I’ve definitely found myself saying it as I sweat over trying to remember what my stupid password is on some seldom-used site I need info from:

“If even I can’t figure out how to log in to my account, how could any hacker have a chance?”

How can hackers try thousands of passwords when trying to hack something, but my account gets locked after 5 tries when I do it?
byu/supergolum inNoStupidQuestions

Well hold on, because we’re about to get technical with the help of Reddit.

1. Hashing it out.

Usually sites don’t store your password directly, they store a hash of your password. The hash is a number which is derived from your password using an algorithm.

When you log in, it’s very easy to convert your password to a hash and check it matches. But it’s very, very difficult to figure out what the password was from a hash. Generating a hash is a one-way operation.

So if someone hacks into a website they might be able to get those password hashes. That by itself isn’t enough to break into your account because they still need a password, the hash alone isn’t enough.

But what it does mean is they can keep hashing lots and lots of passwords to try to find one which generates a matching hash. They don’t need to actually enter passwords into the site to do that, they can run the hashing algorithm themselves. So it gets around any limitations like account locking.

– Psyk60

2. There are many ways.

Yeah there are tons of ways [to hack in].

Many sites only block you from trying multiple passwords on 1 account let’s say 5 times. But they don’t block you from trying 1 password on multiple accounts at all. So people can gather a very large list of login names (such as emails or just account names) and then try 5 commonly used passwords on that very large list of login names.

– GreenBlueEyedDog

3. Trade up.

Another easy way is to first target fan sites/forums/message boards. For example (and I’m just making this all up), there are tons stock trading forums. Almost every forum software has public exploits which can allow someone to gain access to the database which will then give access to emails and passwords.

You can then theoretically take those lists of emails and passwords and make a program to try them on common trading platforms such as Robinhood, etrade, or anything. People tend to use their same email and password pretty much everywhere, and when you’re working with that large of a dataset you’re bound to get hits.

And again, most websites don’t have any block protection for trying different login names so it’s fast and easy to do this.

– GreenBlueEyedDog

4. Proxy magic.

Another option is to use proxies. It can be quite a bit slower but there are places you can purchase large amounts of IP addresses and ports that a password cracker can connect to which allows the login attempt to be made through that IP.

With a list of 2000 IPs, you can theoretically make over 100k login attempts in an hour, or running 24/7 2.4 million attempts in a day.

– GreenBlueEyedDog

5. Outdated methods?

So the approach you’re describing essentially involves some code that just tries a metric f*ckton of possible passwords in the hope that the correct password is guessed eventually through brute force. This approach used to be quite effective but nowadays most major websites and organisations have limits on how often you can fill in a password for this exact reason.

Some older websites will not have the limit and I believe others have a system where you can only try a password once every few seconds because the code that the hackers use to brute force their way in usually tries thousands of combinations a second.

– diatomicsoda

6. Thieves in the night.

They steal the data they need to break in (like your hashed password, what the site stores), and work on it remotely, where there is no 5-try limit.

– bazmonkey

7. Weaker websites.

They try to break passwords on weaker websites or on leaked hashes and then escalate the attack to other websites hoping you use the same password (way too many people do).

Use a password manager and random passwords everywhere.

– akulowaty

8. Gone phishing.

Phishing: Often hackers don’t even both guessing- they’ll create fake web pages or inject scripts into website that will just send your password directly to them.

This is why you should be very hesitant when clicking on links you don’t trust.

– AudreyIsDumb

9. It’s not about you.

The trick is they don’t want a particular account. If they tried brute forcing YOUR account. They’d be blocked like you.

So you have version one of this which is called password spraying. This usually goes along with having a bunch of usernames available to them. So they brute force attack the password, but they run every iteration across all accounts they have a username for. This spreads things out and avoids triggering action for a lot of places because often it is tries in a short time period, not an absolute number of consecutive wrong attempts.

If the system has an absolute number of failed consecutive attempts set up for lock out, they will trigger lock out of your account.

Version two of brute forcing requires them to have the encrypted password file. In this case, they get all the tries in the world until the heat death of the universe. If they manage to match it, they then go to the UI and log in. No failed attempts to lock you out.

Alternatively, you did something stupid like reuse passwords and username. You set up a log in over on some low quality web site like a cheap phpbb forum for fans of rainbow colored lemurs. They compromise that, have your password for that site and an email address, and then hit up everything interesting like banks, credit card sites, gmail, etc with that pair. It works or it doesn’t and the hit and run attempt isn’t likely to trigger a block.

– raz-0

10. What’s the hardware?

Depends on the hardware/OS platform that handles the log in. Back when I was a sysadmin, the best security software in the industry ran on IBM mainframes. If you ever hit a three strikes and you’re out situation, a mainframe was handling your login.

If it were a UNIX box or god-forbid a Windows server, have at it. Nothing was counting.

Most websites use SQL to handle anything typed into a field, and that could connect to anything. But most servers on the Net are either UNIX or Windows machines.

That tells you most you need to know.

– newsjunkie102

11. Social engineering.

The Brute Force method isn’t used nearly as much anymore. The new trick is to is what is called Social Engineering to get people to divulge their passwords or other info. “hacking” is not a real thing. Nowadays security breaches happen because of human failings.

If I wanted to “hack” someones accounts I wouldn’t set up a complex algorithm, I’d set up a complex lie.

– NRG_Factor

12. PSA!

PSA: As long as we’re talking about hacking passwords, I’d like to discuss the importance of 2-factor authentication.

Even if a hacker finds your password, a properly implemented 2FA methodology will still prevent them from accessing your account.

Username / password alone is not safe.

– Beauregard_Jones

13. Close calls.

My computer at work has 3 wrong times and then you are locked out resulting in a lengthy phone call to the help centre in India to unlock it.

The other day i mistakenly entered the old password twice without thinking, realising what i had just done meant i have never entered the third try so carefully as that time as i had a conference call scheduled in a few minutes time with my boss.

– moondog1967

14. Of course!

Because they’re hackers, duh

– thesleepingtigress

15. That’s good hash.

I like salt and a little pepper on my hash browns

– benmarvin

So the important takeaways here seem to be:
• Don’t repeat your passwords on different sites
• Use a password manager to help make this easier
• Turn on two-factor authentication wherever you can
• If strangers on the internet start asking you weirdly personal questions…don’t answer them.

What are some other password best practices?

Drop ’em in the comments.