Solved

Why can hackers put in infinite id/password combinations

Posted on 2014-10-17
10
246 Views
Last Modified: 2014-10-17
Here's something I've wondered about for a while.  If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot.  How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
0
Comment
Question by:alanlsilverman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 300 total points
ID: 40386298
They can't.
Hackers usually try to get their hands on hashed passwords (do you know what that is?) and then take those and brute force them.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40386303
Also they would use botnet for bruteforcing passwords, so if the webmail locks out subnet you are at home they will try other zombie sources.
Hashed passwords sure leaves less trails
0
 

Author Comment

by:alanlsilverman
ID: 40386317
I know about hashing (I have a degree in computer science).  Basically you're saying that hackers can get access to another level of the software, a different door than the average user.  I've been asked this by my customers in reference to the iCloud hacking of various movie stars.  My assumption was that they just didn't have adequately complex passwords.  I make sure that my clients do.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 54

Expert Comment

by:McKnife
ID: 40386327
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes unless there are severe holes not being patched.
The Icloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
0
 

Author Comment

by:alanlsilverman
ID: 40386333
Thanks,
Al
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386383
for icloud, they found an interface that allowed infinite retries (that happens more often than you would expect)

for other site-based brute force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password, and try every account combination with that password. they then try another password, and after 'n' passwords have been tried and they get a locked notification, try another site for a while. usually locked passwords unlock after a certain length of time (and/or they have just done a very effective denial of service attack against that provider :)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40386409
Al, don't close questions too soon. There might come in more interesting information :)
0
 

Author Comment

by:alanlsilverman
ID: 40386428
Dave, thanks for the info.  McKnife, thank you also.  If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
0
 

Author Comment

by:alanlsilverman
ID: 40386432
Addendum to Dave's comment:  So in some ways iCloud was responsible.  I actually took a course on the ins and outs of Internet protocols and security.  That was decades ago, when I was at IBM.  It just seems that there should be some ways to close many of the holes to hackers.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386490
Closing the question only matters if we were only doing this for the points - myself and McKnife usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)

email is often the worst offender for infinite retries; often imap servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely if ever have a password lockout.
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Robocopy Script As Scheduled Task Without Admin Permissions 4 55
harden EXCH2013 7 57
Personal Secured Home Networking 2 48
Rogue RDP Connections 5 60
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question