Tech Q&A: Here’s what hackers do to get past password attempt limits, and what you can do to safeguard your computer

Question: Many password-protected websites give you a few chances to type in your password correctly, then lock you out if you type the wrong thing. You then must type in a code or answer a “secret question” to prove who you are.

So why do I see TV shows in which smart criminals use a computer to test, say, 10,000 passwords a minute until they get the right one to break into a website? Why aren’t the criminals locked out after a few wrong passwords? — J.R., Lakeland, Fla.

Answer: The TV shows are less far-fetched than you might think.

The scenario you’re describing is called a “brute force” attack. A computer connects to a web server and rapidly tries a long list of possible passwords until it hits the right one. A real brute force attack would require about two hours to crack an eight-character password composed of letters (upper and lower case), numbers and special characters (see

How would the attackers avoid being locked out during those two hours? Sophisticated hackers could disable the server’s “intrusion detection system,” or its automatic “password attempt limit” (which normally locks a person out after a few wrong tries).

But because brute force attacks require some expertise, they’re less common than a simpler threat called a “dictionary attack.” The “dictionary” is a short list of common passwords that a computer can try in much less than two hours. These attacks succeed when people use simple passwords, such as “password” and “123456,” which take fractions of a second to crack.

While it’s hard to believe that people use such vulnerable passwords, here’s an interesting fact: The 2019 attack on Texas IT company SolarWinds, which allowed hackers to spy on the federal government, may have been caused by an employee who used the server password “solarwinds123.” And, based on information from other data breaches, here’s a list of the most common passwords of 2020, how often they were hacked and how little time it took (see The password list includes “abc123,” “111111” and “iloveyou.”

The best defense against brute force and dictionary attacks is to use a password that is a long combination of letters, numbers and symbols that would be meaningless to anyone but you. These so-called “nonpredictable passwords” are far more difficult to hack.

Question: I keep getting a Windows 10 message that’s supposed to be from Microsoft — but I wonder if it’s a scam. It reads: “We need to fix your Microsoft account (most likely your password changed). Select here to fix it in shared experiences settings.” Are you familiar with this? — P.G., Golden Valley, Minn.

Answer: It’s a legitimate Microsoft warning, but it’s being triggered by a Windows 10 error. Several fixes have been suggested:

Disable your PC’s “share across devices” feature, which makes it easy to exchange data with other computers and phones. (See the “settings app” method at

If you are logging into Windows 10 with your online Microsoft account password, switch to a “local” account that doesn’t depend on your online identity (see

Make sure your PC is a “trusted device” that’s listed in your Microsoft account (see