Solved

Why can hackers put in infinite id/password combinations

Posted on 2014-10-17
Last Modified: 2014-10-17
Here's something I've wondered about for a while.  If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot.  How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
Question by:alanlsilverman
10 Comments
 
LVL 54

Accepted Solution

by: McKnife
McKnife earned 300 total points
ID: 40386298
They can't.
Hackers usually try to get their hands on hashed passwords (do you know what that is?) and then take those and brute force them.
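What "take the hashes and brute force them" looks like in practice, as an added example (not code from this thread or from any of the posters): a constructed leak of three user records and a small wordlist, cracked entirely offline. The hash shapes are real ones you meet in breach dumps (unsalted MD5 and SHA-1, and salted PBKDF2-HMAC-SHA256 as the contrast); the usernames, passwords, salt and iteration count are made up for the demo. The point is that every guess is a local hash computation, so no lockout policy ever sees it.

```python
"""Offline cracking of leaked password hashes.

Added example, not code from the original thread. The "leak" and the wordlist
are constructed for the demo, but the hash shapes are real: unsalted MD5 and
SHA-1 as seen in many breach dumps, and salted PBKDF2-HMAC-SHA256 as the
contrast. Nothing here talks to a login server, so no lockout applies.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor assumed for the salted record

# Constructed leak: user -> (algorithm, hex digest, salt or None)
LEAK: Dict[str, Tuple[str, str, Optional[bytes]]] = {
    "alice": ("md5", hashlib.md5(b"letmein").hexdigest(), None),
    "bob": ("sha1", hashlib.sha1(b"Password1").hexdigest(), None),
    "carol": ("pbkdf2_sha256",
              hashlib.pbkdf2_hmac("sha256", b"Password1", b"n4cl", ITERATIONS).hex(),
              b"n4cl"),
}

WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "Password1", "iloveyou"]


def hash_guess(algo: str, guess: str, salt: Optional[bytes]) -> str:
    """Hash one candidate the same way the leaked record was hashed."""
    data = guess.encode()
    if algo == "md5":
        return hashlib.md5(data).hexdigest()
    if algo == "sha1":
        return hashlib.sha1(data).hexdigest()
    if algo == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", data, salt or b"", ITERATIONS).hex()
    raise ValueError(f"unsupported algorithm: {algo}")


def crack(leak, wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Return ({user: recovered password or None}, number of hash computations).

    Unsalted records are attacked with one precomputed table per algorithm:
    each word is hashed once and every user with that algorithm is looked up
    in it, so the cost does not grow with the number of victims. Salted
    records force a fresh hash per (user, word) pair, which is what a salt
    is for.
    """
    work = 0
    found: Dict[str, Optional[str]] = {u: None for u in leak}

    unsalted_algos = {algo for algo, _, salt in leak.values() if salt is None}
    table: Dict[Tuple[str, str], str] = {}
    for algo in sorted(unsalted_algos):
        for word in wordlist:
            table[(algo, hash_guess(algo, word, None))] = word
            work += 1

    for user, (algo, digest, salt) in leak.items():
        if salt is None:
            found[user] = table.get((algo, digest))
            continue
        for word in wordlist:
            work += 1
            if hash_guess(algo, word, salt) == digest:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    results, work = crack(LEAK, WORDLIST)
    for user, pw in results.items():
        print(f"{user}: {pw!r}")
    print(f"{work} hash computations, zero requests to the login server")
```

Run it as a script and it recovers all three passwords in 17 hash computations. The interesting number is not 17 but what it would be with a real wordlist: for the unsalted records the table is built once for millions of users, while the PBKDF2 record costs 100,000 SHA-256 rounds per guess per user, which is the whole reason to salt and stretch.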
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40386303
Also, they would use a botnet for brute-forcing passwords, so if the webmail locks out the subnet you are at home on, they will try other zombie sources.
Hashed passwords sure leave fewer trails.
 

Author Comment

by:alanlsilverman
ID: 40386317
I know about hashing (I have a degree in computer science).  Basically you're saying that hackers can get access to another level of the software, a different door than the average user.  I've been asked this by my customers in reference to the iCloud hacking of various movie stars.  My assumption was that they just didn't have adequately complex passwords.  I make sure that my clients do.
 
LVL 54

Expert Comment

by:McKnife
ID: 40386327
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes unless there are severe holes not being patched.
The iCloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
 

Author Comment

by:alanlsilverman
ID: 40386333
Thanks,
Al
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386383
For iCloud, they found an interface that allowed infinite retries (that happens more often than you would expect).

For other site-based brute force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password, and try every account combination with that password. They then try another password, and after 'n' passwords have been tried and they get a locked notification, try another site for a while. Usually locked passwords unlock after a certain length of time (and/or they have just done a very effective denial of service attack against that provider :)
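To make the per-account-versus-per-IP point concrete, here is an added example (not code from this thread or from any of the posters) that models the lockout policy just described on a simulated clock and runs both attacker strategies against it. Accounts, passwords and the policy numbers (5 failures in 15 minutes locks for 15 minutes) are made up; the comparison is what matters: hammering one account trips the lock after five tries and locks the real user out, while spraying one password across every account and pausing before any counter reaches the threshold never produces a single LOCKED response.

```python
"""Per-account lockout versus password spraying.

Added example, not code from the original thread. It models a policy where
failures are counted per account, not per source IP, with made-up accounts,
passwords and policy numbers, and runs the two attacker strategies against
it on a simulated clock.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    password: str
    failure_times: List[float] = field(default_factory=list)
    locked_until: float = 0.0


class LoginService:
    """THRESHOLD failures within WINDOW seconds locks the account for LOCKOUT
    seconds. The client IP is never looked at, as on many real sites."""

    def __init__(self, accounts: Dict[str, str], threshold: int = 5,
                 window: float = 900.0, lockout: float = 900.0):
        self.accounts = {u: Account(p) for u, p in accounts.items()}
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.now = 0.0  # simulated clock, seconds

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def login(self, user: str, password: str) -> str:
        """Return "OK", "FAIL" or "LOCKED" (also on the attempt that trips the lock)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "FAIL"  # same answer as a wrong password: no username enumeration
        if self.now < acct.locked_until:
            return "LOCKED"
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failure_times.clear()
            return "OK"
        # keep only failures inside the observation window, then add this one
        acct.failure_times = [t for t in acct.failure_times if self.now - t < self.window]
        acct.failure_times.append(self.now)
        if len(acct.failure_times) >= self.threshold:
            acct.locked_until = self.now + self.lockout
            acct.failure_times.clear()
            return "LOCKED"
        return "FAIL"


def vertical_bruteforce(svc: LoginService, user: str,
                        candidates: List[str]) -> Tuple[Optional[str], int]:
    """Many passwords against one account: trips the per-account lock.
    Returns (password found or None, attempts made)."""
    for n, pw in enumerate(candidates, 1):
        r = svc.login(user, pw)
        if r == "OK":
            return pw, n
        if r == "LOCKED":
            return None, n
    return None, len(candidates)


def password_spray(svc: LoginService, users: List[str],
                   candidates: List[str]) -> Tuple[Dict[str, str], int, bool]:
    """One password against every account, pausing for the observation window
    before any account could reach the threshold. Returns (cracked accounts,
    attempts made, whether a LOCKED response was ever seen)."""
    cracked: Dict[str, str] = {}
    attempts, locked_seen = 0, False
    batch = svc.threshold - 1  # stay one failure below the lock per account
    for i, pw in enumerate(candidates):
        if i and i % batch == 0:
            svc.tick(svc.window)  # let every account's counter age out
        for user in users:
            if user in cracked:
                continue
            attempts += 1
            r = svc.login(user, pw)
            if r == "OK":
                cracked[user] = pw
            elif r == "LOCKED":
                locked_seen = True
    return cracked, attempts, locked_seen


# Constructed data for the demo.
ACCOUNTS = {"alice": "Summer2014", "bob": "Password1", "carol": "correcthorse"}
CANDIDATES = ["Password1", "Summer2014", "Welcome1", "qwerty", "letmein", "123456"]

if __name__ == "__main__":
    svc = LoginService(ACCOUNTS)
    print("vertical on carol:", vertical_bruteforce(svc, "carol", CANDIDATES))
    print("carol with her real password now:", svc.login("carol", "correcthorse"))
    svc = LoginService(ACCOUNTS)
    print("spray across all accounts:", password_spray(svc, list(ACCOUNTS), CANDIDATES))
```

The vertical run stops after five attempts with the account locked, and the owner's correct password is then refused too, which is the denial-of-service side effect mentioned above. The spray recovers two of the three accounts in nine attempts without tripping anything, because no account ever sees more than four failures inside one window. The defence this points at is counting on more than one axis (per source, per password value, global failure rate), not a lower per-account threshold.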
 
LVL 54

Expert Comment

by:McKnife
ID: 40386409
Al, don't close questions too soon. There might come in more interesting information :)
 

Author Comment

by:alanlsilverman
ID: 40386428
Dave, thanks for the info.  McKnife, thank you also.  If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
 

Author Comment

by:alanlsilverman
ID: 40386432
Addendum to Dave's comment:  So in some ways iCloud was responsible.  I actually took a course on the ins and outs of Internet protocols and security.  That was decades ago, when I was at IBM.  It just seems that there should be some ways to close many of the holes to hackers.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386490
Closing the question only matters if we were only doing this for the points - myself and McKnife usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)

Email is often the worst offender for infinite retries; often IMAP servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely if ever have a password lockout.
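The "many LOGIN lines down one session" weakness, as an added example (not code from this thread or from any of the posters): a toy server loop that understands only tagged IMAP LOGIN commands, answers in IMAP's tagged OK/NO/BAD format, and either keeps answering NO forever (the lax behaviour described above) or drops the connection with an untagged BYE after a fixed number of failures. It is not a real IMAP implementation, does not handle AUTHENTICATE or literal syntax, and the credential table and wordlist are constructed.

```python
"""IMAP LOGIN retries within a single session.

Added example, not code from the original thread. A toy server loop, not a
real IMAP implementation: it understands only tagged LOGIN with plain or
quoted arguments, answers in IMAP's response format, and optionally
disconnects after a fixed number of failures. Credentials and the wordlist
are constructed for the demo.
"""
import hmac
import re
from typing import List, Optional, Tuple

CREDS = {"al": "hunter2"}  # constructed

# tag LOGIN user password, arguments with or without surrounding quotes
_LOGIN = re.compile(
    r'^(?P<tag>\S+)\s+LOGIN\s+"?(?P<user>[^"\s]+)"?\s+"?(?P<pw>[^"\s]+)"?$', re.I)


def serve_session(lines: List[str], max_failures: Optional[int]) -> Tuple[List[str], bool]:
    """Run one client session over the given command lines.

    max_failures=None is the lax server: it answers NO to every bad LOGIN and
    never closes the connection. With a number, the server sends "* BYE" and
    ends the session once that many LOGINs have failed.
    Returns (server responses, whether the client authenticated).
    """
    out = ["* OK IMAP4rev1 ready"]
    failures = 0
    for raw in lines:
        line = raw.strip()
        m = _LOGIN.match(line)
        if m is None:
            tag = line.split(maxsplit=1)[0] if line else "*"
            out.append(f"{tag} BAD command not supported in this demo")
            continue
        tag, user, pw = m.group("tag", "user", "pw")
        # constant-time compare; unknown user compares against an empty secret
        if hmac.compare_digest(CREDS.get(user, "").encode(), pw.encode()):
            out.append(f"{tag} OK LOGIN completed")
            return out, True
        failures += 1
        out.append(f"{tag} NO LOGIN failed")
        if max_failures is not None and failures >= max_failures:
            out.append("* BYE too many failed LOGIN attempts")
            break
    return out, False


def brute_force_session(user: str, wordlist: List[str],
                        max_failures: Optional[int]) -> Tuple[List[str], bool]:
    """Attacker side: pour the whole wordlist down one connection, one tagged
    LOGIN per candidate, and see how far the server lets it go."""
    script = [f'a{i:03d} LOGIN "{user}" "{pw}"' for i, pw in enumerate(wordlist, 1)]
    return serve_session(script, max_failures)


WORDLIST = ["123456", "password", "letmein", "qwerty",
            "abc123", "monkey", "dragon", "hunter2"]  # constructed

if __name__ == "__main__":
    for limit in (None, 3):
        responses, ok = brute_force_session("al", WORDLIST, limit)
        print(f"max_failures={limit}: authenticated={ok}")
        print("\n".join(responses))
```

Against the lax server the eighth LOGIN succeeds in the same TCP session as the seven failures before it. With a per-session cap of three the session ends with "* BYE" after the third NO, which forces the attacker to reconnect for every few guesses, where connection-rate limiting and per-source blocking can see them; it does nothing about the per-account problem, which is why real servers pair it with the kind of lockout discussed earlier in the thread.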
