Cybersecurity Question About Brute Force

Status
Not open for further replies.

us3rnotfound

Diamond Member
Jun 7, 2003
How is it that hackers can brute force a password using a dictionary lookup or whatever method they use? Most websites/applications will not allow a computer to sequentially try 5000 passwords/sec; they usually have slow response times and a mechanism to stop you after 3-10 tries.

Or is it that the hackers take the server-side software (the authentication software) and crack that, so they can talk to it very quickly and feed it a trillion passwords?
 

unokitty

Diamond Member
Jan 5, 2012
How is it that hackers can brute force a password using a dictionary lookup or whatever method they use? Most websites/applications will not allow a computer to sequentially try 5000 passwords/sec; they usually have slow response times and a mechanism to stop you after 3-10 tries.

Or is it that the hackers take the server-side software (the authentication software) and crack that, so they can talk to it very quickly and feed it a trillion passwords?

Ideally, you would steal the password file first.

Then, on one of your own computers, you would use a prehashed dictionary file, and simply compare the dictionary hashes against the password hashes.

You might want to look at a tool like John the Ripper for more information.

Uno
 

John Connor

Lifer
Nov 30, 2012
You download the database. If the database isn't encrypted, all the better; some are not. Check out Hashcat.

http://en.wikipedia.org/wiki/Hashcat

Not sure if we should talk about these programs though. If not, mod, remove the links. Didn't know.

Sometimes all it takes is a phishing attack like in the case of the iCloud nude photos BS. This is why you never open an untrusted E-mail.
 

uclabachelor

Senior member
Nov 9, 2009
How is it that hackers can brute force a password using a dictionary lookup or whatever method they use? Most websites/applications will not allow a computer to sequentially try 5000 passwords/sec; they usually have slow response times and a mechanism to stop you after 3-10 tries.

Or is it that the hackers take the server-side software (the authentication software) and crack that, so they can talk to it very quickly and feed it a trillion passwords?

They either guess a password based on other knowledge of the account holder, brute force it, or have access to the hashed passwords. Hashed passwords can be used to look up rainbow tables, which at this point would be a simple search through the table for any matching hash.

For web-based applications, it is also possible to hijack the session and update the password. For this reason, some sites require you to enter the current password in order to change the password.
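The offline "prehashed dictionary" and rainbow-table lookups described in the two replies above only work when the stored hash is unsalted and fast. The following is an added example (not code from any poster or from John the Ripper/Hashcat) showing why: an unsalted SHA-1 hash is matched by a single table lookup, while the same password stored with a random per-user salt and PBKDF2 cannot be matched against any precomputed table. The wordlist and "leaked" hash are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking wordlist; a real one has millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon"]


def build_lookup_table(words, algo="sha1"):
    """Precompute hash -> word once. This is the 'prehashed dictionary'
    from the thread: the work is done before any stolen file is seen."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(stolen_hex, table):
    """Unsalted, fast hash: recovering the word is one dictionary lookup."""
    return table.get(stolen_hex)


def hash_salted(password, salt, iterations=200_000):
    """Defender's storage format: random per-user salt + slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, stored):
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(hash_salted(password, salt), stored)


def demo():
    table = build_lookup_table(WORDLIST)

    # Constructed "leaked" record: unsalted SHA-1 of 'letmein'.
    leaked_hex = hashlib.sha1(b"letmein").hexdigest()
    hit = lookup_unsalted(leaked_hex, table)  # "letmein", no guessing needed

    # Same password for two users, each with its own random salt.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored_a = hash_salted("letmein", salt_a)
    stored_b = hash_salted("letmein", salt_b)

    # Different salts -> different records, so one precomputed table cannot cover both users.
    records_differ = stored_a != stored_b
    # The prehashed table is useless against either salted record.
    table_reusable = stored_a.hex() in table or stored_b.hex() in table
    # Legitimate verification still works because the salt is stored beside the record.
    login_ok = verify_salted("letmein", salt_a, stored_a)
    return hit, records_differ, table_reusable, login_ok
```

Each guess against the salted records must be recomputed per user at the KDF's cost, which is what turns "a trillion passwords" into an impractical amount of work.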
 

inachu

Platinum Member
Aug 22, 2014
If you google for the l0pht, use their snort program and give that a try.
 