Well, that's my question. Does anyone chain together several million zombie PCs, all to attack one computer account, and, if so, is it effective given the measures put in place to shut down accounts with multiple bad password guesses? It's a serious question: does this really happen? With half a million PCs working nonstop, it'd take 3/4 of a million years to crack my "insecure" password.
My guess is that social engineering is the usual path: emails stating "oh noes! your account has been compromised, log onto our website with this handy link and enter your password now!!!!"
And, oh ya, the waiter stealing my credit card number when he runs my bill.
edit: it would also be my guess that the zombie PCs are attacking things like Amazon servers and the like, where there are several million CC#s for the taking, rather than my bank account with a few digits' worth of cash in it.
No, no, no. Usually, attempts to brute-force a password are not done directly on a service (say, for example, Amazon, or a credit card site). Those are protected with timeouts, logs, etc. And few try to directly attack an end-user's computer via password compromise because the amount of traffic needed to do an over-the-'net brute forcing would be all too noticeable to the ISPs handling the traffic, not to mention the fact that you never know when you're either hitting a computer that is indeed protected with strong passwords, or walking right into a honeypot.
No, the largest number of "hacks" are indeed social, just like you think, and they don't involve compromising a password on a computer at all. But when you exclude those, many of the rest of the attacks that occur concentrate on operating system vulnerabilities, not password compromises (that, BTW, is part of the reason why Windows is always bugging you to install updates; a good chunk of those are security fixes). Once in on a computer, they then rip off the password (actually, the password hash), and it's only after that when they try to break it using a distributed network.
So why break the password of a computer you've already broken into? Because there's a damn good chance that password is used elsewhere, that's why. Or it uses information that can be used to narrow down a further compromise elsewhere. This is especially true if the computer is on a managed network (like an Active Directory) and the system uses single sign-on for other resources; one password, multiple resources.
So anyway, instead of bouncing off of the security setup, malicious intruders simply use the username, enter the cracked password, and they're in. You never actually try to work on the "lock", i.e., the password, right at the point a user enters it. You steal the "key", i.e., the stored, encrypted form of the password, then you crack it so you can use that newly cracked key at all the locks it's used at without being noticed.
That's one way to do it. But the point is that malicious intruders know better than to attack the system or computer directly. That sets off too many alarms. No, the key for them is to steal the password and crack it in a way that doesn't alert the systems the password allows access to that it's being worked on.
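The reply's point about stealing the stored form of the password and cracking it away from the service, as an added example (not code from either poster): a constructed wordlist is run against an unsalted SHA-256 record and against a salted PBKDF2 record, and a lockout-delay function shows what the same guesses would cost against the live login instead. The wordlist, the 200,000-iteration work factor and the 3-failures/900-second lockout policy are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo data: a tiny wordlist standing in for a leaked-password list,
# and a weak password that happens to be on it.
WORDLIST = ["letmein", "password", "qwerty", "hunter2", "summer2009"]

def store_fast(password: str) -> str:
    """Weak at-rest form: one unsalted SHA-256 of the password. This is the 'key'
    an intruder copies off a compromised machine and can work on offline."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_slow(password: str, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Stronger at-rest form: per-record random salt plus PBKDF2-HMAC-SHA256 with a
    high work factor, so every offline guess costs the attacker `iterations` hashes."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_slow(guess: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Constant-time check of a guess against a salted PBKDF2 record."""
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)

def crack_offline(verify, wordlist):
    """Dictionary run against a stolen record. Nothing touches the live service, so
    lockout thresholds and login logs never see it; only the stored hash's work factor
    limits the guess rate. Returns (recovered_password_or_None, guesses, seconds)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if verify(guess):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start

def online_lockout_delay(guesses: int, threshold: int = 3, lockout_seconds: int = 900) -> int:
    """Seconds of forced waiting the same guesses would incur against the live login,
    where every `threshold` consecutive failures trigger one lockout period."""
    return ((guesses - 1) // threshold) * lockout_seconds

if __name__ == "__main__":
    secret = "hunter2"
    fast_hash = store_fast(secret)
    salt, slow_hash = store_slow(secret)
    print("unsalted SHA-256:", crack_offline(lambda g: store_fast(g) == fast_hash, WORDLIST))
    print("salted PBKDF2:   ", crack_offline(lambda g: verify_slow(g, salt, slow_hash), WORDLIST))
    print("online delay for", len(WORDLIST), "guesses:", online_lockout_delay(len(WORDLIST)), "s")
```

The timing column shows the contrast the reply draws: the unsalted record falls in microseconds, the PBKDF2 record costs four full work-factor evaluations, and neither run would ever appear in the service's logs.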