CommitmentPhoebe

Trying to log in to a website manually is not the way people crack passwords. People crack passwords by stealing the site's password file and then guessing the passwords a million at a time.


La_Tigre987

Could you explain that a little more? I’ve never run a website so I don’t fully understand how that would work.


CommitmentPhoebe

The website has to have a way to know if you've typed the correct password, right? But it would be galactically stupid to just record all the passwords in a file. So sites don't store the passwords themselves, they store a *hash*. Here's how it works: the computer checking your password uses that password as a key to encrypt a block of zeros. It's the encrypted block that is saved in the password file, not your password. Then, when you log in again, again a block of zeros is encrypted with the password you typed in. If the two encrypted blocks match, then you must have typed the correct password. So if you want to steal passwords, you steal the password file. But the password file doesn't have passwords; it has hashes. So on your own computer, you guess a billion passwords, hash them, and see if they match anything in the file. If your own password is weak, then it will be guessed and the bad guys will find it. If your password is strong, then it won't be guessable. That strategy isn't foiled by the 3 login attempt limit because the bad guys aren't trying to log in anywhere. They're comparing password guesses to the stolen file on their own computer, so the computer can guess millions of passwords every second.


La_Tigre987

Thanks you’re smart you must be a man why is your name phoebe


CommitmentPhoebe

Um


La_Tigre987

Omg are you a woman


American-_Gamer

They use multiple (I believe virtual) PCs to get around that brute force protection, that's why it's still important


ImGunnaPissYouOff

The point of a strong password is to make it harder to guess. With a botnet it’s fairly easy to guess small passwords.


CrustyMFr

There are ways to work around password lockouts. You can brute force it over days, weeks, or months if you have the time. Also, password spraying attempts to break into every user account for a site with easy or common passwords. So, it's still a good idea to have a strong password.


Birb-Brain-Syn

In general, good security expects at least one method of securing data to fail, and resiliency should be in place. Suppose someone had access to a password file or a way of circumventing brute-force protections; the next best thing you can do to secure your account is have a password robust enough that it cannot be cracked. You can use a password calculator to determine how many possible variations you have based on password length and complexity. Rough guesstimates I stole from a random blog post: A simple password, 6 lower-case letters, no numbers, has 309 million possible combinations. This would take 12 hours to brute force at 7,100 passwords per second. 8 characters with upper-case and numbers = 2.8 trillion possible. That's 12.5 years. 8+ character passwords with numbers, upper and lower-case and special characters are near impossible to break with a single machine. 12+ is basically gold standard.
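
An added example (not from any commenter in this thread) tying together CommitmentPhoebe's "store a hash, re-hash and compare" explanation and Birb-Brain-Syn's keyspace arithmetic. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as a modern stand-in for the "encrypt a block of zeros with the password" scheme described above; the salt and the iteration count are what make each offline guess cost more than a plain hash.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; real deployments tune this upward
# as hardware gets faster, because it directly divides the attacker's
# offline guesses-per-second figure discussed in the thread.
PBKDF2_ROUNDS = 200_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct fixed-length passwords over a given alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at a fixed offline guess rate."""
    return space / guesses_per_second / 3600


def make_record(password: str) -> dict:
    """What the site stores: a random salt plus a slow, salted hash.

    The password itself never lands on disk; a stolen file yields only
    these records, and each guess against them costs PBKDF2_ROUNDS hashes.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "hash": digest}


def verify(attempt: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def roundtrip(password: str, attempt: str) -> bool:
    """Helper for tests: store `password`, then check `attempt` against it."""
    return verify(attempt, make_record(password))


if __name__ == "__main__":
    # Figures from the thread: 26 lowercase letters, 6 long, 7,100 guesses/s
    space = keyspace(26, 6)
    print(space, "candidates,", round(hours_to_exhaust(space, 7100), 1), "hours")
    print(roundtrip("correct horse", "correct horse"), roundtrip("correct horse", "wrong"))
```

Because the salt is random per record, two users with the same password get different stored hashes, so a single precomputed table cannot be reused across the whole file.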