What you’ve described is called a “brute force attack”, and you’re quite right; it’s a rare system that allows such an attack to proceed past the first few errors.
However, hackers have other options.
Simple brute force
As you said, this type of attack involves the hacker trying to log in using your user ID with every possible password in turn.
Most good systems notice when the same account has had too many failed log-in attempts in a row and lock it, either for a few minutes or for an extended period of time. A brute force attack is almost always run by a program, so even a short lockout after a handful of failures throttles the fastest automated attack down to a crawl and makes exhaustive guessing impractical. (The trade-off is that a hard lockout can be turned against legitimate users, since anyone who knows your user ID can lock you out of your own account, which is why many services use progressively longer delays or a CAPTCHA instead.)
But to be honest, even when systems are operating at full speed, the log-in process is usually slow enough on its own to make this type of brute force attempt impractical anyway.
Not surprisingly, it’s not what hackers do. If they’re going to attack by simply logging in, they’ll stack the deck instead.
Targeted brute force
You’ve probably seen those reports that come out every year revealing the 100 most popular passwords. They’re a good illustration of how awful these popular passwords really are.
Don’t use them.
But those lists are just the top 100. Hackers can and do “stack the deck” by taking the top 1,000 or 10,000 or 100,000 passwords and trying them in order of popularity. Given how many people use bad passwords, it’s worth the hackers’ time to try them, even if there are periodic delays.
Just the top 1,000 passwords tried against a large number of accounts will probably get them into a surprisingly and depressingly large number of them. This is sometimes called password spraying: a handful of guesses per account, spread across many accounts, which also keeps every account below the lockout threshold described above.
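Here’s an added example (my own Python, not code from the original article) that simulates both attacks against a server that locks an account after five consecutive failures. The accounts, the password list and the threshold are all constructed for the demo. It shows that exhaustive guessing trips the lockout after a handful of attempts, while “spraying” a few of the most popular passwords across many accounts never pushes any single account over the threshold, which is why a server that only counts failures per account misses it and a defender wants a per-source counter as well.

```python
from collections import defaultdict
from itertools import product

# Constructed demo accounts. The plaintext is only here so the fake server
# can check a guess; a real server would store hashes (see below).
ACCOUNTS = {
    "alice": "v7#Qm2pL!x9R",   # strong, random
    "bob":   "123456",         # on every "most popular" list
    "carol": "qwerty",
    "dave":  "iloveyou",
}

# Constructed stand-in for a "top N passwords" list, most popular first.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty",
                 "123456789", "iloveyou", "abc123"]


class LoginService:
    """Fake log-in endpoint. Hard-locks an account after `max_failures`
    consecutive failed attempts and, separately, counts failures per client
    source (think: IP address) so a spray can be spotted."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.account_failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password, source):
        if user in self.locked:
            return "locked"
        if ACCOUNTS.get(user) == password:
            self.account_failures[user] = 0
            return "ok"
        self.account_failures[user] += 1
        self.source_failures[source] += 1
        if self.account_failures[user] >= self.max_failures:
            self.locked.add(user)
        return "fail"


def simple_brute_force(service, user, alphabet="abcdefghijklmnopqrstuvwxyz",
                       length=4, source="attacker"):
    """Try every `length`-character candidate against ONE account, in order.
    Returns (result, attempts). The lockout trips long before the keyspace
    (26**4 = 456,976 candidates here) is exhausted."""
    attempts = 0
    for chars in product(alphabet, repeat=length):
        attempts += 1
        result = service.login(user, "".join(chars), source)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", attempts


def password_spray(service, users, passwords, per_account_limit,
                   source="attacker"):
    """Password spraying: the most popular passwords tried against EVERY
    account, with at most `per_account_limit` guesses per account so that no
    account ever reaches the lockout threshold. Returns {user: password}."""
    compromised = {}
    for candidate in passwords[:per_account_limit]:
        for user in users:
            if user in compromised:
                continue
            if service.login(user, candidate, source) == "ok":
                compromised[user] = candidate
    return compromised


if __name__ == "__main__":
    svc = LoginService(max_failures=5)
    print("brute force:", simple_brute_force(svc, "alice"))
    svc = LoginService(max_failures=5)
    print("spray:", password_spray(svc, list(ACCOUNTS), TOP_PASSWORDS, 4))
    print("locked accounts:", svc.locked)
    print("failures seen from attacker:", svc.source_failures["attacker"])
```

Run it and you’ll see the brute force stop at attempt six with the account locked and nothing found, while the spray walks away with two of the four accounts, locks nothing, and leaves every per-account counter at four or below. The only counter that shows anything unusual is the one keyed by source, which is the check a sensible server adds.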
But there’s a very practical and reasonable way for hackers to try every possible password. They do it by stealing user account databases.
How passwords are stored
We need to focus on an important definition before we proceed.
I’ve talked and written before about how most services store your password. They create what’s called a hash of the password.
Think of a hash as a one-way function: you can compute the hash of a password, but you can’t compute the password from the hash. And while two different passwords could in theory produce the same hash, with a proper cryptographic hash the odds are so small, and finding such a pair is so hard, that it never happens in practice.
When you set your password, the service creates the hash associated with it and stores the hash, not your actual password.
When you log in, the service again creates the hash of whatever you typed in as your password. It compares this hash with the hash it created when you set your password. If those two hashes match, then you must have typed in the same password this time as you did when you created the password in the first place.
In other words, if the hashes match, you typed in the right password, and the system allows you to log on.
Databases of passwords
Now that we’ve seen how passwords are stored, we can look at how hackers leverage that approach to their advantage.
You’ve probably heard about various data breaches at large companies. A hacker gets in and gains access to things they’re not supposed to.
One of the goals of most of these breaches is to get a copy of the user account database. That’s the list of user IDs and password hashes. Once they have a copy of that database, they can go to work.
Later, on their own computers and at extremely high speed, they try candidate passwords: the popular lists first, then every possible combination. For each candidate they compute its hash and look that hash up in the database they just stole. A match tells them the password for every account that had that hash, because that’s the password that produces it. (If the service mixed a unique random “salt” into each stored hash, one computed hash no longer matches across accounts and the attacker has to repeat the work for each one, which is why salting is standard practice.)
This is where password length and complexity come into play.
It’s currently feasible to try all possible eight-character passwords in a short amount of time. That’s why most industry experts now say 12 characters is the new minimum length of a password. Each character you add multiplies the number of possibilities by the size of the character set (95 for the printable characters on a US keyboard), so the time required to try them all grows exponentially with length. It’s just not practical for hackers to try all possible 12-character passwords today; it would take years, even with the best equipment.
So, yes, there are absolutely scenarios where hackers can and do try all possible passwords. They just don’t do it by trying to log in with each one. Using those stolen user account databases, they work offline to figure out which password produces your hash. When they later arrive at the log-in screen, they know exactly what to type in, and need only one try to get into your account.
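The offline process just described, as an added example in Python (my code, not the article’s; the user table and word list are constructed, and the guess rate fed to the timing estimate is an assumption, not a measurement). Against a table of plain, unsalted hashes, one hash computation per candidate checks every account at once. The second half shows the caveat from above in numbers: when each password is hashed with its own random salt and a deliberately slow hash (PBKDF2 here, a standard choice), the attacker has to redo the work for every account, and each hash costs far more.

```python
import hashlib
import os

# Constructed demo: the user table an attacker walked off with. The plaintext
# appears only so the demo can build the table; a real breach yields hashes.
USERS = {
    "alice": "123456",
    "bob":   "letmein",
    "carol": "correct horse battery staple",
    "dave":  "123456",            # same password as alice: same unsalted hash
}

# Constructed stand-in for a "top N" word list, most popular first.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon"]


# --- the weak way: one fast, unsalted hash per user ------------------------

def fast_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def build_unsalted_db():
    return {user: fast_unsalted(pw) for user, pw in USERS.items()}

def crack_unsalted(db, wordlist):
    """Invert the table so one computed hash checks every user at once.
    Returns ({user: password}, number_of_hashes_computed)."""
    users_by_hash = {}
    for user, digest in db.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for candidate in wordlist:
        work += 1
        for user in users_by_hash.get(fast_unsalted(candidate), []):
            found[user] = candidate
    return found, work


# --- the standard way: per-user salt and a slow key-derivation function -----

ITERATIONS = 100_000   # demo value; production tunes this to ~100s of ms per hash

def slow_salted(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_salted_db():
    db = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)          # unique per user, stored beside the hash
        db[user] = (salt, slow_salted(pw, salt))
    return db

def crack_salted(db, wordlist):
    """The salt forces one slow hash per candidate PER USER; identical
    passwords no longer share a hash, so nothing can be checked in bulk."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        for candidate in wordlist:
            work += 1
            if slow_salted(candidate, salt) == digest:
                found[user] = candidate
                break
    return found, work


# --- why length matters -----------------------------------------------------

def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every password of a given length at an assumed offline
    guess rate. Adding one character multiplies this by alphabet_size."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(build_unsalted_db(), WORDLIST))
    print("salted:  ", crack_salted(build_salted_db(), WORDLIST))
    rate = 1e10   # assumed guesses/second for a fast unsalted hash
    for n in (8, 10, 12):
        print(f"{n} chars: {seconds_to_exhaust(95, n, rate) / 86400:,.0f} days")
```

Both attacks recover the same three weak passwords here, but the unsalted table falls to five hash computations in total, while the salted one needs thirteen slow ones for four users, and that gap widens with every additional user. The strong passphrase survives both because it isn’t on the list, and exhausting the full 12-character space at the assumed rate would take far longer than anyone’s patience.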
It all comes down to good passwords
The lesson here, of course, is to choose long, complex passwords. The longer the better, in fact. I now use passwords with 20 random characters whenever I can. I let LastPass create and remember them for me.
Yes, it’s possible that even those can be compromised by malware such as keyloggers, which is why I also advise adding two-factor authentication to your important accounts. With two-factor authentication enabled, even knowing the password isn’t enough to get in.