I've often wondered how hackers bypass brute-force protection at login sites. This exchange addresses that question.
Request to "explain like I'm five":
"With 26 letters in the English alphabet, a password of 4 letters would have 26^4 possible combinations. And that is for 1 given username. That's a lot. Login forms could also have a brute-force protection that disables password guessing after about 10 attempts from a given IP or username. Still, websites often ask for 8 letters, lower/upper case, numbers, symbols, etc... It seems a bit of an over-kill, but this is very common. Can anyone explain?"
While ~457,000 sounds like just an absolutely unfathomably large number to a human, that's actually child's play when it comes to computers. Kaspersky Labs estimates that an average computer that's not even particularly specialized to password cracking can attempt roughly 7100 passwords every second. That means it could figure out a 4-letter single-case password in at most 65 seconds. I'm sure you can see why that's not very desirable.

Even just stepping up to a six-character password where lower case, upper case, and numbers (but no symbols) are allowed slows down an average computer's brute force attack to 3.5 days. This can be sped up by using known tables of common passwords that people use over and over again, or even just using a dictionary attack since most people use a password that's a word or some variant thereof (e.g. they might use "acc1d3nt" instead of "accident," but a good dictionary attack can account for these variants too).

And that's all to say nothing of the fact that people who make their living by cracking people's passwords are going to have specialized hardware that can crack passwords even faster. In 2012, ArsTechnica wrote an article about a then-new supercomputer that could guess up to 350 billion passwords every second (meaning the 6-character password from before could be cracked in a fraction of a second). And you can surely imagine that even more powerful hardware exists now, 8 years on.

"Most websites also have a brute-force protection that disables password guessing after about 10 attempts."

This is true, but again people who make their living cracking passwords have ways of circumventing this. Explaining the exact specifics would probably make this explanation not ELI-5 anymore, but the basic gist is that they don't actually crack your password by going to the website and entering each potential password one at a time. Else, as you mentioned, they'd get locked out and that would make the process take a long long time.

Rather, what they usually do is they get their hands on a master password list directly from the source. This can sometimes come from a leaker who works for a particular company, but most often it comes from hackers breaking into the company's database and getting the master list file that way. Now thankfully, any company worth their salt encrypts said password list, but that turns out not to really be a problem for hackers.

Most of the time hackers know what encryption algorithm a particular website uses to secure their passwords (e.g. the ArsTechnica article mentions that LinkedIn uses the SHA-1 algorithm. Obviously, this may no longer be the case today, but it was true as of 2012). Given this information, they can use their brute force password generator and run each one through the encryption algorithm until they find one that outputs the same string as one of the passwords in the list - they then know that user's password.

In addition to all of that, sometimes companies utterly fail at security and don't follow the industry best practices for securely storing passwords...
More at the explainlikeimfive subreddit discussion thread.
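As an added illustration, not part of the Reddit thread or of this post, here is the arithmetic the answer walks through, followed by the storage practice it only alludes to at the end: a fast unsalted digest (the SHA-1 case the answer cites) next to a salted, deliberately slow key derivation. The alphabet sizes and guess rates (7,100/s for an average PC, 350 billion/s for the 2012 cluster) are the figures quoted above; the PBKDF2 iteration count, salt length, sample passwords and the simple throughput model are assumptions made for this example.

```python
"""Password-guessing arithmetic and hashed-password storage.

Added example, not code from the quoted thread. The rates and alphabet sizes
are the figures quoted in the answer; the KDF parameters, sample passwords and
the throughput model below are constructed for illustration.
"""
import hashlib
import hmac
import math
import os

# Figures quoted in the thread above.
ALPHABET_LOWER = 26             # a-z
ALPHABET_MIXED_DIGITS = 62      # a-z, A-Z, 0-9
AVERAGE_PC_RATE = 7_100         # guesses per second (Kaspersky figure)
CLUSTER_RATE = 350_000_000_000  # guesses per second (2012 Ars Technica figure)

# Hypothetical parameters for the hardened scheme (assumptions, not from the page).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space` at a fixed guess rate."""
    return space / guesses_per_second


def sha1_unsalted(password: str) -> str:
    """The weak scheme the answer describes: one fast, unsalted digest.

    Identical passwords produce identical digests for every user, so a single
    candidate can be checked against an entire leaked list at once and
    precomputed tables of common passwords apply directly.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, derived_key); both are stored with the user record.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)


def effective_rate(hashes_per_second: float, iterations: int) -> float:
    """Rough model (an assumption of this example): a KDF that runs `iterations`
    hash rounds per guess divides raw hash throughput by that factor.
    The salt additionally stops one guess from being amortised over many users."""
    return hashes_per_second / iterations


if __name__ == "__main__":
    four_lower = keyspace(ALPHABET_LOWER, 4)
    six_mixed = keyspace(ALPHABET_MIXED_DIGITS, 6)
    print(f"26^4 = {four_lower:,} passwords; "
          f"average PC exhausts them in {math.ceil(seconds_to_exhaust(four_lower, AVERAGE_PC_RATE))} s")
    print(f"62^6 = {six_mixed:,} passwords; "
          f"350 billion/s cluster exhausts them in {seconds_to_exhaust(six_mixed, CLUSTER_RATE):.2f} s")

    # Same password, two users: unsalted SHA-1 gives the same digest for both,
    # salted PBKDF2 gives two unrelated values.
    print("unsalted SHA-1, user A:", sha1_unsalted("acc1d3nt"))
    print("unsalted SHA-1, user B:", sha1_unsalted("acc1d3nt"))
    salt_a, key_a = store_password("acc1d3nt")
    salt_b, key_b = store_password("acc1d3nt")
    print("salted PBKDF2,  user A:", key_a.hex())
    print("salted PBKDF2,  user B:", key_b.hex())
    print("login with correct password:", verify_password("acc1d3nt", salt_a, key_a))
    print("login with dictionary word:  ", verify_password("accident", salt_a, key_a))
    print(f"cluster rate against PBKDF2 with {PBKDF2_ITERATIONS:,} rounds: "
          f"{effective_rate(CLUSTER_RATE, PBKDF2_ITERATIONS):,.0f} guesses/s per user")
```

The keyspace figures reproduce the answer's numbers (26^4 is just under 457,000 and falls in under 65 seconds at 7,100 guesses/s; 62^6 falls in a fraction of a second at 350 billion/s). The contrast at the bottom is the point of the "industry best practices" remark: with a per-user salt and an iterated KDF, a leaked list no longer lets one candidate be tested against every user at once, and each guess costs thousands of hash rounds instead of one.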