I seem to be safe for now, but technology is advancing rapidly.
nvidia-rtx-5090-can-crack-an-8-digit-password-in-3-hours
Always been curious about this. Perhaps this is the thread in which to ask this question. If I try to log in to an account with the improper password, the site will lock me out for a period of time before I can try again. Some will even require me to call in and unlock the account.
How is it possible for any brute force attack to try a few million combinations? What is the procedure by which a brute force attack can obtain the correct password?
I mean, I think of every password I use, but I don't think I have anything in the "instantly" section, so at least I have that going for me.
Depends on what's behind the password.
Simple stuff looks to be good for 4 months.
Important stuff looks to be good for one quadrillion years.
In reply to 1988RedT2 :
Password cracking is typically done on a stolen password "database" where the attackers can run through the combinations in their lab environment without having to worry about the account lockout policies.
Great reminder to set up MFA on all your accounts that allow it. An authenticator based MFA would be the best option if presented, then app based, before going to email or SMS.
My business bank account uses one of these.
It generates a 6-digit number for the 2nd factor.
My brokerage account uses an app called VIP Access to generate a number.
In reply to Don Fip :
As noted, these types of tables assume that hackers have already gotten access to the hash table (which is essentially an encrypted table of the passwords), so there has already been a significant breach (whether the target knows that or not is a question of course).
I was always amazed that it seemed like the last sites to require more exotic PW requirements... were the financial / bank sites!!!
BTW, the machine(s) mentioned in the graphic above, with 13 RTX 5090's, the cards alone would be $42,000!!
So, the attacker has the hashed version of my password and there is no way to reverse it to 12345. I have nothing to worry about, right? WRONG!
One method that is commonly used to get the plain text password from a hash is called a brute force attack. In this attack, the attacker will run through a giant wordlist and hash each word with the appropriate hashing algorithm. They can then compare the hashes in the wordlist to the ones they have obtained from the database. If a hash from the wordlist matches the one in the database, they can simply find the corresponding plain text password in the original wordlist they hashed. Experienced attackers will use extremely large wordlists combined with powerful software to run through millions of password possibilities a second.
Another method of attack attempts to exploit the hashing algorithm itself by creating a hash collision. A hash collision occurs when two different sets of data resolve to the same hash, and while this is rare, it can be deadly. This would allow the attacker to generate a string of characters that is not your password, but is still able to log in to your account since it generates the same hash.
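The wordlist-versus-hash comparison described above, as an added example (not from the quoted article or from anyone in this thread), written from the site operator's side: an audit that finds which stored unsalted SHA-256 hashes match a constructed list of common passwords, beside the salted, slow-KDF storage that removes the one-hash-per-word shortcut. The wordlist, user names and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "giant wordlist" the post describes.
COMMON_PASSWORDS = ["123456", "password", "12345", "qwerty", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """How a weak site stores passwords: one unsalted SHA-256 per user."""
    return hashlib.sha256(password.encode()).hexdigest()


def wordlist_exposure(stored_hashes: dict, wordlist) -> dict:
    """Defender's audit: which accounts hold a password from the common list?

    With no salt, hashing each word ONCE is enough to test it against every
    stored hash at the same time, which is why unsalted fast hashes fall so quickly.
    """
    lookup = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


def make_salted_record(password: str, iterations: int = 600_000) -> tuple:
    """Hardened storage: random per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). Each guess must now be recomputed per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record: tuple) -> bool:
    """Login-time check against a salted record, using a constant-time compare."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_guess_cost(n_users: int, n_words: int, iterations: int) -> int:
    """Hash evaluations a wordlist run needs once salt and iterations are in place:
    every word must be re-derived for every user, 'iterations' rounds each time.
    Compare with len(wordlist) evaluations for the unsalted case."""
    return n_users * n_words * iterations
```

Running `wordlist_exposure` over your own user table with a published common-password list is the defensive use of the same mechanism: it tells you which accounts to force-reset before the list is run against a stolen copy.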
Don Fip said: Great reminder to set up MFA on all your accounts that allow it. An authenticator based MFA would be the best option if presented, then app based, before going to email or SMS.
This is good advice, but I still find MFA annoying. Especially "We'll send you an email to validate your account" thing, which always seems to take forever.
Personally, I use a password manager with a strong master password that would appear to be nonsense to anyone but me. The passwords it generates are all as long and complex as the individual sites allow. Nothing is ever 100% secure, but I feel pretty confident in my setup.
Toyman! said: Depends on what's behind the password.
Simple stuff looks to be good for 4 months.
Important stuff looks to be good for one quadrillion years.
I guess that's true for now. I remember some of these password lengths in the 1990s... you were safe until the heat death of the universe. Now it's like... a couple years for those.
Just wait for them to figure out quantum computing... I've read articles that claim that state-sponsored groups have been hoarding stolen encrypted data until such time as the computing power is available to brute force the encryption. Not all of that data will be relevant in a decade or so, but surely some of it will be.
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
preach said: Says mine is 463 quadrillion years. Sweet.
Ahh, but now you've given them the first clue.
In reply to Tom_Spangler (Forum Supporter) :
Yup, a password manager is another great tool to use.
Agree that MFA gets annoying sometimes so might not make sense for everyone at all sites.
As with all layered approaches to cybersecurity, how many layers of protection in the Swiss cheese model do you need before impacting usability/productivity?