My company locks my access to my computer after three failed log in attempts. In addition, I have a separate log on to my computer, have a separate log on to the system and yet another separate log on to our VPN network if working remotely. All have three failed try lock outs. You have to call a company system administrator by telephone and request unlocking to regain access to the system. All three change passwords every couple months at different frequencies.
I mention this because unsaid in this article is the fact that the AI password guessing software seems to have unlimited attempts to access a computer/system with no lock out to impede them while it goes through its algorithm-driven computational gymnastics while guessing at a password.
I don’t.
Does anyone know how these AI password systems fare in a limited attempt lockout controlled access system?
Every financial institution with which I do business does the same, three failed login attempts and you’re locked out, please call (number) to confirm identity and regain access. They have quite a litany of questions, too, several of which would not be possible to guess. The only way a potential hacker would know, would be if you’d saved it on your system and they’d not just gained access to it, but knew what it was and where it was used. My credit union asks how I first heard of them, when I signed up and why, in addition to address, next of kin listed on the account, and they ask for the account number, they’ll never assume.
I have a device with a password that has exponential pauses between attempts. The first pause is one second. The second is two, third would be four seconds. And so on. So if you are guessing, it’s going to be a long time before you can overwhelm it.
Hmm, it sounds like your company is pretty lax when it actually comes to resetting your password.
If I lock myself out of the system, I physically have to go to the IT department and have my fingerprint scanned before they will unlock it. And we have 2-step authentication at work: our CAC card and a PIN. It is conceivable that one could guess the PIN, but the card encryption is more difficult to crack--especially since I keep my card in an RFID proof sleeve when I am not using it. Yes, I do work for the government.
Most of the time, hackers use something like this AI tool to guess a list of passwords on some insecure site with a lot of users like instagram, linkedin, wordpress etc... then they will take that list along with your profile to try them on bank sites etc trying two logins and then waiting 20 minutes, change ips etc... that script runs for days until they get into a couple of the interesting sites.
Only the people that use the same password on the insecure sites and the secure sites will be vulnerable.