I keep seeing tables of how easy it is to brute force a password depending on length and complexity, but how does the brute force attack get past the account lockout feature?

657 views

Every system I’ve ever maintained has an account lockout after a few attempts.

In: 2

18 Answers

Anonymous 0 Comments

Not every system has an account lockout, and not every attacker is coming through the front door.

Sometimes the attacker has stolen a database full of hashed passwords. Since that means they now have a “backdoor” and can access the data without using the main service (the front door), they can write a tool to make attempts at finding a match for the password data in the database *without* a lockout or the relative slowness of accessing the internet.

This is also dangerous because once they steal that database the data never goes away, so even if it takes them months to crack some of the passwords, they might have nothing better to do than let their tool attack it until it finds something.

You are viewing 1 out of 18 answers, click here to view all answers.