ELI5: If someone chooses a weak password


If someone (call him Dave) chooses a weak password for a website, say one of many thousands of easily hacked passwords like “123454321AbC”, how is a hacker able to access Dave’s account on the site?

Because there are a LOT of weak passwords. Why wouldn’t relative obscurity save this user if the website adopted a simple, well-known process in which, say, 4 wrong entries of a password disables the account until a user manually calls in and verifies, and in this way a hacker would never have the opportunity to go through the very large set of weak passwords for Dave?


7 Answers

Anonymous

Most sites use an email address as username. Chances are Dave reuses passwords, so the attacker can use an existing database of leaked passwords to try if they know he uses that website. There have been many breaches and millions of passwords are known.

Let’s say a site has its user/pass database hashed so you can’t decode the password, but they didn’t salt the hash or made a poor choice of algo. It then leaks. You can then hash the public list of plaintext passwords and compare with the leaked data; this is much faster than trying to brute force the hashes. With a modern GPU it wouldn’t take long.
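An added example (not part of the answer above) showing the storage difference the answer describes: with an unsalted fast hash, equal passwords produce equal hashes and a single precomputed table covers every user, while a per-user salt with a slow KDF removes that shortcut. The function names, the PBKDF2 work factor and all sample users and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a public weak-password list.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "123454321AbC"]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_sha256(password: str) -> str:
    """Weak scheme: fast hash, no salt, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def exposed_by_lookup(leaked: dict) -> dict:
    """Audit a leaked unsalted table: one precomputed dict covers every user."""
    table = {unsalted_sha256(p): p for p in WEAK_PASSWORDS}
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], digest)


if __name__ == "__main__":
    # Constructed users: dave and erin picked the same weak password.
    users = {"dave": "123454321AbC", "erin": "123454321AbC",
             "carol": "plum-Orbit-78-lantern-Swim"}
    leaked = {u: unsalted_sha256(p) for u, p in users.items()}
    print("unsalted, resolved by lookup:", sorted(exposed_by_lookup(leaked)))

    records = {u: salted_record(p) for u, p in users.items()}
    same = records["dave"][1] == records["erin"][1]
    print("salted, dave and erin share a digest:", same)
    print("dave can still log in:", verify("123454321AbC", *records["dave"]))
```

Salting does not make a weak password strong; it forces each guess to be recomputed per user at the KDF's cost instead of being answered by one shared table.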
