Solved

Why can hackers put in infinite id/password combinations

Posted on 2014-10-17
10
240 Views
Last Modified: 2014-10-17
Here's something I've wondered about for a while.  If I try to log into my email a certain number of times with the wrong password I'm locked out, at least until the next reboot.  How come hackers can keep on trying different combinations without likewise being stopped?
Thanks,
Al
0
Comment
Question by:alanlsilverman
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 300 total points
ID: 40386298
They can't.
Hackers usually try to get their hands on hashed passwords (do you know what that is?) and then take those and brute force them.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40386303
Also they would use botnet for bruteforcing passwords, so if the webmail locks out subnet you are at home they will try other zombie sources.
Hashed passwords sure leaves less trails
0
 

Author Comment

by:alanlsilverman
ID: 40386317
I know about hashing (I have a degree in computer science).  Basically you're saying that hackers can get access to another level of the software, a different door than the average user.  I've been asked this by my customers in reference to the iCloud hacking of various movie stars.  My assumption was that they just didn't have adequately complex passwords.  I make sure that my clients do.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40386327
Different doors - sometimes. It's hardly possible without having a logon to the server that holds the hashes unless there are severe holes not being patched.
The Icloud thing - who knows. Normally password guessing is useless. Maybe they infected the celebrities' computers first.
0
 

Author Comment

by:alanlsilverman
ID: 40386333
Thanks,
Al
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386383
for icloud, they found an interface that allowed infinite retries (that happens more often than you would expect)

for other site-based brute force attempts, usually the attempts are limited based on tries per account, rather than per source IP - so the attackers pick one password, and try every account combination with that password. they then try another password, and after 'n' passwords have been tried and they get a locked notification, try another site for a while. usually locked passwords unlock after a certain length of time (and/or they have just done a very effective denial of service attack against that provider :)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40386409
Al, don't close questions too soon. There might come in more interesting information :)
0
 

Author Comment

by:alanlsilverman
ID: 40386428
Dave, thanks for the info.  McKnife, thank you also.  If you can reopen the question please do and I'll leave it open a few days. If not, I'll remember in the future.
Thanks,
Al
0
 

Author Comment

by:alanlsilverman
ID: 40386432
Addendum to Dave's comment:  So in some ways iCloud was responsible.  I actually took a course on the ins and outs of Internet protocols and security.  That was decades ago, when I was at IBM.  It just seems that there should be some ways to close many of the holes to hackers.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40386490
Closing the question only matters if we were only doing this for the points - myself and McKnife usually have enough points in the first few days of the month to keep our free access, and after that it's just for fun or a way to keep score :)

email is often the worst offender for infinite retries; often imap servers don't even have a session limit (so you can keep submitting xxx LOGIN (or possibly xxx AUTHENTICATE) lines in a single, unencrypted session) and very rarely if ever have a password lockout.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now