When an attacker believes that their target does not use secure passwords, they can use tools that compare the digest of the target’s password to any of the precompiled lists containing the digests of the most commonly used passwords.
Question: what happens under the hood (hardware and software) when the attacker knows that their target does use secure passwords, possibly using a password manager to deploy passwords of, let’s say, 30 characters, whose digests do not occur on those precompiled lists? Do they “simply” have the computer brute force every permutation? For a 30 char passwd using all the upper and lower case characters on an “English” keyboard (a-Z, 0-9, ~ - ?) (94 total), that would entail running 94^30 permutations.
Am I missing something?
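The arithmetic behind the question, as an added example that is not part of the original post: the keyspace for a given alphabet and length, its size in bits, and the expected search time at an assumed guess rate. The 10^12 guesses/s figure is a constructed assumption for illustration, not a measurement; the 94-symbol alphabet is the one the question describes.

```python
import math

# Alphabet sizes used in the estimates. The 94-symbol set is the one the
# question describes: a-z, A-Z, 0-9 and the 32 printable symbols on a US keyboard.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 94,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols over the alphabet."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the 'bits of work' an exhaustive search must cover."""
    return length * math.log2(charset_size)


def expected_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected search time for a uniformly random password.

    On average the correct candidate turns up after half the keyspace has been
    tried, so the estimate is keyspace / 2 / rate. The rate is a parameter, not
    a fact about any hardware: it depends on the hash function being attacked,
    the hardware and how many machines are used.
    """
    return keyspace(charset_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float) -> dict:
    """Expected years for a few (alphabet, length) policies at one assumed rate."""
    policies = [
        ("lowercase", 8),
        ("alphanumeric", 8),
        ("printable_ascii", 12),
        ("printable_ascii", 30),
    ]
    return {
        f"{name}/{length}": expected_years(CHARSETS[name], length, guesses_per_second)
        for name, length in policies
    }


if __name__ == "__main__":
    # Constructed assumption: 10^12 guesses per second against a fast unsalted
    # hash. A deliberately slow password hash would cut this rate by orders of magnitude.
    rate = 1e12
    print(f"94^30 has {entropy_bits(94, 30):.1f} bits of entropy")
    for policy, years in compare_policies(rate).items():
        print(f"{policy:22s} {years:.3g} years")
```

The comparison shows why the thread's answer is "nobody brute-forces that": an 8-character lowercase password falls in well under a second at the assumed rate, while 94^30 is on the order of 10^39 years at the same rate. The practical lever for a defender is therefore length and randomness, plus a slow hash that shrinks the attacker's rate.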


Thanks! The answer I take with me from this, in regards to my question, is: an attacker wouldn’t try to brute force secure passwords because of hardware limitations and that, typically, only insecure passwords are valuable targets for brute force attacks. Also, that going after information that is not viable for brute forcing requires social engineering.
If the hardware is too slow or expensive, there’s always the $5 wrench method.
They haven’t covered it in my IT class yet. Maybe it’s a fall semester thing.
Also, a lot of online logins have a cooldown after an incorrect attempt; after too many failed attempts the account may lock for anywhere from a few mins (M$ is iirc 5 or 10 mins by default after 3 fails) to permanently.
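The lockout behaviour this comment describes, as an added example that is not part of the original thread: a small per-account failure counter that locks the account for a cooldown after a number of failures. The thresholds (3 failures, 300 seconds) are constructed values chosen to mirror the comment, and the clock is injectable so the cooldown can be tested without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # Constructed values mirroring the comment: three failures, then a cooldown
    # of a few minutes. Real deployments tune these per risk level.
    max_failures: int = 3
    lockout_seconds: float = 300.0


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, policy: LockoutPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock  # injectable so tests can advance time deterministically
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._state(user).locked_until

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        `password_ok` is the result of the credential check. While the account
        is locked that result is ignored and the login is refused either way:
        if a correct password were accepted during the lockout, the lockout
        would not slow a guessing attacker down at all.
        """
        st = self._state(user)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0  # counter restarts once the cooldown expires
            return "locked"
        return "failed"
```

Two caveats a practitioner would add: a lockout keyed only on the account name lets anyone lock a victim out by sending bad guesses for that name, so it is usually paired with per-source throttling rather than used alone; and the lockout only limits online guessing, so it does nothing for the offline scenario in the question, where the attacker already holds the hashes.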
You’re on the right track. But there’s a ton of variance; for example, poorly built systems (used even today) store passwords in plaintext, so then it doesn’t matter how complex your password is, it can still be used as a ‘seed’ to crack better protected databases. And a properly salted+hashed database doesn’t have any indication which password is poor and which is strong, so (at least I assume so) attackers just keep their algorithms running for however many hours they think is needed/worth the time and just stop processing once they have sufficient payout of the attack.
For example, without salting and using md5 hash, ‘password’ gives hash ‘286755fad04869ca523320acce0dc6a4’. Using a randomly generated 55 character password gives hash ‘d1006257a2b09c76bcba82f209650056’. So, a database with hashed passwords alone doesn’t give you any information about whether a password is strong or weak.
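The two points in this comment, as an added example that is not part of the original thread: an unsalted MD5 digest is the same length whatever the password, and the same password always yields the same digest, while a salted slow hash (PBKDF2-HMAC-SHA256 here, with a constructed iteration count) gives different digests for equal passwords. The block also computes MD5 of both `password` and `password` followed by a newline, because the second is what `echo password | md5sum` prints (echo appends the newline), a common source of confusion when comparing digests by hand.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed choice for the example; the point is that the KDF is slow and
# tunable, not this exact number.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the comment above: same input, same digest, every time."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt makes equal passwords hash differently,
    so a leaked table cannot be attacked with one precomputed list for all users."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def digests_indistinguishable(weak: str, strong: str) -> bool:
    """True when the two MD5 digests have the same length and format: the digest
    alone carries no hint about which password was weak."""
    a, b = md5_hex(weak), md5_hex(strong)
    return len(a) == len(b) == 32 and a != b


if __name__ == "__main__":
    print("md5('password')   =", md5_hex("password"))
    print("md5('password\\n') =", md5_hex("password\n"))
    salt, digest = salted_hash("password")
    print("salted digest      =", digest.hex())
    print("verify ok:", verify("password", salt, digest))
```

The defender's takeaway matches the comment: once a database is salted and hashed with a slow function, every entry costs the attacker the same per-guess work and reveals nothing about which accounts are easy, so the only remaining strategy is to run the guess list against all of them and stop when the yield is no longer worth the time.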
Thanks! Great insight! Yeah, I didn’t mean to say that the attacker knows the characteristics of the target’s passwords. I meant to say, “let’s assume that the attacker assumes…” Why any attacker ever would assume anything is beside the point, since I guess they wouldn’t, haha. I’m sure seasoned hackers are methodical and empirical in their conquests.