Users getting locked out of their own accounts is an all-too-common scenario. After just a few typos, they can no longer try again until time passes or they reset their passwords with an email. As frustrating as it is, at least it stops hackers — or does it?
Statistics suggest otherwise. Over
Account lockouts are supposed to stop a type of hack known as a “brute-force” attack. At its simplest, brute forcing means trying one candidate input after another until something works. More often than not, cybercriminals use automated tools to do this, which are much faster than manually guessing passwords.
The idea behind login attempt limits is that getting a password right will take far more than three or so guesses. Consequently, locking the account after so many attempts theoretically stops brute-force attacks before they succeed. However, things rarely play out this way.
Cybercriminals can get into a password-protected account in several ways. Here are a few strategies they use to get past account lockouts, even in a brute-force attack.
Account lockouts would work if hackers attempted to guess a password on the login screen. The problem is that they don’t often do that. Instead, they perform offline brute-force attacks, where they steal password data and try to break through it in a different environment where there are no attempt limits.
Attackers
These attacks require stealing the passwords from a website first, then using brute-force tools to break through the encryption. While that’s more complicated than simply guessing credentials on-site, it gives criminals time. Even if it takes millions of attempts, they can reveal the password in a few days and then log in like a normal user on the legitimate site.
Unfortunately, it often doesn’t need to take millions of attempts. Despite years of warnings from security experts, “password” is still
Another option is to use credential stuffing. Here, hackers take login info they know worked for one account and use it to get into another. They often get those credentials from past data breaches, where other cybercriminals have sold stolen usernames and passwords on the dark web.
Just
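Credential stuffing slips past per-account lockouts because each account sees only one or two attempts; the pattern is visible only when attempts are grouped by source. The following detection logic is an added example, not code from the original article. It runs over a constructed login log (format, thresholds, and IP addresses are assumptions for this example), reports which accounts a per-account lockout would catch, which sources failed against many distinct accounts inside a short window, and which accounts then logged in successfully from such a source and should be reviewed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not from the article): one line per attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

LOCKOUT_THRESHOLD = 5    # failures on one account before it locks (assumed)
STUFFING_THRESHOLD = 8   # distinct accounts one source fails against (assumed)
WINDOW = timedelta(minutes=10)

# Constructed sample log: bob mistypes his password six times (lockout fires),
# while one source tries twelve different accounts once each and then succeeds.
SAMPLE_LOG = [
    *[f"2024-05-01T10:0{i}:00Z ip=198.51.100.5 user=bob result=fail" for i in range(6)],
    *[f"2024-05-01T11:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result=fail" for i in range(12)],
    "2024-05-01T11:00:12Z ip=203.0.113.7 user=carol result=ok",
    "2024-05-01T12:00:00Z ip=192.0.2.9 user=dave result=ok",
]


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "result": m["result"],
        })
    return events


def locked_accounts(events):
    """What a plain per-account lockout sees: accounts with too many failures."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]] += 1
    return {user for user, n in fails.items() if n >= LOCKOUT_THRESHOLD}


def stuffing_sources(events):
    """Source IPs whose failures spread over many distinct accounts within WINDOW."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it is within WINDOW of evs[end]
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= STUFFING_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def suspect_logins(events):
    """Accounts that logged in successfully from a flagged source: review and reset."""
    bad_sources = stuffing_sources(events)
    return {e["user"] for e in events if e["result"] == "ok" and e["ip"] in bad_sources}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("locked by per-account rule:", locked_accounts(evs))
    print("stuffing sources (ip -> distinct accounts):", stuffing_sources(evs))
    print("successful logins to review:", suspect_logins(evs))
```

In this sample the per-account rule locks only bob, the legitimate user who mistyped, and never fires for the twelve single-attempt accounts; grouping by source flags the one address that touched them all, and the login to carol from that address is the one worth forcing a password reset on.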
Hackers can also work around account lockouts through social engineering. This is a broad category of attacks, so it can cover several strategies to steal or bypass login credentials.
The most direct way is to trick users into telling attackers their passwords by posing as a trusted source. Alternatively, cybercriminals may send an email claiming to be from a legitimate site with a link to log into their account. However, the link leads to a fraudulent login page identical to the real one where criminals can see what users type in.
Such attacks may seem obvious, but
Another way attackers can avoid account lockouts is by watching users as they type in passwords. There are two main approaches here — keylogging software and man-in-the-middle (MITM) attacks.
Keyloggers are a form of malware cybercriminals may deliver through phishing, malicious websites, or other means. Once installed, they track what users type, including passwords, which hackers can use to log into people’s accounts in a single attempt.
MITM attacks are similar but involve intercepting users’ inputs — which can include passwords — before they reach the server. Encryption can stop these attacks, but public Wi-Fi or unsecured websites are susceptible to them.
It’s safe to say account lockouts are not enough to stop hackers. Thankfully, users can protect themselves by following a few other best practices. Better security starts with using stronger passwords. Experts
Never reusing passwords and periodically changing them is also a good idea. These steps will make credential stuffing less effective.
Users should also enable multifactor authentication (MFA) wherever available. It’s still
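MFA is what turns a stolen or guessed password into a failed login. The following is an added example, not code from the original article, of the server side of a time-based one-time password (TOTP, RFC 6238) check: it derives the expected six-digit code from a shared secret and the current 30-second step, tolerates one step of clock drift either way, and refuses to accept the same step twice so that a captured code cannot be replayed. The secret and timestamps used below are test values, not real credentials.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per code (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept the previous and next step to absorb clock drift (assumed)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """HOTP over the time step counter, per RFC 4226 / RFC 6238 (HMAC-SHA1)."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check for one user's second factor, with replay protection."""

    def __init__(self, secret: bytes, digits: int = DIGITS, window: int = WINDOW):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.last_counter = -1   # highest time step already consumed by a login

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        counter = int(now // STEP)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue   # this step (or an earlier one) was already used: reject replay
            expected = totp(self.secret, candidate * STEP, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Test secret from RFC 6238 Appendix B, not a real credential.
    secret = b"12345678901234567890"
    print("RFC 6238 vector at t=59:", totp(secret, 59, digits=8))   # 94287082
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print("first use:", verifier.verify(code))
    print("replayed code:", verifier.verify(code))
```

Even if a keylogger or a phishing page captured the password, the attacker still needs a code that is only valid for this step, and once the legitimate login has consumed that step the verifier rejects the same code again.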
Brute-force attacks are not as simple as they seem at first, and defending against them is rarely straightforward. While an account lockout system makes sense in theory, it is not safe enough to be the sole defense in practice.
Cybercriminals have many tools at their disposal, so a strong defense likewise layers several protections. Pairing login limits with long, complex, and unique passwords, MFA, and frequent credential changes will offer the most security.