Password Bruteforcing Security

136 views

I keep seeing these charts that say 8 characters password can be brute forced in about a second, with more security if you add number, symbol, special characters. As a bilingual, how come we don’t add other language characters? And won’t most sites block your attempt if you are Bruteforcing. Many sites already lock you out after ‘suspicious attempts’ or have 2fa. I can’t even sign into my own password manager on another device while traveling even if I wanted to.

In: 0

9 Answers

Anonymous 0 Comments

Brute forcing of passwords isn’t carried out by trying to log in to the live system. The attackers have obtained a copy of the password database, and work on it directly.

Anonymous 0 Comments

Brute forcing of passwords isn’t carried out by trying to log in to the live system. The attackers have obtained a copy of the password database, and work on it directly.

Anonymous 0 Comments

Brute forcing of passwords isn’t carried out by trying to log in to the live system. The attackers have obtained a copy of the password database, and work on it directly.

Anonymous 0 Comments

First, you almost never run into “live” brute force attacks, in that someone is trying to brute force a password on the actual server. Instead the password database is exfiltrated by some other means, and the attack is run on the database data, attempting to match passwords to their hashed values.

It’s not guaranteed that the backend running the authentication knows how to parse extended character sets. One website might support the Unicode character set, another might support plain ASCII, another might do ISO/IEC 8859. So using non-Latin characters isn’t a good general suggestion because websites might not know what to do with it.

Anonymous 0 Comments

First, you almost never run into “live” brute force attacks, in that someone is trying to brute force a password on the actual server. Instead the password database is exfiltrated by some other means, and the attack is run on the database data, attempting to match passwords to their hashed values.

It’s not guaranteed that the backend running the authentication knows how to parse extended character sets. One website might support the Unicode character set, another might support plain ASCII, another might do ISO/IEC 8859. So using non-Latin characters isn’t a good general suggestion because websites might not know what to do with it.

Anonymous 0 Comments

First, you almost never run into “live” brute force attacks, in that someone is trying to brute force a password on the actual server. Instead the password database is exfiltrated by some other means, and the attack is run on the database data, attempting to match passwords to their hashed values.

It’s not guaranteed that the backend running the authentication knows how to parse extended character sets. One website might support the Unicode character set, another might support plain ASCII, another might do ISO/IEC 8859. So using non-Latin characters isn’t a good general suggestion because websites might not know what to do with it.

Anonymous 0 Comments

As already mentioned, a bruteforce attack is not executed against a live system, it is against password data obtained through other ways. (system breach, stolen backups, rogue administrators, …)

These charts are a simplification and the main message is that the strength of your password will be significantly better (exponentially even) if you make it longer or include special characters.

The biggest reason for using MFA/2FA is to protect against credential stuffing attacks.
[https://owasp.org/www-community/attacks/Credential_stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)

With cloud systems the username is often an email address, meaning the same user potentially has the same username everywhere.
Psychologically users also prefer using the same password everywhere. This means that if a password is compromised once, from any of these services, it could lead to a compromise on any other system if MFA/2FA isn’t used.

Here is a view on the size of the problem of databreaches, including leaked passwords: [https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity](https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity)

Anonymous 0 Comments

As already mentioned, a bruteforce attack is not executed against a live system, it is against password data obtained through other ways. (system breach, stolen backups, rogue administrators, …)

These charts are a simplification and the main message is that the strength of your password will be significantly better (exponentially even) if you make it longer or include special characters.

The biggest reason for using MFA/2FA is to protect against credential stuffing attacks.
[https://owasp.org/www-community/attacks/Credential_stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)

With cloud systems the username is often an email address, meaning the same user potentially has the same username everywhere.
Psychologically users also prefer using the same password everywhere. This means that if a password is compromised once, from any of these services, it could lead to a compromise on any other system if MFA/2FA isn’t used.

Here is a view on the size of the problem of databreaches, including leaked passwords: [https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity](https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity)

Anonymous 0 Comments

As already mentioned, a bruteforce attack is not executed against a live system, it is against password data obtained through other ways. (system breach, stolen backups, rogue administrators, …)

These charts are a simplification and the main message is that the strength of your password will be significantly better (exponentially even) if you make it longer or include special characters.

The biggest reason for using MFA/2FA is to protect against credential stuffing attacks.
[https://owasp.org/www-community/attacks/Credential_stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)

With cloud systems the username is often an email address, meaning the same user potentially has the same username everywhere.
Psychologically users also prefer using the same password everywhere. This means that if a password is compromised once, from any of these services, it could lead to a compromise on any other system if MFA/2FA isn’t used.

Here is a view on the size of the problem of databreaches, including leaked passwords: [https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity](https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity)