Users getting locked out of their own accounts is an all-too-common scenario. After just a few typos, they can no longer try again until time passes or they reset their passwords with an email. As frustrating as it is, at least it stops hackers — or does it? Statistics suggest otherwise. Over one-third of all Americans have had their social media accounts hacked despite standard attempt limits. Why don’t these protections stop cybercriminals if they can lock out the users themselves, and how can people stay safe? How Account Lockouts Are Supposed to Stop Hackers Account lockouts are supposed to stop a type of hack known as a “brute-force” attack. At its simplest, brute forcing involves trying a string of random inputs until something works. More often than not, cybercriminals use automated tools to do this, which are much faster than manually guessing passwords. The idea behind login attempt limits is that getting a password right will take far more than three or so guesses. Consequently, locking the account after so many attempts theoretically stops brute-force attacks before they succeed. However, things rarely play out this way. How Hackers Get Around Account Lockouts Cybercriminals can get into a password-protected account in several ways. Here are a few strategies they use to get past account lockouts, even in a brute-force attack. Offline Brute-Force Attacks Account lockouts would work if hackers attempted to guess a password on the login screen. The problem is that they don’t often do that. Instead, they perform offline brute-force attacks, where they steal password data and try to break through it in a different environment where there are no attempt limits. Attackers cannot be locked out after multiple failed attempts when they possess the raw encrypted data. That’s because they’re not trying to decrypt it online, where the server has these protections. Rather, they take just the account data and brute force it on their own computer or on a different, unsecured server. These attacks require stealing the passwords from a website first, then using brute force tools to break through the encryption. While that’s more complicated than simply guessing credentials on-site, it gives criminals time. Even if it takes millions of attempts, they can reveal the password in a few days and then login like a normal user on the legitimate site. Unfortunately, it often doesn’t need to take millions of attempts. Despite years of warnings from security experts, “password” is still the most common base term used in passwords, and 18% of passwords contain only lowercase letters. Offline brute-force attacks are often made easier for hackers simply because users don’t follow password length and complexity best practices. Credential Stuffing Another option is to use credential stuffing. Here, hackers take login info they know worked for one account and use it to get into another. They often get those credentials from past data breaches, where other cybercriminals have sold stolen usernames and passwords on the dark web. Just 12% of global internet users always use new credentials when opening a new account. Most people use the same passwords across multiple sites — sometimes all of them. As a result, it’s a safe bet that a stolen passcode will work somewhere else, so hackers can use one to log into an account in just one or two attempts. Social Engineering Hackers can also work around account lockouts through social engineering. This is such a broad category of attacks, so it can cover several strategies to steal or bypass login credentials. The most direct way is to trick users into telling attackers their passwords by posing as a trusted source. Alternatively, cybercriminals may send an email claiming to be from a legitimate site with a link to log into their account. However, the link leads to a fraudulent login page identical to the real one where criminals can see what users type in. Such attacks may seem obvious, but 298,878 people fell for phishing attempts in 2023 alone. That’s more than any other form of cybercrime and suggests social engineering is still highly effective. Keylogging and Man-in-the-Middle Attacks Another way attackers can avoid account lockouts is by watching users as they type in passwords. There are two main approaches here — keylogging software and man-in-the-middle (MITM) attacks. Keyloggers are a form of malware cybercriminals may deliver through phishing, malicious websites, or other means. Once installed, they track what users type, including passwords, which hackers can use to log into people’s accounts in a single attempt. MITM attacks are similar but involve intercepting users’ inputs — which can include passwords — before they reach the server. Encryption can stop these attacks, but public Wi-Fi or unsecured websites are susceptible to them. How Can Users Stay Safe? It’s safe to say account lockouts are not enough to stop hackers. Thankfully, users can protect themselves by following a few other best practices. Better safety starts with using stronger passwords. Experts recommend using random password generators, as these create more complex strings of characters that are harder to brute force. Never reusing passwords and periodically changing them is also a good idea. These steps will make credential stuffing less effective. Users should also enable multifactor authentication (MFA) wherever available. It’s still possible to brute force past MFA, but it’s much harder than getting past a simple username-password combo. Stopping Cybercriminals Is Far From Simple Brute force attacks are not as simple as they seem at first, and defending against them is rarely straightforward. While an account lockout system makes sense in theory, it is not safe enough to be the sole defense in practice. Cybercriminals have many tools at their disposal, so strong protections likewise use multiple ways of staying safe. Pairing login limits with long, complex, and unique passwords, MFA, and frequent credential changes will offer the most security. Users getting locked out of their own accounts is an all-too-common scenario. After just a few typos, they can no longer try again until time passes or they reset their passwords with an email. As frustrating as it is, at least it stops hackers — or does it? Users getting locked out of their own accounts is an all-too-common scenario. After just a few typos, they can no longer try again until time passes or they reset their passwords with an email. As frustrating as it is, at least it stops hackers — or does it? Statistics suggest otherwise. Over one-third of all Americans have had their social media accounts hacked despite standard attempt limits. Why don’t these protections stop cybercriminals if they can lock out the users themselves, and how can people stay safe? one-third of all Americans one-third of all Americans How Account Lockouts Are Supposed to Stop Hackers Account lockouts are supposed to stop a type of hack known as a “brute-force” attack. At its simplest, brute forcing involves trying a string of random inputs until something works. More often than not, cybercriminals use automated tools to do this, which are much faster than manually guessing passwords. The idea behind login attempt limits is that getting a password right will take far more than three or so guesses. Consequently, locking the account after so many attempts theoretically stops brute-force attacks before they succeed. However, things rarely play out this way. How Hackers Get Around Account Lockouts Cybercriminals can get into a password-protected account in several ways. Here are a few strategies they use to get past account lockouts, even in a brute-force attack. Offline Brute-Force Attacks Account lockouts would work if hackers attempted to guess a password on the login screen. The problem is that they don’t often do that. Instead, they perform offline brute-force attacks, where they steal password data and try to break through it in a different environment where there are no attempt limits. Attackers cannot be locked out after multiple failed attempts when they possess the raw encrypted data. That’s because they’re not trying to decrypt it online, where the server has these protections. Rather, they take just the account data and brute force it on their own computer or on a different, unsecured server. cannot be locked out cannot be locked out These attacks require stealing the passwords from a website first, then using brute force tools to break through the encryption. While that’s more complicated than simply guessing credentials on-site, it gives criminals time. Even if it takes millions of attempts, they can reveal the password in a few days and then login like a normal user on the legitimate site. Unfortunately, it often doesn’t need to take millions of attempts. Despite years of warnings from security experts, “password” is still the most common base term used in passwords, and 18% of passwords contain only lowercase letters. Offline brute-force attacks are often made easier for hackers simply because users don’t follow password length and complexity best practices. the most common base term the most common base term Credential Stuffing Another option is to use credential stuffing. Here, hackers take login info they know worked for one account and use it to get into another. They often get those credentials from past data breaches, where other cybercriminals have sold stolen usernames and passwords on the dark web. Just 12% of global internet users always use new credentials when opening a new account. Most people use the same passwords across multiple sites — sometimes all of them. As a result, it’s a safe bet that a stolen passcode will work somewhere else, so hackers can use one to log into an account in just one or two attempts. 12% of global internet users 12% of global internet users Social Engineering Hackers can also work around account lockouts through social engineering. This is such a broad category of attacks, so it can cover several strategies to steal or bypass login credentials. The most direct way is to trick users into telling attackers their passwords by posing as a trusted source. Alternatively, cybercriminals may send an email claiming to be from a legitimate site with a link to log into their account. However, the link leads to a fraudulent login page identical to the real one where criminals can see what users type in. Such attacks may seem obvious, but 298,878 people fell for phishing attempts in 2023 alone. That’s more than any other form of cybercrime and suggests social engineering is still highly effective. 298,878 people fell for phishing attempts 298,878 people fell for phishing attempts Keylogging and Man-in-the-Middle Attacks Another way attackers can avoid account lockouts is by watching users as they type in passwords. There are two main approaches here — keylogging software and man-in-the-middle (MITM) attacks. Keyloggers are a form of malware cybercriminals may deliver through phishing, malicious websites, or other means. Once installed, they track what users type, including passwords, which hackers can use to log into people’s accounts in a single attempt. MITM attacks are similar but involve intercepting users’ inputs — which can include passwords — before they reach the server. Encryption can stop these attacks, but public Wi-Fi or unsecured websites are susceptible to them. How Can Users Stay Safe? It’s safe to say account lockouts are not enough to stop hackers. Thankfully, users can protect themselves by following a few other best practices. Better safety starts with using stronger passwords. Experts recommend using random password generators , as these create more complex strings of characters that are harder to brute force. recommend using random password generators recommend using random password generators Never reusing passwords and periodically changing them is also a good idea. These steps will make credential stuffing less effective. Users should also enable multifactor authentication (MFA) wherever available. It’s still possible to brute force past MFA , but it’s much harder than getting past a simple username-password combo. possible to brute force past MFA possible to brute force past MFA Stopping Cybercriminals Is Far From Simple Brute force attacks are not as simple as they seem at first, and defending against them is rarely straightforward. While an account lockout system makes sense in theory, it is not safe enough to be the sole defense in practice. Cybercriminals have many tools at their disposal, so strong protections likewise use multiple ways of staying safe. Pairing login limits with long, complex, and unique passwords, MFA, and frequent credential changes will offer the most security.

The is an opinion piece based on the author’s POV and does not necessarily reflect the views of HackerNoon.

The Rise of Mental Health Apps: What Are the Consequences?

Inside the Secrets of Physical Penetration Testing

Portfolio

Nominated for 2022 - HackerNoon Contributor of the Year - Data Security

Nominated for 2022 - HackerNoon Contributor of the Year - Cyber Threats

Nominated for 2022 - HackerNoon Contributor of the Year - Media

Nominated for 2022 - HackerNoon Contributor of the Year - Hacking

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

Why Hackers Aren't Stopped by Account Lockouts

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

10 Common Scams Targeting Healthcare Workers

The Noonification: zkEmail Account in Noir Aztec - Part 1 (9/14/2024)

Defending Your Web App: A Guide to Rate Limiting and Brute Force Attack Prevention

How Azure AD Could Be Vulnerable to Brute-Force and DOS Attacks

Hostile Web Bots: Why Modern Bots are Difficult to Detect and Defeat (and How to Do it Anyway)

10 Common Scams Targeting Healthcare Workers

The Noonification: zkEmail Account in Noir Aztec - Part 1 (9/14/2024)

Defending Your Web App: A Guide to Rate Limiting and Brute Force Attack Prevention

How Azure AD Could Be Vulnerable to Brute-Force and DOS Attacks

Hostile Web Bots: Why Modern Bots are Difficult to Detect and Defeat (and How to Do it Anyway)

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps