Why Hackers Aren't Stopped by Account Lockouts

Users getting locked out of their own accounts is an all-too-common scenario. After just a few typos, they can no longer try again until time passes or they reset their passwords with an email. As frustrating as it is, at least it stops hackers — or does it?

Statistics suggest otherwise. Over one-third of all Americans have had their social media accounts hacked despite standard attempt limits. Why don’t these protections stop cybercriminals if they can lock out the users themselves, and how can people stay safe?

How Account Lockouts Are Supposed to Stop Hackers

Account lockouts are supposed to stop a type of hack known as a “brute-force” attack. At its simplest, brute forcing involves trying a string of random inputs until something works. More often than not, cybercriminals use automated tools to do this, which are much faster than manually guessing passwords.

The idea behind login attempt limits is that getting a password right will take far more than three or so guesses. Consequently, locking the account after so many attempts theoretically stops brute-force attacks before they succeed. However, things rarely play out this way.

How Hackers Get Around Account Lockouts

Cybercriminals can get into a password-protected account in several ways. Here are a few strategies they use to get past account lockouts, even in a brute-force attack.

Offline Brute-Force Attacks

Account lockouts would work if hackers attempted to guess a password on the login screen. The problem is that they don’t often do that. Instead, they perform offline brute-force attacks, where they steal password data and try to break through it in a different environment where there are no attempt limits.

Attackers cannot be locked out after multiple failed attempts when they possess the raw encrypted data. That’s because they’re not trying to decrypt it online, where the server has these protections. Rather, they take just the account data and brute force it on their own computer or on a different, unsecured server.

These attacks require stealing the passwords from a website first, then using brute force tools to break through the encryption. While that’s more complicated than simply guessing credentials on-site, it gives criminals time. Even if it takes millions of attempts, they can reveal the password in a few days and then login like a normal user on the legitimate site.

Unfortunately, it often doesn’t need to take millions of attempts. Despite years of warnings from security experts, “password” is still the most common base term used in passwords, and 18% of passwords contain only lowercase letters. Offline brute-force attacks are often made easier for hackers simply because users don’t follow password length and complexity best practices.

Credential Stuffing

Another option is to use credential stuffing. Here, hackers take login info they know worked for one account and use it to get into another. They often get those credentials from past data breaches, where other cybercriminals have sold stolen usernames and passwords on the dark web.

Just 12% of global internet users always use new credentials when opening a new account. Most people use the same passwords across multiple sites — sometimes all of them. As a result, it’s a safe bet that a stolen passcode will work somewhere else, so hackers can use one to log into an account in just one or two attempts.

Social Engineering

Hackers can also work around account lockouts through social engineering. This is such a broad category of attacks, so it can cover several strategies to steal or bypass login credentials.

The most direct way is to trick users into telling attackers their passwords by posing as a trusted source. Alternatively, cybercriminals may send an email claiming to be from a legitimate site with a link to log into their account. However, the link leads to a fraudulent login page identical to the real one where criminals can see what users type in.

Such attacks may seem obvious, but 298,878 people fell for phishing attempts in 2023 alone. That’s more than any other form of cybercrime and suggests social engineering is still highly effective.

Keylogging and Man-in-the-Middle Attacks

Another way attackers can avoid account lockouts is by watching users as they type in passwords. There are two main approaches here — keylogging software and man-in-the-middle (MITM) attacks.

Keyloggers are a form of malware cybercriminals may deliver through phishing, malicious websites, or other means. Once installed, they track what users type, including passwords, which hackers can use to log into people’s accounts in a single attempt.

MITM attacks are similar but involve intercepting users’ inputs — which can include passwords — before they reach the server. Encryption can stop these attacks, but public Wi-Fi or unsecured websites are susceptible to them.

How Can Users Stay Safe?

It’s safe to say account lockouts are not enough to stop hackers. Thankfully, users can protect themselves by following a few other best practices. Better safety starts with using stronger passwords. Experts recommend using random password generators, as these create more complex strings of characters that are harder to brute force.

Never reusing passwords and periodically changing them is also a good idea. These steps will make credential stuffing less effective.

Users should also enable multifactor authentication (MFA) wherever available. It’s still possible to brute force past MFA, but it’s much harder than getting past a simple username-password combo.

Stopping Cybercriminals Is Far From Simple

Brute force attacks are not as simple as they seem at first, and defending against them is rarely straightforward. While an account lockout system makes sense in theory, it is not safe enough to be the sole defense in practice.

Cybercriminals have many tools at their disposal, so strong protections likewise use multiple ways of staying safe. Pairing login limits with long, complex, and unique passwords, MFA, and frequent credential changes will offer the most security.