Solved

Why can hackers put in infinite id/password combinations

Posted on 2014-10-17
10
248 Views
Last Modified: 2014-10-17
Here's something I've wondered about for a while.  If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot.  How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
0
Comment
Question by:alanlsilverman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 300 total points
ID: 40386298
They can't.
Hackers usually try to get their hands on hashed passwords (do you know what that is?) and then take those and brute force them.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40386303
Also they would use botnet for bruteforcing passwords, so if the webmail locks out subnet you are at home they will try other zombie sources.
Hashed passwords sure leaves less trails
0
 

Author Comment

by:alanlsilverman
ID: 40386317
I know about hashing (I have a degree in computer science).  Basically you're saying that hackers can get access to another level of the software, a different door than the average user.  I've been asked this by my customers in reference to the iCloud hacking of various movie stars.  My assumption was that they just didn't have adequately complex passwords.  I make sure that my clients do.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 55

Expert Comment

by:McKnife
ID: 40386327
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes unless there are severe holes not being patched.
The Icloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
0
 

Author Comment

by:alanlsilverman
ID: 40386333
Thanks,
Al
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386383
for icloud, they found an interface that allowed infinite retries (that happens more often than you would expect)

for other site-based brute force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password, and try every account combination with that password. they then try another password, and after 'n' passwords have been tried and they get a locked notification, try another site for a while. usually locked passwords unlock after a certain length of time (and/or they have just done a very effective denial of service attack against that provider :)
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40386409
Al, don't close questions too soon. There might come in more interesting information :)
0
 

Author Comment

by:alanlsilverman
ID: 40386428
Dave, thanks for the info.  McKnife, thank you also.  If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
0
 

Author Comment

by:alanlsilverman
ID: 40386432
Addendum to Dave's comment:  So in some ways iCloud was responsible.  I actually took a course on the ins and outs of Internet protocols and security.  That was decades ago, when I was at IBM.  It just seems that there should be some ways to close many of the holes to hackers.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386490
Closing the question only matters if we were only doing this for the points - myself and McKnife usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)

email is often the worst offender for infinite retries; often imap servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely if ever have a password lockout.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question