[Cryptography] Brute-force password crackers?

Ray Dillinger bear at sonic.net
Sat Dec 25 23:46:01 EST 2021



On 12/23/21 15:54, Henry Baker wrote:
> Could someone please explain the current strategies of brute-force password crackers these days?
>  
> I presume that huge dictionaries of existing passwords, words, phrases, etc., + brute force alphabetic enumeration in order of probability?
>  

There are now "database enabled" password guessing systems that take
advantage of known information about whose account is which.  These are
used in combination with an existing trove of user information such as
some related business's customer database.  So if the system knows it is
guessing a password to the account of "J Fred Bloggs," it goes to its
database and retrieves information about customers named "Fred Bloggs"
and "Joe F Bloggs" and "JF Bloggs" and every glob of "J* Bloggs" and
then injects that information into the template that drives its password
guesses for that account.  While doing the same for however many million
other accounts.

So if your information is already in leaked databases, and your account
is identifiable by people who haven't yet gained access, then password
guessing to gain access will be focused tightly.  It'll be trying old
phone numbers, student ID number from college, streets you've lived on,
names of people you've lived with, social security numbers, driver
license numbers you had years ago in other states, house numbers you've
lived at, anniversaries, birthdays, answers to "security questions" from
other sites, etc. 

Bear



More information about the cryptography mailing list