Why are complex passwords needed if you are locked out after three tries?

17 Answers

Anonymous 0 Comments

Sometimes the hacker is not trying all passwords on only your account, but some passwords on all accounts.
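
The pattern this answer describes is usually called password spraying: a few common passwords, one or two per account, across every account, so no single account ever reaches the lockout threshold. The script below is an added illustration and not part of the original thread. It runs the two counters a defender cares about over a constructed set of log lines in an assumed "timestamp user src_ip result" format (no real product's log format, no real addresses): the per-account failure count that a lockout sees, and the per-source count of distinct accounts that a lockout does not see.

```python
"""Distinguishing password spraying from per-account brute force.

Added example (not from the original thread). The log lines below are
constructed for illustration; the format "timestamp user src_ip result"
is an assumption, not any particular product's log format.
"""
from collections import defaultdict

# Constructed sample log: one source hammers a single account (and trips a
# per-account lockout); another makes one guess per account and stays under it.
SAMPLE_LOG = """\
2024-01-01T10:00:01 alice 203.0.113.5 FAIL
2024-01-01T10:00:02 alice 203.0.113.5 FAIL
2024-01-01T10:00:03 alice 203.0.113.5 FAIL
2024-01-01T10:00:04 alice 203.0.113.5 FAIL
2024-01-01T10:01:00 bob 198.51.100.7 FAIL
2024-01-01T10:01:01 carol 198.51.100.7 FAIL
2024-01-01T10:01:02 dave 198.51.100.7 FAIL
2024-01-01T10:01:03 erin 198.51.100.7 FAIL
2024-01-01T10:01:04 frank 198.51.100.7 SUCCESS
2024-01-01T10:02:00 bob 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, result = line.split()
        events.append((ts, user, src, result))
    return events


def accounts_locked(events, threshold=3):
    """Accounts whose failed-login count reaches the lockout threshold.
    This per-account view is all a lockout policy ever looks at."""
    fails = defaultdict(int)
    for _, user, _, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}


def spraying_sources(events, min_accounts=3):
    """Source IPs that failed against many distinct accounts: the spraying
    signature, invisible to a per-account counter."""
    targets = defaultdict(set)
    for _, user, src, result in events:
        if result == "FAIL":
            targets[src].add(user)
    return {src: users for src, users in targets.items() if len(users) >= min_accounts}


def sprayed_successes(events, sprayers):
    """Successful logins from a flagged spraying source: the hit to act on."""
    return [(user, src) for _, user, src, result in events
            if result == "SUCCESS" and src in sprayers]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked out:", accounts_locked(ev))
    sprayers = spraying_sources(ev)
    print("spraying sources:", {s: sorted(u) for s, u in sprayers.items()})
    print("successes from sprayers:", sprayed_successes(ev, sprayers))
```

On the sample data the lockout fires only for alice, while the source that guessed once against four other accounts is never locked out and gets a successful login on the fifth; the per-source count is what surfaces that.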

Anonymous 0 Comments

Sometimes a hacker might leak a server’s entire database, or at least its users table. If the server is coded correctly, then the passwords in this table are not stored in plaintext. Instead they are hashed.

A hash function is something that turns your password into something else, but it’s one way – if you know something’s hash value, then there is no way to figure out what the original was, except for trying to guess what it was, running it through the hash function and checking if the values match.

If the database was leaked then the hacker has your password’s hash value, and they need to figure out the password. They can just try brute forcing, guessing every combination of characters they can. If your password isn’t complex enough, then they might be able to guess it quickly.

Anonymous 0 Comments

TLDR: Hackers are actively stealing password databases to use in attacks. The simpler your password, the more likely it is to end up in the common databases.

The simplest way to guess passwords is to use a Brute Force Attack: you write a program that tries every single combination A, B, C, … , AA, AB, … etc.

Lockouts slow down those types of attacks so much as to make them impractical.

Hackers today don’t use Brute Force attacks anymore because they aren’t efficient and too many defenses are in place. Instead they tend to rely on what are called Rainbow Tables.

A Rainbow Table is a pre-generated list of commonly used passwords. That narrows down the list from Billions of combinations down to just a few million.

They also use automated systems to perform the attacks, so-called botnets. That allows the attacker to try thousands of username and password combinations a minute against multiple systems simultaneously, and from different source IPs. When you attack thousands of systems simultaneously and use random combinations of known usernames + Rainbow Table passwords, sooner or later you’ll get a successful hit; it’s only a matter of time.

The catch with the Rainbow Tables is that they are generated by reverse engineering password databases stolen from big websites like Yahoo, and LinkedIn.

Passwords are stored on websites using one-way encryption called hashing. You can’t ‘decrypt’ a hash, you have to brute force it. You have to run combinations of possible passwords through the hashing algorithm and compare the output to the database to see if you get a successful hit. When you do, you add that password to the Rainbow Table.

Hackers use Video card GPUs to Brute Force thousands of possible passwords against the hashing algorithm a second. This works when you have the database on your desktop, but it’s impractical to use such a technique against a website.

Basically the simpler your password, the more likely it will end up on a Rainbow Table. Even though hackers have had databases from Yahoo and LinkedIn for years now they still haven’t come close to trying every possible combination, so a lot of the most complex passwords in that database haven’t been cracked yet.

Meanwhile things like ‘password’ and ‘12345’ were cracked in the first 10 seconds.
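
The two preceding answers describe the same offline scenario: a dumped table of hashes, a list of common passwords tried first, then exhaustive search at whatever rate the attacker's hardware allows, with no lockout anywhere in the loop. The script below is an added illustration, not code from this thread or from any site named in it. The "leaked" users table, the usernames, the wordlist and the guess rate handed to seconds_to_exhaust() are all constructed or assumed here. It also shows the server-side caveat the answers only hint at: a slow, per-user-salted password hash (PBKDF2 here) makes each guess expensive and prevents one lookup table from covering every user at once.

```python
"""Offline cracking of a leaked users table, and why the hash choice matters.

Added example, not code from the original thread. The 'leaked' table, the
wordlist and the usernames are constructed here; the guess rate passed to
seconds_to_exhaust() is an assumed parameter, not a measured figure.
"""
import hashlib
import hmac
import itertools

LOWER = "abcdefghijklmnopqrstuvwxyz"

# Constructed stand-in for a list of commonly used passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "12345", "monkey"]


def fast_hash(pw: str) -> str:
    """Unsalted SHA-1: cheap per guess, so a dump of these is cheap to attack."""
    return hashlib.sha1(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes, rounds: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt. Each guess costs `rounds`
    HMAC computations and must be repeated per user because of the salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def build_leak(users: dict) -> dict:
    """Simulate a dumped users table that stored unsalted fast hashes."""
    return {user: fast_hash(pw) for user, pw in users.items()}


def dictionary_attack(leaked: dict, wordlist) -> dict:
    """Hash each candidate once and look it up against every user's hash.
    No lockout applies: the attacker is working on their own copy."""
    by_hash = {h: user for user, h in leaked.items()}  # unsalted, so one table serves all users
    cracked = {}
    for cand in wordlist:
        user = by_hash.get(fast_hash(cand))
        if user is not None:
            cracked[user] = cand
    return cracked


def brute_force(target: str, alphabet: str, max_len: int):
    """Exhaustive search in length order. Returns (password or None, guesses made)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(chars)
            if hmac.compare_digest(fast_hash(cand), target):
                return cand, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time at an assumed offline guess rate. Online, behind a
    lockout, the rate is a handful of guesses per hour instead."""
    return keyspace(alphabet_size, length) / guesses_per_sec


if __name__ == "__main__":
    users = {"alice": "password", "bob": "correct horse battery staple", "carol": "12345"}
    leaked = build_leak(users)
    print("dictionary hits:", dictionary_attack(leaked, WORDLIST))
    print("brute force of 'abc':", brute_force(fast_hash("abc"), LOWER, 4))
    # Same password, different salts: no shared lookup table across users.
    print("salted hashes differ:", slow_hash("password", b"salt-alice") != slow_hash("password", b"salt-carol"))
    # Assumed 1e9 guesses/s for illustration: 8 lowercase letters vs 8 from 95 printable characters.
    print(seconds_to_exhaust(26, 8, 1e9), "s vs", seconds_to_exhaust(95, 8, 1e9), "s")
```

The dictionary pass finds the two weak passwords with seven hash computations; the passphrase is not in the list and falls to exhaustive search, whose cost grows with the keyspace returned by keyspace(). Switching the stored hash from fast_hash() to slow_hash() does not change the keyspace, but it multiplies the cost of every guess by the round count and forces the attacker to redo the work per user.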

Anonymous 0 Comments

Here’s something else to consider:

You’re only locked out if you’re trying your password on the live application, but there’s no concept of being “locked out” if someone manages to dump a copy of the database where your password resides.

If an attacker manages to do that, they can try as many times as they want, as fast as they want, to crack your password, and it’s under this circumstance that a cryptographically complex password will help save you.

Anonymous 0 Comments

Passwords don’t need to be complex, just longer, for effectiveness. I personally use patterns on a keyboard because that’s how my brain works, but you can use sentences like Thats1sexymama or something and it’s every bit as secure as qwry78957rty11.

Anonymous 0 Comments

It’s a way to prevent people from using the same dumb password (like “password1”) everywhere they go.

Anonymous 0 Comments

Every little thing helps.

* Having the account lock for an hour after so many attempts.
* Using long passwords.
* Using complex passwords.
* Changing your password every so often.
* Using a different (unique) password for every account you use.

None of these things will perfectly protect your account from all attacks, but each one will dramatically increase the difficulty of attacking your account, and will thus decrease the chances of your stuff getting hacked. So it’s best to do all of them.

Anonymous 0 Comments

Because IT people have scammed the rest of us into thinking we are the weak link in the security chain, when it is actually **their** failure to keep hackers from stealing massive password repositories and hacking them at their leisure, which is the real problem.

Anonymous 0 Comments

It’s the same concept as why cars don’t just have seatbelts. There are also safety design features like crumple zones on the frame, front air bags, side air bags, etc. More safety is always a good thing.

Anonymous 0 Comments

It isn’t to protect against brute-forcing the login flow, it is to protect against someone stealing the password file and brute-forcing it offline.