Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: dp0622; palmer

‘Couldn’t someone run billions of combinations to get access? or is that just in the movies’

That works with old systems. I hope and pray Obama hasn’t kept us THAT antiquated.

But I’m not a tech guy.

Palmer is.

My fuzzy understanding is this:

Modern systems are protected through offering you only a few chances — like four — within a short period of time. Then there are ‘cool down’ periods which can get longer and longer. That prevents ‘powering’ as I understand it.

The concept of powering began as an automatic safe cracking machine. It had a spinner [probably not the right term but ...], an automated spinning machine modeled after a lathe that you put on the safe’s dial. It would ‘power’ its way through every possible number to cause each tumbler to ‘click’.


75 posted on 10/22/2016 4:45:00 AM PDT by Arthur Wildfire! March (Hillary's Trickle Up policy: take bribes, sell sleazy pardons, water down AIDS medicine.)


To: Arthur Wildfire! March
Yes, you are describing protections against brute forcing. When a system is remote from an attacker, the attacker must connect, try a password or key, then try a few more times while the remote system returns failure messages. After a small number of attempts the remote system closes the connection and times out or it can time out between attempts. At some number of failed attempts it can simply lock out the account.

Even better if an attacker fails with some number of obvious passwords (e.g. pass, password, pass123, changeme, etc) then the remote system can determine that it is being attacked. At that point the remote system can redirect the attacker into a honeypot. Now the trick is to fool the attacker into thinking they got in when they did not. That means presenting delicious looking data that is actually fake. The whole idea is to waste the attacker's time and computing resources in a giant dead end.

Even better is to draw the attacker into the honeypot and then assume that the attacker uses insecure code to parse the data that they steal. Then present the attacker with delicious looking data that actually contains your own trojan horses. The attacker steals the data and starts to parse it on their machine and the data exploits a weakness in their parse and takes over their machine. Now you are not just wasting the attacker's time, but you are potentially destroying some of their capability.

77 posted on 10/22/2016 6:00:48 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)
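The server-side protections described in posts 75 and 77 (a few tries, cool-downs that grow, eventual lockout, and noticing a run of obvious passwords), sketched as an added example that is not from either poster. The class name, thresholds, and the `verified` flag (the result of the real credential check, supplied by the caller) are assumptions; the example only raises a `suspect` flag and does not implement any redirect.

```python
COMMON_GUESSES = {"pass", "password", "pass123", "changeme"}  # the post's examples

class LoginThrottle:
    """Per-account limiter: N tries per window, doubling cool-down, hard lockout."""

    def __init__(self, max_tries=4, window=60.0, base_cooldown=30.0,
                 lockout_after=12, common_limit=3):  # assumed thresholds
        self.max_tries, self.window = max_tries, window
        self.base_cooldown, self.lockout_after = base_cooldown, lockout_after
        self.common_limit = common_limit
        self.accounts = {}

    def _state(self, account):
        return self.accounts.setdefault(account, {
            "recent": [], "total": 0, "strikes": 0, "until": 0.0,
            "common": 0, "suspect": False, "locked": False})

    def attempt(self, account, password, verified, now):
        """Return 'ok', 'fail', 'cooldown' or 'locked' for one login attempt."""
        s = self._state(account)
        if s["locked"]:
            return "locked"              # stays locked even for the right password
        if now < s["until"]:
            return "cooldown"            # attempt is refused without being checked
        if verified:
            s.update(recent=[], total=0, strikes=0)
            return "ok"
        s["total"] += 1
        if password in COMMON_GUESSES:   # a run of obvious guesses marks an attack
            s["common"] += 1
            s["suspect"] = s["suspect"] or s["common"] >= self.common_limit
        if s["total"] >= self.lockout_after:
            s["locked"] = True
            return "locked"
        # Keep only failures inside the sliding window, then add this one.
        s["recent"] = [t for t in s["recent"] if now - t < self.window] + [now]
        if len(s["recent"]) >= self.max_tries:
            s["strikes"] += 1            # each burst doubles the next cool-down
            s["until"] = now + self.base_cooldown * 2 ** (s["strikes"] - 1)
            s["recent"] = []
        return "fail"

def demo():
    """Constructed guessing run against one account; returns outcomes and state."""
    t = LoginThrottle()
    guesses = ["pass", "password", "pass123", "changeme", "letmein"]
    times = [0, 1, 2, 3, 4, 33, 34, 35, 36, 50, 96, 97, 98, 99, 100]
    out = [t.attempt("alice", guesses[i % 5], False, now)
           for i, now in enumerate(times)]
    return out, t.accounts["alice"]
```

With these numbers an online guesser gets at most 12 wrong guesses per account before lockout, and the second cool-down (60 s) is twice the first (30 s).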

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson