Have you been locked out of an account due to entering the wrong password too many times? That was rhetorical; unless your password is “password” (and it better not be) everyone has managed to lock themselves out. Even someone using “password” can manage it if they don’t realize Caps Lock is on. But here’s the real question – why don’t hackers get locked out when attempting to get into their victim’s accounts?
If you’ve been watching USA’s new serious Mr. Robot you might be under the belief that, like Elliott, hackers research you and then using a well thought out plan they try passwords that include information about your birth date, family, pets, sports teams, nicknames, address/phone numbers, etc until they find the magic combination to your password. That scenario doesn’t hold water when you look at the facts of an account lockout – it doesn’t matter if it’s you or a hacker if the lockout says 5 tries and you’re locked out, that’s what’s going to happen. Even the few variables listed above amount to thousands of options.
So how do hackers do it?
One way is to get your system infected with spyware that steals your usernames and passwords and send them back to the hacker. Typically the person stealing the passwords will not be the person using them, although in Orange County California in 2008 a student used spyware to steal administration usernames and passwords in order to change his grades. More often the person stealing them plans on selling your usernames and passwords to others for use later. In this case the hacker is dependent on people to get infected with their spyware hence the number of usernames and passwords they acquire can be hit or miss, less passwords equates to a smaller payday. To assure themselves of a larger number of passwords to sell they employ the next method.
The second mothed is what is called an offline attack. You have an online account, your account information along with thousands of others is stored on that company’s server; that company is taking proper security measures and all the stored account information is encrypted. Along comes a hacker who steals that encrypted file. Once the hacker has the encrypted file he begins using a variety of tools against the encryption. This process has absolutely nothing to do with a trial and error process of figuring out your password. The hacker patiently waits as his tools work away on those passwords until they are revealed. The longer it takes for the original company to discover the breach, then the theft of the file, followed by the disclosure to their users, the longer the file has value. From there the hacker will work to sell his ill-gotten information and move on to the next breach.
So there it is in a nutshell and once again TV and movies have steered you wrong when it comes to the real life of a hacker. But how fun would it be if they showed the reality of a hacker who starts his computer working against the encrypted file then walks away for a while – not exactly must see TV.