We as individual users are often limited by our own perspective when considering security questions. Take, for example, this question: “How likely is it that somebody will break into my account by guessing my password?”
In general, we as individuals (both users and developers) approach this question by placing ourselves at the center of reference. So we imagine something along these lines: “Well, the attacker will make one try, but my password is not too bad. Then the attacker will try again, and again... And there is no way my password will be guessed in three tries before my account is locked out! Conclusion: the lockout feature works. System secure!”
An attacker does not approach this question by giving preference to a specific account, not even yours. An experienced attacker takes a short list of the most commonly used passwords and tries each one against every account, attacking any individual account only a few times a day or a week (staying below the lockout threshold) but attacking many different users in parallel. Practitioners call this password spraying.
How effective is this attack? Because no single account receives more than a handful of failed attempts within a lockout window, no account is ever locked out. Yet because some people use common passwords, the attack is almost guaranteed to succeed against some fraction of the user base.
For example, the string “123456” amounts to around 0.9% of all passwords (Boneh, Stanford, 2014), and the top 25 passwords are used by 2.2% of all users (Burnett, Splashdata, 2015). Against a user base of 100,000 accounts, a single pass with “123456” alone would therefore be expected to open roughly 900 of them, each with exactly one login attempt. This explains why botnets can easily pry open many accounts in a matter of minutes.
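To make the two perspectives concrete, here is a small simulation added to this post (it is not code from the original author). It builds a hypothetical user population in which a few accounts use common passwords at shares loosely inspired by the figures quoted above, runs a targeted attack that trips a three-strikes lockout, and then runs a spray that makes one guess per account per window and never trips it. The lockout policy, the password shares and the user names are all constructed assumptions for the example.

```python
"""Targeted guessing vs. password spraying against a per-account lockout policy."""
import random
from collections import Counter

# Constructed, hypothetical shares (not the cited data sets themselves).
COMMON_PASSWORD_SHARE = {
    "123456": 0.009,
    "password": 0.004,
    "12345678": 0.002,
    "qwerty": 0.002,
}
LOCKOUT_THRESHOLD = 3   # hypothetical policy: 3 failures inside one window lock the account


def build_population(n_users, rng):
    """Return {username: password}; most users get a unique random password."""
    users = {}
    for i in range(n_users):
        r, cumulative, chosen = rng.random(), 0.0, None
        for pw, share in COMMON_PASSWORD_SHARE.items():
            cumulative += share
            if r < cumulative:
                chosen = pw
                break
        users[f"user{i}"] = chosen or f"strong-{rng.getrandbits(64):016x}"
    return users


class AuthServer:
    """Login endpoint with a failure counter that resets each window; a lock persists."""

    def __init__(self, users, threshold=LOCKOUT_THRESHOLD):
        self.users = users
        self.threshold = threshold
        self.failures = Counter()   # failed attempts in the current window
        self.locked = set()
        self.compromised = set()

    def new_window(self):
        self.failures.clear()

    def login(self, user, password):
        if user in self.locked:
            return False
        if self.users[user] == password:
            self.compromised.add(user)
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


def targeted_attack(server, target, guesses):
    """The 'my account' view: hammer one account with the whole list."""
    for pw in guesses:
        if server.login(target, pw):
            break
    return target in server.compromised


def spray_attack(server, guesses, guesses_per_window=1):
    """The attacker's view: a few guesses per account per window, every account at once.
    Returns (compromised_count, locked_count)."""
    queue = list(guesses)
    while queue:
        batch, queue = queue[:guesses_per_window], queue[guesses_per_window:]
        server.new_window()
        for user in server.users:
            if user in server.compromised:
                continue
            for pw in batch:
                if server.login(user, pw):
                    break
    return len(server.compromised), len(server.locked)


if __name__ == "__main__":
    rng = random.Random(7)
    users = build_population(10_000, rng)
    guesses = list(COMMON_PASSWORD_SHARE)
    target = next(u for u, pw in users.items() if pw not in guesses)
    print("targeted:", targeted_attack(AuthServer(users), target, guesses))
    print("spray, 1 guess/window:", spray_attack(AuthServer(users), guesses))
    print("spray, 3 guesses/window:", spray_attack(AuthServer(users), guesses, 3))
```

With one guess per window the spray locks nothing and compromises every account whose password is on the list; the same spray run with three guesses per window locks every account it fails to open, which is what a lockout policy is actually good for: it forces the attacker to be patient, not to give up.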
This different perspective, seeing the entire system rather than only scenarios concerning a single user, is the key to improving security. The lesson for individual users is, of course, to pick longer and more complex passwords. The lesson for developers is that per-account lockout alone does not stop this attack as it is actually carried out: rejecting passwords that appear on common-password lists, and watching for failed logins spread across many different accounts from the same source, do.
Mindset, Courtesy Stuart Miles
Outside the Box, Courtesy Master Isolated Images