Stupid password rules
- Thread starter UberTiger
- Start date
Soldato
The common scenario is a leaked database in which case they aren't trying to brute force one individual. Rather they are trying billions of combinations and seeing if any of the hashed or encrypted passwords match. When they do, add that user to the pile. That's why it's so important that organizations properly secure the passwords in their databases. As mrbell says, brute forcing through the normal log in front-end is usually not possible because it's super-slow and implements a lock out every X failed attempts.
Not that I'm saying there are never targeted attacks to brute force specific individual's passwords. But you usually need the stolen database records to do this. Hence spear phishing which attempts to trick the targeted user into revealing the credentials. You'd be amazed at what the Chinese will do to pursue a valued target. Days spent researching them online, impersonating friends, going through entire social media histories, all to get a complete file of useful information - old pets, ex girlfriends, where they went to school, list of friends to impersonate. If you're worth someone's while, then a few days searching and profiling you is nothing. Those "Where did you go to school" and "Mother's Maiden Name" security questions? I hate them. Lie, always lie!
Possibly pointless fighting over terminology but it is still a brute force attack. If it contains hashes (hopefully not) or encrypted passwords (hopefully yes), then you're running through billions of iterations trying to find what matches and that's what brute forcing is. It doesn't only apply to trying to do that through the front-end.
Last edited:
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
Well a leaked database is a big breach not 1 password that's been brute forced. Completely different kind of security issues there if that happens.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
My information is all fake when it comes to that stuff. That kind of security shouldn't be used. Remember MSN Messenger password resets? It was exactly that. Guessable information.
I always assumed it was some government initiative to make gaining entry to people's accounts 1000x easier for them
Those security questions - if answered with correct details - make your accounts much much less secure. I hope most people can see that a mile off.
Soldato
I think you've misread or misunderstood the post.
He was talking about performing a brute force attack against an encrypted password in a leaked database (eg removing the front-end limitations of speed, limit on incorrect tries, etc) and then when discovered, using that password against other sites where that user might have an account.
Pass phrases are OK, people misunderstand that XKCD comic... an easy to remember long passphrase is fine. It doesn't have to be 4 words, you could use 5 or 6 if you like.
One point people tend to miss is the use of random words, see for example the blog post below:
Now that blog post gives examples like: "iloveyousomuch" and "i hate hackers" etc.. those clearly aren't random words.
Man of Honour
Who cares what the password is if you have 2 factor auth?
Every service on the planet should have 2fa in 2019.
Or as Google is currently working on, eliminate the password altogether and rely on biometrics/localised password store for one password to rule the all for logins into websites/services/apps etc.
Every service on the planet should have 2fa in 2019.
Or as Google is currently working on, eliminate the password altogether and rely on biometrics/localised password store for one password to rule the all for logins into websites/services/apps etc.
In fairness that does depend on if the cracker is using basic characters or full set. I.E if it's only using basic char set (lower case + upper case + numbers) then 10whitechurchlane will be cracked extremely easily compared to how long it takes a cracker running extended set to crack 1@£hUb833_
Not that it matters either way, it's not 1997 and brute force attacks on login servers simply don't work anymore (unless it's an NT server 4.0 machine or something...) as the server will blacklist the IP after a handful of attempts.
People who hate 2fa?
Seriously why should I have to have that nonsense wasting my time just because some other people need their hands holding when using the internet? >.>
Soldato
Is Lastpass still a decent password manager to use? I'd be willing to pay for a decent app if required.
Soldato
I'm still vary of longer passwords. I remember cPanel years ago only recognising the first 8 letters of a password. So if you had set a password with 12 letters you could still log in by only entering the first 8 letters.
Soldato
Arbitrary password schemes annoy me.
At work we use a single sign on system, so the password requires that you must have a capital, a symbol, a number (fairly standard) but it must begin and end with a letter. Everyone I've spoke to gets around this by chucking an "a" at the end of whichever password they've chosen. When the 90 day refresh rolls around they just change "a" to "b" and keep the same password
Sounds like GE SSO, I also change the last letter of mine every time.
Soldato
This is a great move, surely it could be implemented with a USB device for PCs? Most phones and tablets can read a fingerprint already and I log in to a few apps with it. If it's secure enough for the bank, then surely fingerprint technology is secure enough for Amazon etc..?
Passwords should be extinct soon.
NatWest trials fingerprint debit cards to remove £30 limit
https://www.theguardian.com/money/2...s-fingerprint-debit-cards-to-remove-30-limit?
Passwords should be extinct soon.
NatWest trials fingerprint debit cards to remove £30 limit
https://www.theguardian.com/money/2...s-fingerprint-debit-cards-to-remove-30-limit?
Apple Pay (and/or similar) already solves this issue, though some retailers like Tesco etc.. kept the £30 limit in place. Hopefully that will be changing in future.
