing tables of how easy it is to brute force a password depending on length and complexity, but how does the brute force attack get past the account lockout feature?
Every system I’ve ever maintained has an account lockout after a few attempts.

Brute force password hacks are usually piggybacking off of a database hack. Somehow, the database of password hashes got leaked, and is now available to run on another machine. That other machine has no account lock timers on it, so you can try as many passwords as you want. Either that, or there is some vulnerability that prevents the locks from happening, like the one on iPhone 5 and earlier.

It can’t. If the system enforces a limit on the number of attempts per X time period, then a brute force attack cannot be used.

Usually, brute force attacks are used in cases where you are able to obtain the encrypted/hashed database of passwords. Then you are not interfacing with the system, you have direct access to the database which bypasses the lockout feature.

People generally don’t try to get into your account directly. What will happen is that there’s a leak of user data and hashed (sort of like encrypted) passwords, and bad actors will then take this list of passwords, and try to brute force the list, and only once they’ve actually discovered a password in the list would they then take that password to log in to your account.

Unless your password is something really common like “password1”, or just your username, or something very easily guessable like that, you’re generally safe from someone just sitting down and logging into your account casually.

So for any good website with even the faintest concept of security, your password is not stored. When you ask to reset your password, the reason why they can’t just send you your password is because they don’t know it. (Incidentally, if they DO send you your password, that means they clearly don’t care about security.) When you enter your password, it’s run through a complicated algorithm to encrypt it which, in theory, should be uncrackable without knowing the exact way it was encrypted.

Brute force attacks basically occur when they’ve gotten a list of encrypted passwords from a website (which happens more often than the companies would like you to think). They can then use their own computer to brute force this stuff until they start to produce things which feasibly look like passwords. Once they have those, they can try them, and boom, they’re in.

This, incidentally, is why you should have unique passwords for every site. Data breaches happen a lot, and if they’ve found one email and password combo which works on Facebook, they’re gonna try it on other sites too.

Pure brute force attacks aren't really a thing anymore, mostly because of time and said systems.

Instead you have a variation of it: by acquiring the database of the target you can attempt to brute force the passwords listed there. This bypasses lockout features because you are not interacting with the login system directly anymore.

Instead of trying every single character combination, you limit your search to every single known word, aka a dictionary attack.
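As an added example (not code from any poster in this thread), the Python below models the two paths the answers describe: a login endpoint that locks the account after five failures inside a time window, so most guesses are never evaluated, versus the per-guess cost of a salted PBKDF2 hash, which is the only thing slowing a guesser down once the hash itself has leaked. The `Account` class, the PBKDF2 iteration count and the candidate passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # work factor applied to every guess, online or offline

def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, slow hash: the only thing that limits guess rate once the hash leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class Account:
    """Online login path (constructed): lockout after MAX_FAILURES failures within WINDOW seconds."""
    MAX_FAILURES = 5
    WINDOW = 900

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failures: list = []  # timestamps of recent failed attempts

    def login(self, password: str, now: float) -> str:
        self.failures = [t for t in self.failures if now - t < self.WINDOW]
        if len(self.failures) >= self.MAX_FAILURES:
            return "locked"  # guess is rejected without even being hashed
        if hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        return "denied"

def guesses_evaluated_online(account: Account, candidates: list, now: float = 0.0) -> int:
    """Push a candidate list through the login form; returns how many were actually checked."""
    outcomes = [account.login(c, now) for c in candidates]
    return sum(1 for o in outcomes if o != "locked")

def offline_cost_ratio(iterations: int = PBKDF2_ITERATIONS) -> float:
    """Cost of one PBKDF2 guess relative to one bare SHA-256 guess (no lockout applies to either)."""
    salt = b"constructed-salt"
    n = 1000
    t0 = time.perf_counter()
    for _ in range(n):
        hashlib.sha256(b"candidate" + salt).digest()
    fast = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    hash_password("candidate", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast
```

Feeding twenty constructed guesses to `guesses_evaluated_online` shows that only the first five are ever hashed before the lockout bites, while `offline_cost_ratio` shows that with a leaked hash the work factor of the hash, not any lockout counter, is what sets the guess rate.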