How hackers get past password attempt limits, and what you can do to safeguard your computer


There are ways to protect your home computer against ‘brute force’ and ‘dictionary’ attacks. — Dreamstime/TNS

Q: Many password-protected websites give you a few chances to type in your password correctly, then lock you out if you type the wrong thing. You then must type in a code or answer a “secret question” to prove who you are.

So why do I see TV shows in which smart criminals use a computer to test, say, 10,000 passwords a minute until they get the right one to break into a website? Why aren’t the criminals locked out after a few wrong passwords? – Jerry Roventini, Lakeland, Florida

A: The TV shows are less far-fetched than you might think.

The scenario you’re describing is called a “brute force” attack: a computer tries a long list of possible passwords, one after another, until it hits the right one. Estimates such as the one at tinyurl.com/4r2debx3 put the time to crack an eight-character password built from letters (upper and lower case), numbers and special characters at about two hours, but that figure assumes the attacker has stolen a copy of the site’s stored password hashes and is testing guesses on their own hardware, where no lockout applies. Guessing against a live website at the rate the TV show suggests, 10,000 passwords a minute, would take more than a million years to work through the same eight-character space.

How do attackers avoid being locked out? Rarely by switching off the server’s “intrusion detection system” or its automatic “password attempt limit” (which normally locks an account after a few wrong tries). The usual routes go around the limit instead: cracking stolen password hashes offline, where there is no limit at all; “password spraying”, which tries one or two common passwords against thousands of accounts so that no single account ever reaches its attempt limit; “credential stuffing”, which replays passwords leaked from other sites and so needs only one guess per account; and spreading guesses across many internet addresses when a site counts attempts per address rather than per account.

Trying every possible combination takes the longest, so the more common threat is a “dictionary attack”. The “dictionary” is a list of passwords people are known to use, drawn from earlier breaches, that a computer can work through in far less than two hours. These attacks succeed when people use simple passwords, such as “password” and “123456”, which sit at the top of every such list and are found in fractions of a second.
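To make the difference concrete, here is an added example (it is not code from the column) in Python. It simulates a login endpoint that locks an account after five wrong guesses and runs three constructed attacks against it: the TV-style attack on one account, which the lockout stops; a password spray, which stays under the limit on every account and still recovers the weak passwords; and offline cracking of a stolen hash table, which never touches the login at all. The accounts, the password list and the hash-rate figures are all constructed for the demonstration.

```python
"""Why an online attempt limit stops one kind of guessing and not others.

Added example, not code from the column. The user database, the password list
and the login server below are all constructed for the demonstration.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    # Salted SHA-256 keeps the example dependency-free; a real site should use
    # a deliberately slow hash such as argon2 or bcrypt to make offline cracking
    # expensive.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample accounts: three weak passwords, two strong ones.
USERS = {}
for _name, _pw in [("alice", "123456"), ("bob", "Tr0ub4dor&3"),
                   ("carol", "iloveyou"), ("dave", "correct-horse-battery-staple"),
                   ("erin", "password")]:
    _salt = os.urandom(16)
    USERS[_name] = (_salt, _hash(_pw, _salt))

# Constructed "dictionary" of passwords people actually use.
COMMON_PASSWORDS = ["123456", "password", "iloveyou", "abc123", "111111", "qwerty"]


class LoginServer:
    """A login endpoint that locks an account after MAX_FAILS wrong guesses."""
    MAX_FAILS = 5

    def __init__(self):
        self.failures = defaultdict(int)  # wrong guesses, counted per account
        self.locked = set()

    def login(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"
        salt, digest = USERS.get(user, (b"", b""))
        if user in USERS and hmac.compare_digest(_hash(password, salt), digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1  # unknown users are counted the same way
        if self.failures[user] >= self.MAX_FAILS:
            self.locked.add(user)
        return "fail"


def online_dictionary_attack(server, user, wordlist):
    """The TV scene: hammer one account with guesses. The lockout wins."""
    for guess in wordlist:
        result = server.login(user, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


def password_spray(server, users, wordlist):
    """A few common passwords against MANY accounts. Each account sees fewer
    failures than MAX_FAILS, so the per-account lockout never fires."""
    cracked = {}
    for guess in wordlist[:LoginServer.MAX_FAILS - 1]:
        for user in users:
            if server.login(user, guess) == "ok":
                cracked[user] = guess
    return cracked


def offline_crack(stolen_db, wordlist):
    """An attacker holding a stolen copy of the hash table never logs in at all,
    so no attempt limit applies; only the cost of the hash slows them down."""
    cracked = {}
    for user, (salt, digest) in stolen_db.items():
        for guess in wordlist:
            if hmac.compare_digest(_hash(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Time to try every password of the given length at a given guess rate."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    s = LoginServer()
    print("online attack on bob:", online_dictionary_attack(s, "bob", COMMON_PASSWORDS),
          "locked:", s.locked)
    s = LoginServer()
    print("spray:", password_spray(s, list(USERS), COMMON_PASSWORDS), "locked:", s.locked)
    print("offline:", offline_crack(USERS, COMMON_PASSWORDS))
    years = seconds_to_exhaust(95, 8, 10_000 / 60) / (3600 * 24 * 365)
    print(f"all 8-char passwords at 10,000/min online: {years:,.0f} years")
    hours = seconds_to_exhaust(95, 8, 1e12) / 3600
    print(f"same space offline at 1e12 hashes/s: {hours:.1f} hours")
```

The two rate figures at the end show where the “two hours” in such tables comes from: 95 possible characters to the eighth power is about 6.6 quadrillion guesses, which is hours of work for an offline cracking rig but more than a million years at any rate a website would accept. The spray and the offline run both recover the same three weak passwords without ever triggering the lockout, which is why the lockout alone is not a defence against a weak password.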

While it’s hard to believe that people still use such vulnerable passwords, here’s an interesting fact: the investigation into the supply-chain attack on Texas IT company SolarWinds, a federal contractor (the intrusion began in 2019 and was discovered in late 2020), brought to light that the password “solarwinds123” had been used on a company server. A Congressional hearing criticised the use of such a simple password, but the company said the password was not the vehicle of the attack.

And, based on information from other data breaches, here’s a list of the most common passwords of 2020, how often each turned up in breached data and how little time each takes to crack (see tinyurl.com/zu2ekpdt). The list includes “abc123”, “111111” and “iloveyou”.

The best defense against brute force and dictionary attacks is a long password, a string of letters, numbers and symbols or a passphrase of several unrelated words, that would be meaningless to anyone but you. These so-called “non-predictable passwords” are far more difficult to hack. Use a different one for every site, so that a password leaked from one breach cannot be replayed against your other accounts (a password manager makes this practical), and turn on two-factor authentication wherever a site offers it, so that a guessed password on its own does not get an attacker in.

Q: I keep getting a Windows 10 message that’s supposed to be from Microsoft – but I wonder if it’s a scam. It reads: “We need to fix your Microsoft account (most likely your password changed). Select here to fix it in shared experiences settings”. Are you familiar with this? – Pierre Girard, Golden Valley, Minnesota

A: It’s a legitimate Microsoft warning, but it’s being triggered by a Windows 10 error. The genuine message appears as a Windows notification, and its “Select here” link opens the Settings app at the “shared experiences” page; a message with the same wording that arrives by email, or that opens a web page asking for your password, is not this warning. Several fixes have been suggested:

Disable your PC’s “share across devices” feature, which makes it easy to exchange data with other computers and phones. (See the “settings app” method at tinyurl.com/3dknadj3.)

If you are logging into Windows 10 with your online Microsoft account password, switch to a “local” account that doesn’t depend on your online identity (see tinyurl.com/act82bu4).

Make sure your PC is a “trusted device” that’s listed in your Microsoft account (see tinyurl.com/sykz6wzk). – Star Tribune/Tribune News Service
