User Names and Passwords

There are a number of ways for hackers to discover user names. These names are used for various purposes and are publicly accessible. But a hacker can't do anything with just a user name. He also needs a password. In most cases, a hacker can't do anything even if he has your user name and password. That's because most accounts don't have enough privileges on the system to do anything harmful.

But that doesn't stop them. Hackers continue to gather user names and guess passwords in hopes of getting into an account that does have system privileges. To do this, they guess passwords of account after account until they find what they are looking for. Of course, if you have an account named Admin, they will start there and get in all that much more quickly. So first off, name your admin account something other than Admin.

Guessing Passwords

But how can hackers guess passwords? Unfortunately, that is far easier than it sounds. Most people choose very poor passwords. A great many people use "password" for their password. Hackers have lists of the most commonly used passwords and that alone can get them into quite a few accounts.

Dictionary Attacks

But hackers have an even more dangerous tool at their disposal. It's called a Dictionary Attack. It's named that because it started as a list of every word in the dictionary. They would run a script that would attempt to log in to your account over and over, systematically trying each word in the list for your password. If your password was one of the words in that list, eventually they would get in.

But wouldn't that take forever? No. The nice thing about computers is that they are fast and continue to get faster. This dictionary attack script can run through thousands (or even tens of thousands) of attempts every second! At this rate, their list no longer need be restricted to actual words. They can test every combination of lowercase letters, uppercase letters, numbers and special characters. Obviously, the longer the password, the longer it will take to crack it. But if you can leave this script running for hours (or days or weeks or longer) it will eventually break any password.

How Do You Stop It?

Servers have the ability to password protect files and directories and furthermore have the ability to detect when someone is denied access to one of these files or directories because they have entered an invalid password. They can even disable an account automatically after a set number of failed attempts.

So What's The Problem?

This only works on file and directory access. When you are logging in to most sites, you aren't using a password to access a particular file or directory. You are attempting to authenticate yourself as a user. This isn't handled by the server, so failed attempts aren't monitored by the server. Instead they are handled by the software package you are attempting to log in to.

So Why Doesn't The Software Monitor These Attempts?

That's a good question! Every package that uses a login system should have a monitoring system as well. WordPress (the software used to maintain this blog) does not have monitoring built in. However, there is a third-party add-on available that adds in that functionality.

I've added it in and it is currently active.

What Does That Mean For Users?

If there are five consecutive failed attempts to log in to any one account, that account will automatically be disabled. Any further attempts to log in to that account will fail and the user will receive a message that the account is disabled.

What Do I Do If My Account Becomes Disabled?

That's easy! Click on the "Forgotten Password" link. An email message will be sent to the address stored for that account. When you receive that email, click on the link in the message. That will let the system know that you are the one that requested a new password. A new password will be generated and emailed to you immediately. Also, your account will be reactivated.

This isn't 100% effective but for all practical purposes, this site should be all but invulnerable to dictionary attacks now.
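
The lockout and reactivation behaviour described above, as an added Python example. It is not the code of the WordPress add-on this site uses; the class name, method names and the in-memory plaintext password store are assumptions made for illustration.

```python
import secrets

MAX_FAILURES = 5  # threshold stated in the post


class LoginMonitor:
    """Counts consecutive failed logins per account and disables at the threshold."""

    def __init__(self, passwords):
        # Constructed demo store; a real site keeps salted password hashes, not plaintext.
        self.passwords = dict(passwords)
        self.failures = {user: 0 for user in self.passwords}
        self.disabled = set()
        self.reset_tokens = {}

    def login(self, user, password):
        if user not in self.passwords:
            return "invalid"             # same answer as a wrong password
        if user in self.disabled:
            return "disabled"            # refused even if the password is right
        if secrets.compare_digest(self.passwords[user].encode(), password.encode()):
            self.failures[user] = 0      # a success ends the consecutive run
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.disabled.add(user)      # the fifth miss disables the account
        return "invalid"

    def request_reset(self, user):
        """'Forgotten Password': returns the token that would be emailed as a link."""
        if user not in self.passwords:
            return None
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user
        return token

    def confirm_reset(self, token):
        """Clicking the emailed link: new password generated, account reactivated."""
        user = self.reset_tokens.pop(token, None)   # each token works only once
        if user is None:
            return None
        new_password = secrets.token_urlsafe(12)
        self.passwords[user] = new_password
        self.failures[user] = 0
        self.disabled.discard(user)
        return new_password
```

Because the counter tracks consecutive failures, one successful login clears it, and a disabled account stays disabled until the emailed link is used.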