ELI5: How is "brute forcing" a password possible when most devices lock you out after a few failed attempts?
Brute forcing works because hackers often attack the website’s server instead of your phone, or they use tricks like trying one password on many accounts to avoid getting locked out.
Think of it like a lock on your front door. If you try to open it with the wrong key three times, the door might beep and stop letting you try. That’s your device’s lockout. But hackers don’t usually try keys on your actual door. Instead, they try to pick the lock at the neighbor’s house (the website’s server) where there’s no alarm, or they use a magic list of keys that other people already lost.
Here is how they sneak past the lockout:
- Attacking the server, not the device: When you log into a website, your phone sends your password to the website’s big computer (server). That computer might not have a lockout rule, so the hacker’s robot can try billions of guesses per second there [1][4].
- Password spraying: Instead of trying 1,000 passwords on one person (which would lock them out), the hacker tries one common password like "123456" on 1,000 different people. Since they only try once per person, no one gets locked out [3][7].
- Using leaked lists: Most hackers don’t guess randomly. They use lists of real passwords that were stolen from other sites. If you use the same password everywhere, the robot just tries that one real password and gets in instantly [2][5].
- Offline cracking: Sometimes hackers steal the website’s password list and try to guess the passwords on their own super-fast computer, where no lockout rules exist at all [1].
How was this explanation?
Follow-Up Questions
Still curious? Ask a follow-up!
Test Your Understanding
Take a quick quiz and challenge your friends!
📧 Get this explanation by email
Receive this explanation in your inbox, plus get weekly simple explanations of trending topics!