Solved

Why can hackers put in infinite id/password combinations

Posted on 2014-10-17
10
243 Views
Last Modified: 2014-10-17
Here's something I've wondered about for a while.  If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot.  How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
0
Comment
Question by:alanlsilverman
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 300 total points
ID: 40386298
They can't.
Hackers usually try to get their hands on hashed passwords (do you know what that is?) and then take those and brute force them.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40386303
Also they would use botnet for bruteforcing passwords, so if the webmail locks out subnet you are at home they will try other zombie sources.
Hashed passwords sure leaves less trails
0
 

Author Comment

by:alanlsilverman
ID: 40386317
I know about hashing (I have a degree in computer science).  Basically you're saying that hackers can get access to another level of the software, a different door than the average user.  I've been asked this by my customers in reference to the iCloud hacking of various movie stars.  My assumption was that they just didn't have adequately complex passwords.  I make sure that my clients do.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40386327
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes unless there are severe holes not being patched.
The Icloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
0
 

Author Comment

by:alanlsilverman
ID: 40386333
Thanks,
Al
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386383
for icloud, they found an interface that allowed infinite retries (that happens more often than you would expect)

for other site-based brute force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password, and try every account combination with that password. they then try another password, and after 'n' passwords have been tried and they get a locked notification, try another site for a while. usually locked passwords unlock after a certain length of time (and/or they have just done a very effective denial of service attack against that provider :)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40386409
Al, don't close questions too soon. There might come in more interesting information :)
0
 

Author Comment

by:alanlsilverman
ID: 40386428
Dave, thanks for the info.  McKnife, thank you also.  If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
0
 

Author Comment

by:alanlsilverman
ID: 40386432
Addendum to Dave's comment:  So in some ways iCloud was responsible.  I actually took a course on the ins and outs of Internet protocols and security.  That was decades ago, when I was at IBM.  It just seems that there should be some ways to close many of the holes to hackers.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386490
Closing the question only matters if we were only doing this for the points - myself and McKnife usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)

email is often the worst offender for infinite retries; often imap servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely if ever have a password lockout.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now