Ask Leo! #673 – How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?

This Week

Most systems will block you after a few bad password attempts. We'll look at how how hackers bypass that restriction. We'll also pull together the series of articles published over the last few months in a top-to-bottom backup for Windows 10, using only its built in tools.

What I'm Reading

The Shallows: What the Internet Is Doing to Our Brains

The Shallows: What the Internet Is Doing to Our Brains is a fascinating look at how our technology is actually changing the way we think. It's neither good nor bad, just different. And it's nothing new -- almost every major technological change over the past few hundred years has had comparable impact. I'm finding it a compelling read.

How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?


I understand that my password, especially if it's not very strong, can likely be figured out by a computer driven program using trial and error. For example, all permutations, combinations of numbers, letters and special characters. What I don't understand is this – wouldn't a hacker, be it a person or a machine, have to actually try each and every one of these computer derived guesses on the sign-in screen of the website that they are trying to access to see if they get lucky? My experience tells me that after just a few failed attempts at entering a password, the website will not allow any more tries. So how in the heck are they able to try out all of the thousands of possible passwords that he comes up with?

What you've described is called a “brute force attack”, and you're quite right; it's a rare system that allows such an attack to proceed past the first few errors.

However, hackers have other options.

Simple brute force

As you said, this type of attack involves the hacker trying to log in using your user ID with every possible password in turn.

Most good systems note that the same person has tried to log in unsuccessfully too many times and lock the account, either for a few minutes or an extended period of time. A brute force attack is most often attempted using a computer, so locking the account for just a few minutes makes even the fastest automated attack impractical.

But to be honest, even when systems are operating at full speed, the log-in process is usually slow enough on its own to make this type of brute force attempt impractical anyway.

Not surprisingly, it's not what hackers do. If they're going to attack by simply logging in, they'll stack the deck instead.

Targeted brute force

You've probably seen those reports that come out every year revealing the top 100 most popular passwords. We use it as an example of how awful these popular passwords really are.

Don't use them.

But those lists are just the top 100. Hackers can and do “stack the deck” by taking the top 1,000 or 10,000 or 100,000 passwords and trying them in order of popularity. Given how many people use bad passwords, it's worth the hackers' time to try them, even if there are periodic delays.

Just the top 1,000 passwords tried against a large number of accounts will probably get them access to a surprisingly and depressingly large number of accounts.

But there's a very practical and reasonable way for hackers to try every possible password. They do it by stealing user account databases.

How passwords are stored

We need to focus on an important definition before we proceed.

I've talked and written before about how most services store your password. They create what's called a hash of the password.

Think of a hash as a kind of a one-way encryption that can't be undone. You can create a hash from a password, but you can't get the password from the hash. And it's statistically impossible1 for two passwords to generate the same hash.

When you set your password, the service creates the hash associated with it and stores the hash, not your actual password.

When you log in, the service again creates the hash of whatever you typed in as your password. It compares this hash with the hash it created when you set your password. If those two hashes match, then you must have typed in the same password this time as you did when you created the password in the first place.

In other words, if the hashes match, you typed in the right password, and the system allows you to log on.

Databases of passwords

Now that we've seen how passwords are stored, we can look at how hackers leverage that approach to their advantage.

You've probably heard about various data breaches at large companies. A hacker gets in and gains access to things they're not supposed to.

One of the goals of most of these breaches is to get a copy of the user account database. That's the list of user IDs and password hashes. Once they have a copy of that database, they can go to work.

Later, on their own computers, and at extremely high speed, they literally try every possible password. With each attempt, they create the hash; then they see if it's in the database they just stole. If it is, they now know the password for the user account that had that hash; it's the password that created the hash like they just did.

This is where password length and complexity come into play.

It's currently feasible to try all possible eight-character passwords in a short amount of time. That's why most industry experts now say 12 characters is the new minimum length of a password. The amount of time required to try them all increases exponentially each time you add a character to the length. It's just not practical for hackers to try all possible 12-character passwords today. It would take years, even with the best equipment.

So, yes, there are absolutely scenarios where hackers can and do try all possible passwords. They just don't do it by trying to log in with each one. Using those stolen user account databases, they work offline to figure out your password's hash. When they later arrive at the log-in screen, they know exactly what to type in, and only need one try to get into your account successfully.

It all comes down to good passwords

The lesson here, of course, is to choose long, complex passwords. The longer the better, in fact. I now use passwords with 20 random characters whenever I can. I let LastPass create and remember them for me.

Yes, it's possible that even those can be compromised by malware such as keyloggers, which is why I also advise adding two-factor authentication to your important accounts. With two-factor authentication enabled, even knowing the password isn't enough to get in.

Related Links & Comments: How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?

Become a Patron - Get The Ask Leo! Tip of the Day

An Eight-step Back-up Plan Using Windows 10's Built-In Tools

I'm sure you're aware by now that I'm a huge fan of backing up.

Microsoft Windows includes several tools that, used together, can provide a suitable backup strategy to protect you from most of the things that can go wrong.

Let's review what it means to use those tools together properly and get you backed up. We'll also review the impact of Microsoft's decision to phase out one of those tools.

Continue Reading: An Eight-step Back-up Plan Using Windows 10's Built-In Tools

The Ask Leo! Tip of the Day

A feature exclusively available to Ask Leo! Patrons Bronze level & above.

More Ask Leo!

Become a Patron
Books - Business - Glossary
Facebook - YouTube - More..

Leo's Other Projects....

HeroicStories Since 1999, HeroicStories brings diverse, international voices to the world ' reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.

Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it. - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.

Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at for their own FREE subscription!

Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC

Posted: October 10, 2017 in: 2017
« Previous post:
Next post: »

New Here?

Let me suggest my collection of best and most important articles to get you started.

Of course I strongly recommend you search the site -- there's a ton of information just waiting for you.

Finally, if you just can't find what you're looking for, ask me!

Confident Computing

Confident Computing is the weekly newsletter from Ask Leo!. Each week I give you tools, tips, tricks, answers, and solutions to help you navigate today’s complex world of technology and do so in a way that protects your privacy, your time, and your money, and even help you better connect with the people around you.

The Ask Leo! Guide to Staying Safe on the Internet – FREE Edition

Subscribe for FREE today and claim your copy of The Ask Leo! Guide to Staying Safe on the Internet – FREE Edition. Culled from the articles published on Ask Leo! this FREE downloadable PDF will help you identify the most important steps you can take to keep your computer, and yourself, safe as you navigate today’s digital landscape.

My Privacy Pledge

Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.