How do they manage to do it when some simple encryptions are going to take years and the really good one (theoretically) centuries. Which other mean do they use except brute forcing?
In: 20
It depends on what you want to break, but let’s go with user accounts for something.
The first thing you can do is brute force short passwords. I don’t remember where we’re at right now, but cracking 8 character passwords through bruteforce is pretty easy nowadays. It’s basically worth the effort since computational power has come a long way.
From there, you could use leaks from websites. Once you’ve got a database, say from a hack of some organization. There have been quite a few. If the business was stupid enough to store the data in plain text, you already have a head start. People tend to reuse passwords across accounts, same for user names.
You can also crack passwords if they take longer once you have the database. That leads to tables of most commonly used passwords that would be hard to crack quickly. There’s something called [rainbow tables](https://en.wikipedia.org/wiki/Rainbow_table) which makes the cracking a lot faster.
ETA: If you know what you want to hack, you can try something like “Bankname1234” chances are that some will use some scheme like that to remember the password. If a website gives you the rules for passwords like minimum 8 characters, must include a capital letter, at least one number, a special character from this list, and no spaces, you can go to town with likely guesses. The landscape has changed and even the person who wrote some of the early guidelines on passwords [regrets them](https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity)
Of course, if you can get the target to give up their credentials by phishing, spear phishing (targeted phishing), using malware like keyloggers or good ol’ social engineering, then you’re golden.
Password reuse also doesn’t help. There are too many damn password these days to remember them all, that includes workplaces too.
You can also see if some piece of equipment is still on default passwords. A classic is some piece of networking equipment still on the “admin”, “admin” credentials. It basically doesn’t hurt to try these.
Then, you have that one time a [French TV station showed the password on camera](https://www.bbc.com/news/world-europe-32248779). Sometimes, you just have to be at the right place at the right time…
Latest Answers