Can a hacker use a brute-force attack to steal an online password?
- 17 February, 2014 17:11
Harish Kumar asked if a brute force attack--which tries random text strings until one turns out to be your password--would work on major websites. "Will Facebook allow millions of failed attempts?"
We all know that cybercriminals successfully hack Facebook, Twitter, Google, and Microsoft accounts. In one recent three-day period, two readers emailed me for advice on recovering their hacked Twitter accounts. (I point them to Your Twitter account has been hacked! Here's what to do about it.)
[Email your tech questions to firstname.lastname@example.org.]
Most successful attacks come not from brute force but from social engineering--tricking you into giving away your password. It doesn't work with everybody, but it works with the gullible. For more on this, see Christopher Null's The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack.
As a rule, websites don't lend themselves to brute-force attacks. Each guess at a password will take several seconds to come up true or false. At that rate, even hacking a four-digit number could take 15 to 20 hours. And long before that, any decently-designed site will recognize what's going on and shut down the account.
Yet people claim to have successfully done it, finding ways to bypass all of the safeguards. See How to Brute Force hacking Facebook in Kali Linux for one such claim.
And no, I didn't try it. I suspect that if this technique ever worked, it doesn't anymore. Facebook would immediately plug whatever vulnerability made it possible. Of course, that's no guarantee that other flaws won't be discovered in the future.
Keep in mind that if you turn on Facebook's Login Approvals (which you'll find on the Security Settings page), someone who steals your password still won't have access to your account. With this two-step verification, accessing your account requires not only your password but also your cellphone (not the number, but the actual phone).
But if brute force isn't practical, why bother with strong passwords? The whole point of creating a very long and difficult password is to make a brute force attack impractical. (See Learn to use strong passwords for more on this.)
I put that question to security expert Bruce Schneier. He told me that "Regardless of what else is going on, I would choose a long and difficult password for anything important."
I agree. On one level, it's simply a good habit. And besides, it's one more layer of protection in a world where we never know when another layer will be peeled away.