
Column: How hackers bypass login lockout

Q: If I get locked out of my account when I type three wrong passwords, how are hackers able to use guessing to break in?

A: Hackers and security experts are in a constant chess match that never ends. Each move by one party causes the other party to take a new approach.

A couple of commonly used approaches by hackers to break passwords are often referred to as dictionary and/or brute force attacks.

They’re essentially computer programs that can generate millions, if not hundreds of millions, of guesses per second.

The notion that hackers sit at a computer using the same login screens we all use to try to access our accounts is the first myth we need to correct.

Oftentimes, they are using an “offline” attack, combined with automation and breached data, to break passwords on specific sites.

Since the attack is offline, meaning they have already acquired enough cryptographic information (typically the stolen, scrambled form of the passwords) to attempt to break them, they aren’t subject to the password lockout protection.

It gets a bit complicated, but they can just set their computers to compare the specially encoded information against known passwords in what are called “rainbow tables,” which allow them to find matches.

The lack of understanding of how hackers actually “hack” passwords, and the false sense of security caused by account lockout mechanisms, lead to complacency among many users.

According to the , 895,605,985 records have been breached from 4,746 data breaches since 2005. Keep in mind, those are only the data breaches that have been made public.

Every data breach that exposes user passwords allows the hacking community to continue to compile huge rainbow tables, so even if you haven’t used a password before, if it’s too common, you’re an easy target.

If the general non-hacking public can get its hands on the top 10,000 most commonly used passwords in 30 seconds on Google, how many passwords do you think professional cyberthieves have compiled?

This is why using the same password for multiple online accounts can easily make you a victim, especially at sites that use your email address as your username.

Complex eight-character passwords are nearly useless in today鈥檚 environment; creating long pass-phrases instead is a better way to reduce your chances of being victimized by powerful hackers.

For example, “I Hate Passw0rds!” is much more secure than A8y@q7P1 and much easier to remember.

The longer the password, the less likely it can be broken via the high-speed guessing game, so shoot for at least 15 characters.
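An added example (not from the column) of what the site's side of this looks like: the "specially encoded information" stolen in a breach is a password hash, and a precomputed rainbow table only works when every site hashes the same password to the same value. The code below contrasts that weak, unsalted fast hash with a per-user salted, slow hash, and includes a check for the 15-character passphrase advice above; the iteration count and length limit are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor; a real deployment tunes this to its own hardware.
ITERATIONS = 600_000
MIN_PASSPHRASE_LENGTH = 15  # the column's "at least 15 characters" advice


def unsalted_fast_hash(password: str) -> str:
    """The weak pattern: one plain SHA-256 per password, no salt.
    Identical passwords produce identical hashes at every site that does this,
    so one precomputed table of password->hash pairs covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The corrected pattern: a random 16-byte salt per user plus an iterated
    hash (PBKDF2-HMAC-SHA256). The salt makes precomputed tables useless, since
    an attacker would need a fresh table per salt; the iterations make each
    offline guess far more expensive than a single SHA-256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_different_hashes(password: str) -> bool:
    """Two users who pick the same password still get different stored
    digests once salting is in place; with the unsalted hash they would not."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


def passphrase_meets_policy(password: str) -> bool:
    """Length is what defeats high-speed guessing, so the policy keys on it."""
    return len(password) >= MIN_PASSPHRASE_LENGTH
```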

You should also assume that your passwords will be compromised by a data breach at some point, so activating  on your accounts will help keep the bad guys out, even if they do get your passwords!

Editor’s note: Ken Colburn is founder and CEO of .
