6
Cracking passwords (piefed.blahaj.zone)
submitted 3 weeks ago by akunohana@piefed.blahaj.zone to c/techsupport@lemmy.world
9 comments fedilink hide all child comments

When an attacker believes that their target does not use secure passwords, they can use tools that compare the digest of the target's password to any of the precompiled lists containing the digests of the most commonly used passwords.

Question: what happens under the hood (hardware and software) when the attacker knows that their target does use secure passwords, possibly using a password manager to deploy passwords of, let's say, 30 characters, whose digests do not occur on those precompiled lists? Do they "simply" have the computer brute force every permutation? For a 30 char passwd using all the upper and lower case characters on an "English" keyboard (a-Z, 0-9, ~ - ?) (94 total), that would entail running 94ˆ30 permutations.

Am I missing something?

top 9 comments
sorted by: hot top new old
[-] IsoKiero@sopuli.xyz 8 points 3 weeks ago

Generally, at least in somewhat decently set up systems, attacker has no way to know if the password was 4 or 40 characters long. Also, in general, attacker can't just try every possible password, as it would just take too long. With short passwords (and limited set of characters) it's possible, but with tens of characters it's just not going to happen.

Additionally, if the system is built even half competently, passwords are stored in a database in hashes and with a salt, so if your password is 'hunter2' the value in database would be something like 'supersecretsalt+hunter2' (trough hash-function obviously), so you can't just take rainbow tables and compare them directly.

Now, if the attacker has the salt then they can build their own tables with known passwords and see what matches or in some cases they can reverse engineer the salt out of the system and proceed with "normal" approach. Or, depending on the breach, they might have access to the password verification functions and they can just override rate limits and other stuff and brute force accounts locally and then exploit them at the real world.

There's a ton of nuances on this and I'm not an expert by any stretch, but in general if you use sufficiently long passwords (preferably with a password manager) there's no way to brute force your password with current technology. But, since there's 'a few' breached passwords around the net, it means in practise that not all systems are built securely and their vulnerabilities are used to get account information, passwords included. Also malware, phishing and other means are possible when gathering login info.

With a new data breach attackers might just be happy that they can break 20% (or whatever) of the passwords and use them as they see fit and just ignore the rest as it's not really worth the time to try and break them all. And if they are interested in some spesific account then there's other ways, like phishing or social engineering, to build attacks targeted on that spesific individual.

[-] akunohana@piefed.blahaj.zone 4 points 3 weeks ago

Thanks! The answer I take with me from this, in regards to my question, is: an attacker wouldn't try to brute force secure passwords because of hardware limitations and that, typically, only insecure passwords are valuable targets for brute force attacks. Also, that going after information that is not viable for brute forcing requires social engineering.

[-] betterdeadthanreddit@lemmy.world 6 points 3 weeks ago

If the hardware is too slow or expensive, there's always the $5 wrench method.

[-] akunohana@piefed.blahaj.zone 5 points 3 weeks ago

They haven't covered it in my IT class yet. Maybe it's a fall semester thing.

[-] IsoKiero@sopuli.xyz 2 points 3 weeks ago

You're on a right track. But there's a ton of variance, for example poorly built systems (used even today) store passwords in plaintext, so then it doesn't matter how complex your password is, it can still be used as a 'seed' to crack better protected databases. And properly salted+hashed database doesn't have any indication which password is poor and which is strong, so (at least I assume so) attackers just keep their algorithms running for however many hours they think is needed/worth the time and just stop processing once they have sufficient payout of the attack.

For example, without salting and using md5 hash 'password' gives hash '286755fad04869ca523320acce0dc6a4'. Using randomly generated 55 character password gives hash 'd1006257a2b09c76bcba82f209650056'. So, just a database with hashed passwords alone doesn't give you any information if the password is strong or weak.

[-] akunohana@piefed.blahaj.zone 2 points 3 weeks ago* (last edited 3 weeks ago)

Thanks! Great insight! Yeah, I didn't mean to say that the attacker knows the characteristics of the target's passwords. I meant to say, "let's assume that the attackers assumes..." Why any attacker every would assume anything is beyond the point, since I guess they wouldn't, haha. I'm sure seasoned hackers are methodical and empirical in their conquests.

[-] lost_faith@lemmy.ca 2 points 3 weeks ago

Also, a lot of online logins have a cool down after an incorrect attempt, too many failed attempts and the account may lock from anywhere to a few mins (M$ is iirc 5 or 10 mins by default after 3 fails) to permanently locked

[-] slazer2au@lemmy.world 4 points 3 weeks ago

The attacker could brute force it. Or they can make a phishing page to try and get the user to enter in their password.

  1. An attacker would get a similar enough looking domain and mimic the target login page using something like EvilNginx
  2. The attacker would send a fake email to the victim while looking as legit as possible. Saying something like too many login attempts have been detected, please use this URL to confirm your account, or your password is expiring please use this URL to update it. That sort of thing.
  3. The victim would click the URL going to the attackers login page and enter in their details.
  4. The attacker now has the valid login credentials.
[-] akunohana@piefed.blahaj.zone 2 points 3 weeks ago

Yeah, social engineering throws a lot of hardware and software hurdles out of the... Chassi.

this post was submitted on 29 Apr 2026
6 points (100.0% liked)

techsupport

3138 readers
2 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 2 years ago
MODERATORS
GatoB@lemmy.world