Alan Silverman asked:
Why can hackers put in infinite id/password combinations
Here's something I've wondered about for a while. If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot. How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes, unless there are severe holes not being patched.
The iCloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
ASKER
Thanks,
Al
For iCloud, they found an interface that allowed infinite retries (that happens more often than you would expect).
For other site-based brute-force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password and try every account with that password. They then try another password, and after 'n' passwords have been tried and they get a locked notification, they try another site for a while. Usually locked accounts unlock after a certain length of time (and/or they have just done a very effective denial-of-service attack against that provider :)
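The "one password, every account" pattern Dave describes is what defenders usually call password spraying, and it is built to stay under a per-account lockout threshold. The detector below is an added example written for this thread, not code from any of the posters or from iCloud; the log format, the thresholds and the sample lines (RFC 5737 documentation addresses) are all constructed. It shows the gap directly: the per-account lockout rule never fires on the spray, while grouping failures by source and counting distinct accounts flags it.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the thread). One source fails once against
# each of six accounts; a second source is just a user mistyping twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth=fail user=alice src=203.0.113.7
2024-05-01T10:00:02Z auth=fail user=bob src=203.0.113.7
2024-05-01T10:00:03Z auth=fail user=carol src=203.0.113.7
2024-05-01T10:00:04Z auth=fail user=dave src=203.0.113.7
2024-05-01T10:00:05Z auth=fail user=erin src=203.0.113.7
2024-05-01T10:00:06Z auth=fail user=frank src=203.0.113.7
2024-05-01T10:00:07Z auth=ok user=alice src=198.51.100.20
2024-05-01T10:00:08Z auth=fail user=bob src=198.51.100.21
2024-05-01T10:00:09Z auth=fail user=bob src=198.51.100.21
2024-05-01T10:00:10Z auth=ok user=bob src=198.51.100.21
"""

# Assumed line layout: "<timestamp> auth=<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_account_lockouts(events, lockout_threshold=5):
    """The usual control: accounts whose failure count reached the lockout threshold."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= lockout_threshold)


def detect_spraying(events, min_accounts=5, lockout_threshold=5):
    """Group failures by source IP and flag sources that touch many accounts while
    staying below the per-account lockout threshold on every one of them."""
    by_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]][e["user"]] += 1
    findings = {}
    for src, users in by_src.items():
        worst = max(users.values())
        if len(users) >= min_accounts and worst < lockout_threshold:
            findings[src] = {"accounts": len(users), "max_per_account": worst}
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked accounts:", per_account_lockouts(evs))   # [] - the spray stays under the limit
    print("spraying sources:", detect_spraying(evs))       # {'203.0.113.7': {...}}
```

The second source (198.51.100.21) fails twice against one account and then succeeds, so it is neither locked nor flagged; the point of the per-source view is that it separates that ordinary noise from a single client walking the user list.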
Al, don't close questions too soon. There might come in more interesting information :)
ASKER
Dave, thanks for the info. McKnife, thank you also. If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
ASKER
Addendum to Dave's comment: So in some ways iCloud was responsible. I actually took a course on the ins and outs of Internet protocols and security. That was decades ago, when I was at IBM. It just seems that there should be some ways to close many of the holes to hackers.
Closing the question only matters if we were only doing this for the points - McKnife and I usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)
Email is often the worst offender for infinite retries; often IMAP servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely, if ever, have a password lockout.
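Dave's IMAP observation is a policy gap rather than a protocol bug: a server that only counts failures per account will happily accept an unbounded number of LOGIN commands in one session, as long as no single account crosses the threshold. The simulation below is an added example written for this thread, not code from any mail server or from the posters; the policy names, the numbers and the account list are constructed. It models a login gate with three independent controls (per-account lockout, per-session failure cap, per-source throttle) and runs the same spray against a loose policy and two hardened ones.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    """Constructed policy knobs; None means the control is switched off."""
    account_lockout_after: int = 5          # failures on one account before it locks
    account_lockout_seconds: int = 900
    session_max_failures: Optional[int] = None      # None = unlimited, the IMAP default Dave describes
    source_max_failures_per_window: Optional[int] = None
    source_window_seconds: int = 600


class LoginGate:
    """Minimal model of a mail server's authentication gate (hypothetical, not a real server)."""

    def __init__(self, policy, valid_credentials, now=0):
        self.policy = policy
        self.valid = valid_credentials      # constructed user -> password map
        self.now = now                      # injected clock so the run is deterministic
        self.account_fails = {}
        self.locked_until = {}
        self.session_fails = {}
        self.source_fails = {}              # src -> timestamps of recent failures

    def attempt(self, session_id, src, user, password):
        p = self.policy
        if self.locked_until.get(user, -1) > self.now:
            return "locked"
        if p.session_max_failures is not None and \
                self.session_fails.get(session_id, 0) >= p.session_max_failures:
            return "disconnected"           # server would drop the connection here
        if p.source_max_failures_per_window is not None:
            recent = [t for t in self.source_fails.get(src, [])
                      if t > self.now - p.source_window_seconds]
            if len(recent) >= p.source_max_failures_per_window:
                return "throttled"
        if self.valid.get(user) == password:
            self.account_fails[user] = 0
            return "ok"
        # Record the failure against all three counters.
        self.account_fails[user] = self.account_fails.get(user, 0) + 1
        if self.account_fails[user] >= p.account_lockout_after:
            self.locked_until[user] = self.now + p.account_lockout_seconds
            self.account_fails[user] = 0
        self.session_fails[session_id] = self.session_fails.get(session_id, 0) + 1
        self.source_fails.setdefault(src, []).append(self.now)
        return "fail"


def simulate_spray(policy, accounts=20, guesses=3):
    """One session, one source, `guesses` wrong passwords tried against every account.
    Returns how the gate answered each attempt."""
    users = {f"user{i}": "correct-password" for i in range(accounts)}  # constructed
    gate = LoginGate(policy, users)
    outcomes = Counter()
    for j in range(guesses):
        for u in users:
            outcomes[gate.attempt("sess-1", "203.0.113.7", u, f"wrong{j}")] += 1
            gate.now += 1                   # one attempt per second
    return dict(outcomes)


if __name__ == "__main__":
    loose = Policy()                                       # per-account lockout only
    per_session = Policy(session_max_failures=3)
    per_source = Policy(source_max_failures_per_window=10)
    print("loose:      ", simulate_spray(loose))           # {'fail': 60}
    print("per-session:", simulate_spray(per_session))     # {'fail': 3, 'disconnected': 57}
    print("per-source: ", simulate_spray(per_source))      # {'fail': 10, 'throttled': 50}
```

Under the loose policy every one of the 60 attempts is answered with a plain failure and no account ever locks, because each account only sees three guesses against a threshold of five. Either of the other two controls cuts the session short after a handful of failures, which is the check a practitioner should look for in their own mail server's configuration.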