Q: Many password-protected websites give you a few chances to type in your password correctly, then lock you out if you type the wrong thing. You then must type in a code or answer a "secret question" to prove who you are.

So why do I see TV shows in which smart criminals use a computer to test, say, 10,000 passwords a minute until they get the right one to break into a website? Why aren't the criminals locked out after a few wrong passwords?

A: The TV shows are less far-fetched than you might think.

The scenario you're describing is called a "brute force" attack. A computer connects to a web server and rapidly tries a long list of possible passwords until it hits the right one. A real brute force attack would require about two hours to crack an eight-character password composed of letters (upper and lower case), numbers and special characters (see tinyurl.com/4r2debx3).

How would the attackers avoid being locked out during those two hours? Sophisticated hackers could disable the server's "intrusion detection system," or its automatic "password attempt limit" (which normally locks a person out after a few wrong tries).

But because brute force attacks require some expertise, they're less common than a simpler threat called a "dictionary attack." The "dictionary" is a short list of common passwords that a computer can try in much less than two hours. These attacks succeed when people use simple passwords, such as "password" and "123456," which take fractions of a second to crack.

While it's hard to believe that people still use such vulnerable passwords, here's an interesting fact: The 2019 attack on Texas IT company SolarWinds, a federal contractor, revealed that an employee used the password "solarwinds123" to access a server. A Congressional investigation criticized the use of such simple passwords, but the company determined the password was not the vehicle of the attack.

And, based on data from other breaches, a list of the most common passwords of 2020 shows how often each one was hacked and how little time it took (see tinyurl.com/zu2ekpdt). That list includes "abc123," "111111" and "iloveyou."

The best defense against brute force and dictionary attacks is to use a password that is a long combination of letters, numbers and symbols that would be meaningless to anyone but you. These so-called "nonpredictable passwords" are far more difficult to hack.
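The "password attempt limit" and the dictionary of common passwords described above, as an added illustration that is not part of the original column: a per-account lockout gate checked against a constructed deny-list. `LoginGate`, `is_predictable`, the in-memory credential store and the sample account are assumptions, not any real site's code.

```python
import hmac
# Constructed deny-list of weak passwords named in the column (a real deployment
# would check against a much larger breached-password list).
COMMON_PASSWORDS = {"password", "123456", "abc123", "111111", "iloveyou",
                    "solarwinds123"}
MAX_ATTEMPTS = 3            # wrong guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts

def is_predictable(password: str) -> bool:
    """True if the password is on the common-password list (dictionary-attack bait)."""
    return password.lower() in COMMON_PASSWORDS

class LoginGate:
    """Per-account password-attempt limit. `credentials` is a hypothetical
    in-memory store (username -> password); `clock` is injectable for testing."""
    def __init__(self, credentials, clock):
        self._credentials = credentials
        self._clock = clock
        self._failures = {}        # username -> consecutive wrong guesses
        self._locked_until = {}    # username -> time the lock expires

    def attempt(self, user: str, password: str) -> str:
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"        # refuse even a correct password while locked
        expected = self._credentials.get(user, "")
        # Constant-time comparison so response time does not leak how much matched.
        if user in self._credentials and hmac.compare_digest(
                expected.encode(), password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_ATTEMPTS:
            self._failures[user] = 0
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"

def guesses_before_lockout(gate: LoginGate, user: str, wordlist) -> int:
    """How many dictionary guesses the gate evaluates before locking `user`."""
    for n, guess in enumerate(wordlist, start=1):
        if gate.attempt(user, guess) == "locked":
            return n
    return len(wordlist)

if __name__ == "__main__":
    t = [0.0]                      # mutable fake clock
    gate = LoginGate({"alice": "correct horse battery staple"}, clock=lambda: t[0])
    print(guesses_before_lockout(gate, "alice", sorted(COMMON_PASSWORDS)))  # 3
    t[0] += LOCKOUT_SECONDS + 1    # wait out the lock
    print(gate.attempt("alice", "correct horse battery staple"))            # ok
```

With the limit in place, a wordlist of any length gets only three evaluations per account per lockout window, which is why the lock is the first control a site needs against the attacks the column describes.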

Q: I keep getting a Windows 10 message that's supposed to be from Microsoft — but I wonder if it's a scam. It reads: "We need to fix your Microsoft account (most likely your password changed). Select here to fix it in shared experiences settings." Are you familiar with this?

PIERRE GIRARD, Golden Valley

A: It's a legitimate Microsoft warning, but it's being triggered by a Windows 10 error. Several fixes have been suggested:

  • Disable your PC's "share across devices" feature, which makes it easy to exchange data with other computers and phones. (See the "settings app" method at tinyurl.com/3dknadj3.)
  • If you are logging into Windows 10 with your online Microsoft account password, switch to a "local" account that doesn't depend on your online identity (see tinyurl.com/act82bu4).
  • Make sure your PC is a "trusted device" that's listed in your Microsoft account (see tinyurl.com/sykz6wzk).

E-mail tech questions to steve.j.alexander@gmail.com or write to Tech Q&A, 650 3rd Av. S., Suite 1300, Minneapolis, MN 55488. Include name, city and telephone number.

Correction: This column was updated to note that the simple password used by an employee at the SolarWinds IT company was determined not to have been the route of a 2019 cyberattack on it.