I have a question about passwords for online accounts. If I type my password
wrong three times in a row, I can get locked out of my email account until it’s
been reset. So if hackers rapidly try the whole dictionary, why doesn’t the
account get blocked and I get notified of the intrusion? Several of my friends’
email accounts have recently been hacked, so it seems, and I receive emails
from them (or rather it says they’re from them) with no subject and just a link to
a malware site. I sent them your article about this type of hacking. It could
be a spammer using their email address as a front. However, if I tell my friend
the other two addresses listed are always from the friend’s contact list
and are not necessarily related: one a friend, one a business and another a
relative. Nor were they used in an intercepted mail. So, somehow the hackers
are gaining access to their contacts list without triggering an intrusion
notification. How is this possible? Again, I’ve read your article but it
doesn’t address why an intrusion notification or lockout doesn’t happen if many
different passwords are tried in rapid succession.
In this excerpt from Answercast #32, I look at some of the methods hackers may be using to hack into email accounts that completely bypass locks and login limitations.
Passwords in rapid succession
So, yes, if many different passwords are tried in rapid succession, you bet, that account will in all likelihood get locked out.
That implies that’s not necessarily what hackers are doing… or at least they’re not doing it the way you think they’re doing it. It’s not like they’re sitting in front of a computer and trying password, after password, after password.
Hackers bypass safety features
There are several ways that accounts can get hacked that don’t involve this single-access dictionary attack.
I say “single access” because one of the other approaches that hackers will sometimes use is they will perform what I call a “slow dictionary attack” across multiple machines.
Take that definition of “rapid” – three password attempts in rapid succession. If you understand just what “rapid” really means to that email service, and you throttle back your attempts to be somewhat slower than that, then that account never gets locked out.
Admittedly, that means that it takes a really, really long time. So, what you do as a hacker is you try thousands of accounts at the same time. Rather than having three password attacks against the same account within a couple of minutes, you have thousands of password attacks across hundreds of different accounts – so that none of the accounts themselves ever reach that threshold of “too many too fast.”
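The detection side of the slow, distributed attack just described, as an added example that is not from the original answer: a per-account lockout rule never fires because each account sees too few failures, so the detector has to count the other axis, how many distinct accounts one source fails against. The log lines, thresholds and field layout are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, result, account, source IP). One source
# rotates through many accounts so no single account sees 3 failures within
# the 2-minute lockout window; a second source is a user who mistyped once.
SAMPLE_LOG = """\
2012-06-14T09:00:00 FAIL alice@example.com 203.0.113.5
2012-06-14T09:00:01 FAIL bob@example.com 203.0.113.5
2012-06-14T09:00:02 FAIL carol@example.com 203.0.113.5
2012-06-14T09:00:03 FAIL dave@example.com 203.0.113.5
2012-06-14T09:00:04 FAIL erin@example.com 203.0.113.5
2012-06-14T09:00:05 FAIL frank@example.com 203.0.113.5
2012-06-14T09:00:30 FAIL grace@example.com 198.51.100.7
2012-06-14T09:00:31 OK grace@example.com 198.51.100.7
2012-06-14T09:03:00 FAIL alice@example.com 203.0.113.5
2012-06-14T09:03:01 FAIL bob@example.com 203.0.113.5
"""

LOCKOUT_FAILS, LOCKOUT_WINDOW = 3, timedelta(minutes=2)  # per-account rule (assumed)
SPRAY_ACCOUNTS, SPRAY_WINDOW = 5, timedelta(minutes=10)  # per-source rule (assumed)


def failures(log):
    """Yield (timestamp, account, source) for each failed login line."""
    for line in log.splitlines():
        ts, result, account, source = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), account, source


def locked_accounts(log):
    """Accounts the per-account rule locks: LOCKOUT_FAILS failures inside LOCKOUT_WINDOW."""
    recent, locked = defaultdict(list), set()
    for ts, account, _ in failures(log):
        recent[account] = [t for t in recent[account] if ts - t <= LOCKOUT_WINDOW] + [ts]
        if len(recent[account]) >= LOCKOUT_FAILS:
            locked.add(account)
    return locked


def spraying_sources(log):
    """Sources that fail against SPRAY_ACCOUNTS distinct accounts inside SPRAY_WINDOW,
    however few attempts each individual account saw. Returns {source: accounts}."""
    recent, flagged = defaultdict(dict), {}
    for ts, account, source in failures(log):
        seen = {a: t for a, t in recent[source].items() if ts - t <= SPRAY_WINDOW}
        seen[account] = ts
        recent[source] = seen
        if len(seen) >= SPRAY_ACCOUNTS:
            flagged[source] = sorted(seen)
    return flagged
```

On the sample, `locked_accounts` returns nothing while `spraying_sources` flags 203.0.113.5 against six accounts; an attacker spreading the same attempts over many source addresses would need the same count done per account set or per password guess rather than per source.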
Keylogging & malware
In reality, I believe that accounts get hacked for other reasons, using techniques other than dictionary attacks.
- One is that the password was used in an open Wi-Fi hotspot and not encrypted. That means the hacker could have been sitting in a corner and just seen the password fly by.
- Another is that there could be malware on your friend’s machine that’s logging keystrokes. As your friend types in his password to log in – not only does it log in – but it then tells the hacker what the password is. And, once again, they gain access to the account.
- Another approach is that your friend has an account on some other system that has been hacked in a different way (I’ll talk about that in a minute), and they get the same password he uses across all of his accounts.
So, for example, let’s say that he had a password on LinkedIn (since I know LinkedIn had a password breach last year). He had an account and a password on LinkedIn that was breached (in a way that I’ll discuss in a moment) and he used the same password on LinkedIn as he did on, say, Hotmail.
Hackers know that people do this a lot. They do.
So what they then do is say, “You know what? I found this email address and this password on this service. Let’s go try that same combination on a bunch of other services.”
If it happens to be the same email address, and the same password, on the Hotmail account as it was on the LinkedIn account, then boom, the Hotmail account is also compromised.
The type of attack that I’m talking about with LinkedIn, and with other services where this has happened in the past, is not theft of an individual account:
- What they do is they steal the entire database of account names and passwords.
Now they may not actually get the passwords – although sometimes the database does include the raw password (that’s bad security but it happens). What this allows the hacker to do, then, is to make a copy of that database and throw a bunch of computing resources at it.
There are no limits when you’ve got a database on your machine and you’re trying different passwords to see what works. They can try thousands, or tens of thousands, or hundreds of thousands, of password attempts per second – and finally crack the account.
Once they’ve got that database cracked, from one service, then it’s not uncommon for them to run around to other popular services and see if the same login information that they got on this database (from this cracked account) wouldn’t work on a bunch of others.
So, there’s lots of different ways that passwords can get hacked.
One more thing I want to throw out is the ubiquitous phishing attempt. I see this a lot. Very often people will respond to these emails that say, “Hey, I’m gonna close your account if you don’t respond with your username, and your password, and your social security number, and any number of different things.”
It looks like it’s official, or it looks kind of like it’s official, and you don’t want your account to get closed down – so you respond to the email. Well what you’re responding to is a hacker; and you’ve just given them the login credentials for your account so don’t be surprised if it gets hacked.
So needless to say there are a lot more ways that accounts can get hacked beyond just trying a dictionary attack from a login prompt – because like you said, that typically doesn’t work. That typically causes the account to get locked out fairly quickly.
All of these other approaches typically bypass that completely and allow the hackers, when successful, to hack the account anyway.