Reading mode: Light Dark

Brute force password cracking

Go to last post
S

skyglider

Veteran Member
Messages
7,279
Solutions
21
Reaction score
2,010
Location
US
I've read that using brute force methods, the cracker could have a computer try hundreds of thousands, if not millions of combinations and crack a password. The time to do that is calculated by taking the number of possible combinations and the speed of the computer.

But that doesn't make sense to me. If someone gave the cracker the actual password and he set it as THE PASSWORD TO MATCH in his computer, then had his program try all possible combinations until there was a match, then the time it takes to crack the password would be what they said.

But in actual practice, say the cracker tried a brute force method against my bank. Wouldn't his computer have to try password-1 and have the bank's computer accept or reject it. Then try password-2, etc, etc. This could only proceed at the speed of the bank's online system and line speed. So it seems to me that the brute force software could not run faster than the bank's system and line speed. ---- Plus, wouldn't the bank stop accepting passwords due to too many being tried?

This is not even mentioning that the cracker needs to know the username to even try to crack the password.

What am I over looking in my thinking?
 
Last edited:
Solution
Billiam29
I’m no security expert by any means, but here is the overall impression I currently have.

Brute force attacking is used when a database/file with usernames and passwords is stolen from a web site or system that has been compromised at the administrative level. The password values stored within the database are (hopefully) encrypted in some form or another.

The brute forcing isn’t interactive attempts to gain access to the web site. It is attempts using different combinations of encryption methods and “seed” values to see if they produce the same encrypted value stored in the database. If they do, then you can reverse the process to get the actual password and use it to go back the compromised system and interactively log into it...
skyglider said:
I've read that using brute force methods, the cracker could have a computer try hundreds of thousands, if not millions of combinations and crack a password. The time to do that is calculated by taking the number of possible combinations and the speed of the computer.

But that doesn't make sense to me. If someone gave the cracker the actual password and he set it as THE PASSWORD TO MATCH in his computer, then had his program try all possible combinations until there was a match, then the time it takes to crack the password would be what they said.

But in actual practice, say the cracker tried a brute force method against my bank. Wouldn't his computer have to try password-1 and have the bank's computer accept or reject it. Then try password-2, etc, etc. This could only proceed at the speed of the bank's online system and line speed. So it seems to me that the brute force software could not run faster than the bank's system and line speed. ---- Plus, wouldn't the bank stop accepting passwords due to too many being tried?

This is not even mentioning that the cracker needs to know the username to even try to crack the password.

What am I over looking in my thinking?
Click to expand...
The banks and financial institutions I'm familiar with lock out after 3 false entries, brute force won't work AFAIK, the ID & PW is needed.

Keyloggers used to be one of the more common ways to get users IDs & passwords. Other types of malware will install on a user's computer and search for login credentials. There are increasing protections against them, i.e. 2 factor authentication when a device from a different IP address attempts to login, etc.

In a somewhat related area, accessing a bank via an open wifi connection, i.e. coffee shop, airport, etc. without a VPN can lead to a "man in the middle" compromise - a nearby hacker sets up a free, open wifi hotspot and names it something a user might believe is OK to connect to. The hacker loads a few look alike bank webpages and collects the logins when the user connects to the hackers wifi hotspot and thinks he's loging into his bank.


Cheers,
Doug
 
Brute force crackers work best when you have the resulting hash of the password. Everything is done locally on the cracker's machine. In your example, that wouldn't work.

Another method is to distribute across several thousand accounts. The concept is the only thing that matters is the number of attempts, and you'll eventually get in to one of them. Why limit yourself to a single account?
 
I’m no security expert by any means, but here is the overall impression I currently have.

Brute force attacking is used when a database/file with usernames and passwords is stolen from a web site or system that has been compromised at the administrative level. The password values stored within the database are (hopefully) encrypted in some form or another.

The brute forcing isn’t interactive attempts to gain access to the web site. It is attempts using different combinations of encryption methods and “seed” values to see if they produce the same encrypted value stored in the database. If they do, then you can reverse the process to get the actual password and use it to go back the compromised system and interactively log into it. Taking it further, the process is repeated to see if a mathematical relationship can be found in the “seed” values that are successful. If so, then that could be applied to decrypt all of the passwords in the database and make it a candidate to be sold on the dark web.

Again, I am by no means a security or encryption expert. It’s about 80% certain that the specifics of what I typed above are wrong or woefully incomplete. I also completely ignored usernames and the possibility of those being encrypted. Hopefully though, the concepts I was trying to convey came across.
 
Solution
I definitely know of the term ‘salt’ and have seen it used many times. I honestly just wasn’t sure if it was the correct term for what I was trying to convey. Thanks for helping to confirm.
 
brn said:
tcg550 said:
As long as they don't try 123456 first I'm safe.
Click to expand...
I mix numbers and letters. No one will ever guess "password1".
Click to expand...
I logged into my state's treasury department today to file quarterly returns for my business. I only log in once per quarter, they make me change the password every time and the new password can't contain any part of the old password.

I just reverse the old password and they accept it. I guess they weren't serious about reusing any part of the old password.

What a pain in the behind.
 
Billiam29 said:
I’m no security expert by any means, but here is the overall impression I currently have.

Brute force attacking is used when a database/file with usernames and passwords is stolen from a web site or system that has been compromised at the administrative level. The password values stored within the database are (hopefully) encrypted in some form or another.

The brute forcing isn’t interactive attempts to gain access to the web site. It is attempts using different combinations of encryption methods and “seed” values to see if they produce the same encrypted value stored in the database. If they do, then you can reverse the process to get the actual password and use it to go back the compromised system and interactively log into it. Taking it further, the process is repeated to see if a mathematical relationship can be found in the “seed” values that are successful. If so, then that could be applied to decrypt all of the passwords in the database and make it a candidate to be sold on the dark web.

Again, I am by no means a security or encryption expert. It’s about 80% certain that the specifics of what I typed above are wrong or woefully incomplete. I also completely ignored usernames and the possibility of those being encrypted. Hopefully though, the concepts I was trying to convey came across.
Click to expand...
Hi Billiam29,

Thanks for your explanation. Now I understand how brute force cracking works.

So if a person, (say Tom), uses both a master password and a keyfile, then the cracker would have to gain access to Tom's computer and be able to find and extract the keyfile in order to brute force crack Tom's database?

Trying to figure out the angles,
Sky
 
tcg550 said:
brn said:
tcg550 said:
As long as they don't try 123456 first I'm safe.
Click to expand...
I mix numbers and letters. No one will ever guess "password1".
Click to expand...
I logged into my state's treasury department today to file quarterly returns for my business. I only log in once per quarter, they make me change the password every time and the new password can't contain any part of the old password.

I just reverse the old password and they accept it. I guess they weren't serious about reusing any part of the old password.

What a pain in the behind.
Click to expand...
The UK tax filing system requires two-factor authentication. If you haven't logged in for a week, you have to have a second access mechanism, preferably a mobile phone, and it sends you a short-lived code to enter. Of course, if someone steals your laptop and your phone...
 
Which generally banks do have, usually consists of 2 factor authentication and 3 failed attempts lockout, which pretty much removes the threat of brute force attacks. Poor security is using the same password for multiple accounts and using simple passwords. Most people are compromised by their own bad habits and poor security practices,if you follow some basic rules you will be fine, there's so much low hanging fruit that if you are sensible you should be OK.

However, for me, the real threat is companies data-mining your own systems. Google and Microsoft in particular. A huge problem is the insider threat, where a disgruntled employee releases or sells on security information or databases in large organisations. We've seen this happen many times. If you're putting all your eggs in one basket you're totally relying on their security. Organised crime will pay well for access to such information, as will foreign intelligence services. Brute force attacks are crude and unsophisticated and aren't really the real threat these days, social engineering is where you need to be vigilant, involving blackmail and bribery.
 
Simon Garrett said:
tcg550 said:
brn said:
tcg550 said:
As long as they don't try 123456 first I'm safe.
Click to expand...
I mix numbers and letters. No one will ever guess "password1".
Click to expand...
I logged into my state's treasury department today to file quarterly returns for my business. I only log in once per quarter, they make me change the password every time and the new password can't contain any part of the old password.

I just reverse the old password and they accept it. I guess they weren't serious about reusing any part of the old password.

What a pain in the behind.
Click to expand...
The UK tax filing system requires two-factor authentication. If you haven't logged in for a week, you have to have a second access mechanism, preferably a mobile phone, and it sends you a short-lived code to enter. Of course, if someone steals your laptop and your phone...
Click to expand...
They'd have to steal my thumb along with the phone.
 
I'll tell any hacker now that my password is **********. Thus must be correct since that what the computer says.
 
Austinian said:
Greybeard2017 said:
Sean Nelson said:
Greybeard2017 said:
They'd have to steal my thumb along with the phone.
Click to expand...
I'm not sure how much faith I'd place in the bet that there are no back doors into your phone...
Click to expand...
I'll take my chances that the average thief in this area won't know how to open them - even if they exists - which I doubt
Click to expand...
Unfortunately, thieves know how to search the Internet too.
Click to expand...
Then they would know that there are no back doors
 
Greybeard2017 said:
Austinian said:
Greybeard2017 said:
Sean Nelson said:
Greybeard2017 said:
They'd have to steal my thumb along with the phone.
Click to expand...
I'm not sure how much faith I'd place in the bet that there are no back doors into your phone...
Click to expand...
I'll take my chances that the average thief in this area won't know how to open them - even if they exists - which I doubt
Click to expand...
Unfortunately, thieves know how to search the Internet too.
Click to expand...
Then they would know that there are no back doors
Click to expand...
"I'm not sure how much faith I'd place in the bet that there are no back doors into your phone..."

Me either. That must be an unusual phone. Good luck in any case.
 
Austinian said:
Greybeard2017 said:
Austinian said:
Greybeard2017 said:
Sean Nelson said:
Greybeard2017 said:
They'd have to steal my thumb along with the phone.
Click to expand...
I'm not sure how much faith I'd place in the bet that there are no back doors into your phone...
Click to expand...
I'll take my chances that the average thief in this area won't know how to open them - even if they exists - which I doubt
Click to expand...
Unfortunately, thieves know how to search the Internet too.
Click to expand...
Then they would know that there are no back doors
Click to expand...
"I'm not sure how much faith I'd place in the bet that there are no back doors into your phone..."

Me either. That must be an unusual phone. Good luck in any case.
Click to expand...
Maybe you’d like to share the link that the average thief in my area could find on the internet that would allow him backdoor access into my phone.
 
You must log in or register to reply here.

Keyboard shortcuts

f
Forum
m
My threads
Mobile site
About
Editorial content
Cameras & Lenses
Community
All content, design, and layout are Copyright © 1998–2025 Digital Photography Review All Rights Reserved.
Reproduction in whole or part in any form or medium without specific written permission is prohibited.
When you use DPReview links to buy products, the site may earn a commission.
©GPS Media - Guides, Products, Services.
Back
Top