When an attacker believes that their target does not use secure passwords, they can use tools that compare the digest of the target’s password to any of the precompiled lists containing the digests of the most commonly used passwords.
Question: what happens under the hood (hardware and software) when the attacker knows that their target does use secure passwords, possibly using a password manager to deploy passwords of, let’s say, 30 characters, whose digests do not occur on those precompiled lists? Do they “simply” have the computer brute force every permutation? For a 30 char passwd using all the upper and lower case characters on an “English” keyboard (a-Z, 0-9, ~ - ?) (94 total), that would entail running 94ˆ30 permutations.
Am I missing something?
Thanks! Great insight! Yeah, I didn’t mean to say that the attacker knows the characteristics of the target’s passwords. I meant to say, “let’s assume that the attackers assumes…” Why any attacker every would assume anything is beyond the point, since I guess they wouldn’t, haha. I’m sure seasoned hackers are methodical and empirical in their conquests.