|
Nude Photo (iCloud?) hack affecting celebs (Jennifer Lawrence/Kate Upton...) via 4chan (pg. 6)
|
| djnitride |
| quote: | Originally posted by DJ RANN
Good passwords don't mean anything. A brute force checks millions of combinations of every possible key combination so whether it's simple or has upper and lower case, with special characters, just means it takes the brute force attack slightly longer, but trust me, these guys were at it for months, if not years.
|
Each additional digit adds another power to the potential number of combinations, past a certain point it doesn't matter if they rate limit brute force or not, it simply isn't feasible to crack the password.
For example, a 20 char alpha numeric password with capital letters would be 62^20 = 7.0442342554699802296833026461637e+35 possible combinations. Even if the attacker could run 1 million combinations a second, it would take 670113608777585638287985 days to crack if they had to check 50% of combinations before finding the password.
Yeah, I am sure some of them used extremely targeted and personalized social engineering techniques to get people's pictures who had better security.
Here is one problem: there is no definitive defense against social engineering attacks besides restricting yourself to a very limited list of service providers. For example, Gmail is extremely strict about providing account access if you lose your password. |
|
|
| Swamper |
In my hacking/wannabe-unix-security-nerd days (circa 1994-1995) I used a spare 486 and it took 2 weeks running 24/7 against a bunch of dictionaries (in multiple languages) before it cracked anything. I used Crackerjack.
I can still remember the audible beep... it was like Christmas in July. lol
Good times.
As for password difficulty... have some numbers... mixed case...and a word you know and then vary the numbers within a certain range and that's all you need. |
|
|
| DJ RANN |
| quote: | Originally posted by djnitride
Each additional digit adds another power to the potential number of combinations, past a certain point it doesn't matter if they rate limit brute force or not, it simply isn't feasible to crack the password.
For example, a 20 char alpha numeric password with capital letters would be 62^20 = 7.0442342554699802296833026461637e+35 possible combinations. Even if the attacker could run 1 million combinations a second, it would take 670113608777585638287985 days to crack if they had to check 50% of combinations before finding the password.
Yeah, I am sure some of them used extremely targeted and personalized social engineering techniques to get people's pictures who had better security.
Here is one problem: there is no definitive defense against social engineering attacks besides restricting yourself to a very limited list of service providers. For example, Gmail is extremely strict about providing account access if you lose your password. |
But that's the problem; 20 digit alpha numeric passwords aren't really realistic. I have to use one system for one of the businesses that requires me (and 4 of my employees) to log in at least 20-40 times a day. Having to type 20 mixed-case characters is an absolute ballache that many times a day, so guess what? Everyone does the minimum (8 chars, 1 num, one spec char). That's really not that difficult to brute force in a couple of days.
Average password length is guess what? 8-9 characters (in fact the actual figure is 61% of the world's population uses a password that is within one digit of the minimum required).
But again, this was only part of the breach in question - several of the people involved were phished, some it's now believed were straight up hacked with malware, and one or two others had their phones actually compromised/data copied/stolen.
Unless you're going to add two step verification (and still keylogging attacks do nothing against this) or algorithmic dongles, passwords are not going to get more secure.
I mean if the swampmeister was able to do it on a 486 fifteen years ago then imagine what's possible today.
Combine these attacks with just a tiny bit of social engineering, and basically anyone can get access to any normal password protection system. |
|
|
| djnitride |
| quote: | Originally posted by DJ RANN
But that's the problem; 20 digit alpha numeric passwords aren't really realistic. I have to use one system for one of the businesses that requires me (and 4 of my employees) to log in at least 20-40 times a day. Having to type 20 mixed-case characters is an absolute ballache that many times a day, so guess what? Everyone does the minimum (8 chars, 1 num, one spec char). That's really not that difficult to brute force in a couple of days.
Average password length is guess what? 8-9 characters (in fact the actual figure is 61% of the world's population uses a password that is within one digit of the minimum required).
But again, this was only part of the breach in question - several of the people involved were phished, some it's now believed were straight up hacked with malware, and one or two others had their phones actually compromised/data copied/stolen.
Unless you're going to add two step verification (and still keylogging attacks do nothing against this) or algorithmic dongles, passwords are not going to get more secure.
Combine these attacks with just a tiny bit of social engineering, and basically anyone can get access to any normal password protection system. |
This problem has been solved. It's not without its own problems, but it is a far more secure system than using a short password.
Just one example:
http://keepass.info/
2FA in addition to that is a must for anyone who might have a big target painted on them |
|
|
| Swamper |
| ^ She's 21? I thought she was like 17. |
|
|
| Sushipunk |
 |
|
|
| Lews |
| On the topic of password length, I hate the companies that have a maximum password length, especially one that is only 8-12 characters. I find it completely ludicrous to blame those who were hacked; I do try to have my own internet stuff secure (at least banking/email/etc). It's not that hard to remember a line of poetry that can end up being 25-30 characters. Muscle memory easily remembers it, too. |
|
|
| Jon_Snow |
| quote: | Originally posted by Swamper
^ She's 21? I thought she was like 17. | She was 17... 4 years ago :p
Never heard of her until the leak and started to feel bad for her then I read that article lol |
|
|
| Viber |
| quote: | Originally posted by Lews
a line of poetry that can end up being 25-30 characters. Muscle memory easily remembers it, too. |
That's a brilliant idea:wtf: |
|
|
| Dykes_on_Jay |
Lews.
Vegetarians protect the world with haikus. |
|
|
| Silky Johnson |
| quote: | Originally posted by Swamper
^ She's 21? I thought she was like 17. |
| quote: | Originally posted by Sushipunk
|