timppu: That occurred to me as Snowden mentioned in that video that a normal 8-digit password can be brute-forced in less than a second. I presume he was referring to a case where you have a whole username/password database in your own possession, not when trying to repeatedly log in to someone's account on some website with a bot script?
Common passwords and the most often used characters and combinations...

But most likely breaking passwords is a lot faster and simpler if you have the checksum/hash result and then brute force converting to the hash... Actually there's a good video on breaking 400,000 passwords in which they talk in detail about how they do it.

https://www.youtube.com/watch?v=0WPny7wk960
real.geizterfahr: I hope (and think) we're talking about people trying to log in on GOG.com, because there's no "brute force safe" password if someone has a local copy of the database. Modern CPUs wouldn't need a lot of time to throw a dictionary at our accounts if there's no slow server in their way.
If the passwords are well salted and hashed, even a copy of the database won't help you if the users have at least half-safe passwords.
real.geizterfahr: I hope (and think) we're talking about people trying to log in on GOG.com
Ok then, but doesn't GOG currently have some measures against repeated (failed) login attempts? Or was I merely dreaming when I saw some such verification screen once when I logged into GOG.com? (I recall it was one of those where you had to select pictures with some item on them, but it might be I am confusing it with some other site's antibot verification...).

Hmm, should I try to log in repeatedly to GOG with a wrong password, to see if it comes again? Or then GOG.com freezes my account for too many failed logins.
timppu: Ok then, but doesn't GOG currently have some measures against repeated (failed) login attempts?
They have. That's why I think we're talking about people trying to brute force the passwords online.
timppu: By the way, when talking about these "brute force attacks", are people suggesting scripts trying to log in continuously to different GOG.com accounts, or hackers having an offline database with usernames and passwords, and trying to brute-force the passwords out of it?
real.geizterfahr: I hope (and think) we're talking about people trying to log in on GOG.com, because there's no "brute force safe" password if someone has a local copy of the database. Modern CPUs wouldn't need a lot of time to throw a dictionary at our accounts if there's no slow server in their way.
Do you really believe that the server is the only thing that protects your bank account?
http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/
timppu: Ok then, but doesn't GOG currently have some measures against repeated (failed) login attempts?
real.geizterfahr: They have. That's why I think we're talking about people trying to brute force the passwords online.
But wouldn't such anti-measures block such bot scripts from repeatedly trying to log in with different passwords? Or do those bots know how to bypass the verification?

Or then you mean something completely different with "brute force passwords online" than I do...
If it's a botnet, that would be hard if the botnet has thousands of compromised PCs across the world. That's why they block your account when multiple log-in attempts take place.

You don't have to worry too much: develop an easy way to generate secure passwords, use the classic pen & paper, or use a password manager like KeePass. Other than your bank account, I don't think anyone would waste the resources of a botnet on anything else.
timppu: But wouldn't such anti-measures block such bot scripts from repeatedly trying to log in with different passwords? Or do those bots know how to bypass the verification?
Depending on what the extra measures are, they may be useless...

Consider, some places add a 5-15 minute enforced delay before trying again after N password attempts. For a single account, this would kill bots for brute force cracking or going via a list; however, they probably have several hundred or a few thousand IDs. With hundreds of IDs, as soon as they hit their limit, they move on to the next one with the same passwords, and by the time they come back around that time limit is up. If it's linked to an IP address, with several bots hitting the account, each IP may get blocked for 5-15 minutes. If it's cookie related (for the counter of how many attempts have been made), simply clearing the cookie would let them continue. If an IP can only make 3-5 attempts per 5-15 minutes on any account, period, then simply using another proxy would give them another IP they could work with for another 3-5 attempts.

Assuming the weak passwords are within a predetermined list of say 10,000 weak passwords, at 1 attempt per second, you'd break it within 7 days.... It merely comes down to how many bots and how the deterrent is set up.

I'm reminded back when I had an open FTP server, with two accounts... anonymous, where I could put files I'd share with anyone and everyone, even if they were silly or utilities... and a private account. Someone found my FTP server and every second was hitting it with 1-2 password attempts on an account name that didn't exist (administrator). Some of the passwords attempted were very interesting...
OlivawR: or use a password manager like keepass.
I remember using a password manager once.. I had a master password that it used to generate and encrypt new hashes from, and then when I needed a new password I clicked on it and it would generate the next one. I could even customize what letters were allowed by the password field, making it very customizable... Good for when I needed unique passwords every month for a business account...
Post edited September 09, 2015 by rtcvb32
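The lockout-evasion pattern described in the post above (few attempts per account, rotated across many accounts, with counters that are only per-account or per-cookie) is what a defender's failed-login monitor has to catch. The following is an added example, not code from the thread or from GOG: a sliding-window tracker with a per-account counter, a per-IP counter and a per-IP distinct-account counter, replayed over constructed log lines of the form `<epoch_seconds> FAIL <account> <ip>`. The window and limits are assumed demo values, not any real site's policy.

```python
"""Added example (not from the thread): a failed-login tracker that keeps a
per-account counter, a per-IP counter and a per-IP distinct-account counter,
replayed over constructed log lines "<epoch_seconds> FAIL <account> <ip>".
The policy numbers are assumptions for the demo, not any real site's settings."""
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60          # the 5-15 minute window from the thread (15 min here)
ACCOUNT_LIMIT = 5                 # failures per account per window before lockout
IP_LIMIT = 20                     # failures per source IP per window
DISTINCT_ACCOUNTS_PER_IP = 10     # distinct accounts one IP may fail against per window


class FailedLoginTracker:
    """Sliding-window counters keyed on account and on source IP."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.by_account = defaultdict(deque)   # account -> deque of timestamps
        self.by_ip = defaultdict(deque)        # ip -> deque of (timestamp, account)

    def _expire(self, dq, now, ts_of):
        # Drop entries older than the window from the left of the deque.
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    def record_failure(self, ts, account, ip):
        """Record one failed login; return the set of rules it trips."""
        tripped = set()

        acct = self.by_account[account]
        self._expire(acct, ts, lambda t: t)
        acct.append(ts)
        if len(acct) >= ACCOUNT_LIMIT:
            tripped.add("account_lockout")

        ipq = self.by_ip[ip]
        self._expire(ipq, ts, lambda e: e[0])
        ipq.append((ts, account))
        if len(ipq) >= IP_LIMIT:
            tripped.add("ip_ratelimit")
        # Spraying: few attempts per account, but many accounts from one source.
        if len({a for _, a in ipq}) >= DISTINCT_ACCOUNTS_PER_IP:
            tripped.add("password_spray")
        return tripped


def first_trip(log_lines):
    """Replay log lines; return {rule: index of the first line that tripped it}."""
    tracker = FailedLoginTracker()
    first = {}
    for i, line in enumerate(log_lines):
        ts, event, account, ip = line.split()
        if event != "FAIL":
            continue
        for rule in tracker.record_failure(int(ts), account, ip):
            first.setdefault(rule, i)
    return first


# Constructed sample logs (not real traffic).
# Scenario 1: one IP tries two passwords each against 12 different accounts.
SPRAY_LOG = [f"{1441792800 + n} FAIL user{n // 2:02d} 198.51.100.7" for n in range(24)]
# Scenario 2: one IP hammers a single account six times.
SINGLE_LOG = [f"{1441792800 + n} FAIL alice 203.0.113.9" for n in range(6)]

if __name__ == "__main__":
    print("spray :", first_trip(SPRAY_LOG))    # per-account lockout never fires here
    print("single:", first_trip(SINGLE_LOG))   # account_lockout fires on the 5th failure
```

In scenario 1 the per-account counter never reaches its limit (two tries per account), which is exactly the gap the post describes; only the per-IP views notice that one source is touching many accounts. The same code also shows the "come back around later" effect: once the window has passed, `_expire` empties the deque and the per-account count starts over, so the window length and the cross-account view have to be chosen together.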
I'm more surprised that nobody used their username as password XD
timppu: But wouldn't such anti-measures block such bot scripts from repeatedly trying to log in with different passwords? Or do those bots know how to bypass the verification?

Or then you mean something completely different with "brute force passwords online" than I do...
I mean that it takes a lot of time to load the login pop-up and to wait for a response from the server every time you try the next password, compared to an offline copy of the database where everything happens on the same computer. I have no idea how hackers deal with captcha and co.

OlivawR: Do you really believe that the server is the only thing that protects your bank account?
http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/
No, I don't. But good luck taking over 4000 accounts in 5 days when you have to deal with server response time on every single try. Read the "25-GPU cluster cracks every standard Windows password in <6 hours" article (linked on the site you linked) to see what I mean.
A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second.
You won't even get 1 guess per second when you try this on GOG's website ;) A slow server is the best protection against brute force cracking, because there's no "brute force".

real.geizterfahr: You won't even get 1 guess per second when you try this on GOG's website ;) A slow server is the best protection against brute force cracking, because there's no "brute force".
Brute force is always the last resort. That's why you don't brute force. To brute force an 8 character password, 8 bits each making a 64-bit result, would be 2^64 combinations, or 256^8; but since we tend to use a small subset of those (10 digits, 26 lowercase, 26 uppercase, 16 symbols) that takes it to 78, so 78^8, or about 2^51, which is 13 bits smaller (16,000x smaller).

However even that is a huge undertaking... In comparison, if you know people tend to use words, there are like 78,000 English words in the dictionary that you could go through. Someone had an image of an example of how many combinations/bits it takes to break a password, the donkey always right password...

http://www.explainxkcd.com/wiki/images/6/6a/password_strength.png
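The two posts above argue with numbers: an 8-character password over 78 symbols, a 78,000-word dictionary, 350 billion guesses per second for the GPU cluster in the linked article, and under one guess per second against a live login page. As an added example (not from the thread), the calculation carried through for each case, so the online/offline gap can be read off a table rather than estimated. The 1 guess/second online rate is the thread's generous figure, used here as an assumption.

```python
"""Added example (not from the thread): keyspace sizes and time-to-exhaust for the
figures quoted in the discussion. Guess rates are taken from the thread:
350 billion/s for the 25-GPU cluster, and an assumed 1/s against a live login form."""
import math

OFFLINE_RATE = 350e9   # guesses/second, the cluster figure quoted above
ONLINE_RATE = 1.0      # guesses/second, a generous figure for a live login form


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case: every combination is tried once."""
    return alphabet_size ** length / guesses_per_second


def human_time(seconds):
    """Format a duration in the largest unit that gives at least 1.0."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


# Scenarios from the thread: (label, alphabet size, length)
SCENARIOS = [
    ("8 bytes, any value", 256, 8),
    ("8 chars from 78 symbols", 78, 8),
    ("1 word from a 78,000-word dictionary", 78_000, 1),
    ("4 words from a 78,000-word dictionary", 78_000, 4),
]


def comparison_table():
    """Rows of (label, bits, offline exhaust time, online exhaust time)."""
    rows = []
    for label, alphabet, length in SCENARIOS:
        rows.append((label,
                     round(keyspace_bits(alphabet, length), 1),
                     human_time(seconds_to_exhaust(alphabet, length, OFFLINE_RATE)),
                     human_time(seconds_to_exhaust(alphabet, length, ONLINE_RATE))))
    return rows


if __name__ == "__main__":
    for label, bits, offline, online in comparison_table():
        print(f"{label:40s} {bits:6.1f} bits  offline: {offline:>16s}  online: {online:>22s}")
```

Two things fall out of the table. First, the 78-symbol 8-character space (about 50.3 bits) is exhausted offline in roughly an hour at the quoted rate, but would take tens of millions of years at one guess per second, which is the point real.geizterfahr is making about the server being the bottleneck. Second, the 78,000-word figure is an upper bound on English vocabulary; the xkcd comic itself assumes a far smaller list (about 11 bits per word, 44 bits for four words), and people draw from the common end of the dictionary, so a single-word password sits well below 16 bits in practice.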
But that beauty with 25 GPUs is still slow against bcrypt. If they had done that against the AM database, which is using it, they would need to kickstart the electricity bill.
OlivawR: But that beauty with 25 GPUs it's still slow against bcrypt. If they had done that against the AM database, which is using it, they would need to kickstart the electricity bill.
Not sure if that matters... Weak passwords will break faster. If BCrypt is too much trouble, then simply working a large number of hashes of the weakest ones will still yield a result. Now if that login can lead you to root access....

Hmmm I wonder... if someone was hacking it and it appeared to be too much trouble to hack, they could just randomize all the password fields, then let them deal with possibly floods of people who can't log in... and maybe randomize other data too..
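The exchange above turns on two properties of password storage: a per-user salt (so a leaked table cannot be attacked with precomputed hashes, and identical passwords do not share a hash) and a deliberately slow work factor (bcrypt in the Ashley Madison case, which is what makes the 25-GPU cluster "slow"). As an added example, not code from the thread or from any of the sites discussed, here is a storage and verification routine showing both. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (assumption: no third-party package available); the iteration count and the record format are demo choices.

```python
"""Added example (not from the thread): per-user salted, deliberately slow password
hashing with constant-time verification. PBKDF2-HMAC-SHA256 from the standard
library stands in for bcrypt here (assumption: no third-party package); the
iteration count is a demo value, not a production recommendation."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000     # demo work factor; tune to the time budget per login
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record, min_iterations=ITERATIONS):
    """True when a stored record uses a weaker work factor than current policy."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < min_iterations


def salts_differ(password):
    """Two records for one password must differ: the salt defeats precomputed tables."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


def cost_ratio(password="demo-password-1", iterations=ITERATIONS, rounds=3):
    """Rough ratio of one PBKDF2 guess to one raw SHA-256 guess on this machine."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    slow = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    for _ in range(rounds * 1000):
        hashlib.sha256(salt + password.encode()).digest()
    fast = (time.perf_counter() - t0) / (rounds * 1000)
    return slow / fast


if __name__ == "__main__":
    rec = hash_password("demo-password-1")   # constructed demo credential
    print(rec)
    print("verify ok :", verify_password("demo-password-1", rec))
    print("verify bad:", verify_password("demo-password-2", rec))
    print("same password, different salts:", salts_differ("demo-password-1"))
    print(f"one slow guess costs about {cost_ratio():,.0f} raw SHA-256 guesses")
```

`cost_ratio` is the number that matters for rtcvb32's point: the work factor multiplies the cost of every guess, so it stretches the cracking time for weak passwords as much as for strong ones, but it cannot turn a top-10,000 password into a strong one; a 10,000-entry list is still only 10,000 slow guesses per user. `needs_rehash` is the hook for raising the work factor over time as hardware improves, which is why the record carries its own iteration count.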
goddamnmotherfuckingshitsonofabitch

Hey, it showed my password
Post edited September 09, 2015 by OldFatGuy
rtcvb32: Someone had an image of an example of how many combinations/bits it takes to break a password, the donkey always right password...

http://www.explainxkcd.com/wiki/images/6/6a/password_strength.png
Yupp. That's exactly what I meant earlier when I said that I love sites where you can set stuff like R2D2AndC3POAreMyFavoriteDroids!HaveFunHackingThis! as your password. Dictionaries are useless there and brute forcing it is pretty much impossible. Sadly there are quite a few websites that tell you that your password is too long if you use more than 12 or 16 characters (I even saw a 10 character limit once) -.-