Why are Brute Force threats such a concern in general?

[mxmaniac]

It really seems like lately many people are very concerned about Brute Force threats. Whether its a server, personal account, network, etc. There is a lot of talk about making extremely long and challenging passwords to be brute force proof.

But I don't quite understand why it is as great of a concern as people act like, when it should be simple just to limit login attempts? Whether its a server login, router admin page, private account, if you simply limited incorrect login attempts to a low number, wouldn't that make Brute Forcing worthless?

For the sake of example, wouldn't even say a relatively short and simple password, which isn't a common word, like perhaps "s7e39", be nearly impossible to brute force if a few wrong attempts from a certain IP and that IP is locked out for a while?

 

[lxskllr]

You don't usually brute force a website login field. You get a database leak, and crack the hashes in the convenience of your home, then login after you've gotten the passes.

 

[mechBgon]

You don't usually brute force a website login field. You get a database leak, and crack the hashes in the convenience of your home, then login after you've gotten the passes.

This. And this is why it wouldn't be a bad idea to periodically change your most important passwords even if they're pretty strong: by the time a hypothetical attacker managed to crack your strong password, you've already changed it, rendering their efforts useless.

In the case of "s7e39," if they get hold of the database of password hashes, they may be able to simply look that one up on a "rainbow table" that shows the plain-text password s7e39 from its hash. That would take just a few seconds. At the very least, I'd triple its length so a rainbow table isn't a viable tactic.

 

[noobsrevenge]

This. And this is why it wouldn't be a bad idea to periodically change your most important passwords even if they're pretty strong: by the time a hypothetical attacker managed to crack your strong password, you've already changed it, rendering their efforts useless.

In the case of "s7e39," if they get hold of the database of password hashes, they may be able to simply look that one up on a "rainbow table" that shows the plain-text password s7e39 from its hash. That would take just a few seconds. At the very least, I'd triple its length so a rainbow table isn't a viable tactic.

This +

Once you obtain a password from one website, it is likely that the password obtained from a database at one site, and its corresponding email address, that the password would work from the email account too.

Also, the email addresses themselves from the database hold their own value (for sending spam too).

There are many different reasons a single account's information is valuable.

 

[PrincessFrosty]

You don't usually brute force a website login field. You get a database leak, and crack the hashes in the convenience of your home, then login after you've gotten the passes.

This.

Generally speaking the concern comes from the database that holds the passwords getting leaked, it's happened to most of the major websites at some point, despite good security otherwise.

Once you have a database of hashed passwords you can do an "offline" brute force attack against the database, if they do not salt their passwords you can use rainbow tables to greatly speed up brute force attempts, or otherwise use long password dictionaries.

It's trivial to protect remote logins from brute force attempts as you say, simply throttling connections is enough, although it's still wise to use at least non-common passwords.

 

[alangrift]

Brute force is hard to do with captcha and locking of accounts after a couple of incorrect tries. Servers are easier but then again you should be changing your passwords.

 

[Scarinx]

OP you seem to have the wrong idea about how you |hack| a large amount of users passwords I used to think the same thing
This is what actually happens.
1. Hackers find a leak in a server using their custom exploits. They access it and see the part of the server dedicated to passwords they then upload them to a public maybe private server.

2. If they are lucky the server and website are lousy and store them in plain text which is highly unlikely. Normally they are encrypted in hash's the cracker then uses decryption software to brute force them.

3. They sell the accounts or just release them into a public domain

Note: the more powerful your graphics card the easier it is to break the hashs similar to bitmining.
they dont download the passwords directly becasuse that would prove they were behind the hack but if they are realeased to public/private less data to prove they actually hacked the server