Jump to content

Simply about passwords


EWyatt

Recommended Posts

We're told to use strong passwords, yada, yada... It must be true, since hackers successfully get past the password walls all the time.  My question is how!  Sites ask for our passwords to get in, we supply them, and the site spends "some" time evaluating them for accuracy.  If inaccurate, the site asks again, or gives us a few more tries, which takes even more time.  Seems to me that using brute force to get a correct password would take days (or more) of trying to get in, considering the time sites evaluate those incoming passwords.  Even using automated software to guess moderately strong passwords must take a LOT of time due to the site's time to evaluate them.

What am I missing?  Do hackers indeed spend days (or more) just trying to get into a site?  Don't they have a life?  

Link to comment
Share on other sites

Password crackers can easily make billions(or more) of attempts each second.  Can attempt to reduce the time further checking lists of common passwords and words from the dictionary first.

Limiting number of login attempts and spacing them out does go a long way to prevent brute force attacks.

 

Hackers are more likely now to be looking for security exploits or to engage in social engineering instead though. Most of what you see end up making the news. Again there are programs to make lives easier.

Link to comment
Share on other sites

11 minutes ago, Endy0816 said:

Password crackers can easily make billions(or more) of attempts each second.  Can attempt to reduce the time further checking lists of common passwords and words from the dictionary first.

 

Must be true, yet that doesn't jive with the fact that it takes the site at least a few milliseconds to analyze the incoming password and provide a reject comment.  How can all that happen thousands or millions of times per second.  Or perhaps I don't understand how it all works....

Link to comment
Share on other sites

4 minutes ago, EWyatt said:

How can all that happen thousands or millions of times per second.

I don't know to what extent this still applies: in earlier unix systems first step was to look for exploits that gained access to a list of encrypted passwords. Then run the brute force attack offline.

 

Link to comment
Share on other sites

15 hours ago, EWyatt said:

What am I missing?  Do hackers indeed spend days (or more) just trying to get into a site?  Don't they have a life?  

Professional hackers are using key-loggers. They send to victim Trojan software (in e.g. e-mail with link which after clicking it, is infecting their computer), which installs on their machine, and when user is logging in to some website, and pressing keys on keyboard, hacker is informed about what is password straight away without having to guess it. It does not require brute-force method of manual searching for password (or very limiting it).

If website is not using secure HTTP (HTTPS), password can be send in raw form through Internet (or md5(password)). If somebody already own your router, or ISP, can get password or e.g. md5(password) straight away in transmitted packets.

e.g. ScienceForums.net website got HTTPS just recently in January 2018.

https://www.scienceforums.net/topic/108148-upcoming-next-week-https-support/

(in the other words, prior this date, the all passwords could be intercepted by somebody already, and they can pretend legit members of this forum right now, or in the future)

 

Link to comment
Share on other sites

19 hours ago, Ghideon said:

I don't know to what extent this still applies: in earlier unix systems first step was to look for exploits that gained access to a list of encrypted passwords. Then run the brute force attack offline.

Was just thinking needed to mention that too, lol.

 

Can also try multiple login attempts at once.

Generally you'd use brute force only in some cases. Has to be both possible and worth it

Case in the news a bit ago of the Government pressuring Apple to allow them unlimited attempts, so they could use this method to get into a terrorist's phone.

Edited by Endy0816
Link to comment
Share on other sites

9 hours ago, Sensei said:

password can be send in raw form through Internet

That made me remember another, somewhat related case I heard of. Can't find it online so no reference this time:
Some systems offers the users to store a password hint. In the case I heard of the hackers got access to a list of hints, they were stored in clear text or protected by weak encryption. Hints such as "Yellow fruit" made the brute force attack a lot easier.


 

 

Link to comment
Share on other sites

On 27.08.2018 at 3:49 PM, Endy0816 said:

Case in the news a bit ago of the Government pressuring Apple to allow them unlimited attempts, so they could use this method to get into a terrorist's phone.

They are fooling you. They can make duplicate of entire memory of device, and then run brute-force method on emulator of device on supercomputer cluster with thousands machines running parallel.

Link to comment
Share on other sites

2 minutes ago, Sensei said:

They are fooling you. They can make duplicate of entire memory of device, and then run brute-force method on emulator of device on supercomputer cluster with thousands machines running parallel.

Then why did they take Apple to court?

Link to comment
Share on other sites

43 minutes ago, John Cuthber said:

Then why did they take Apple to court?

IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today.

One - To keep their current secrets, subterfuge about existing capabilities. Two - Save time and make it easier in the future.

Link to comment
Share on other sites

2 hours ago, Sensei said:

They are fooling you. They can make duplicate of entire memory of device, and then run brute-force method on emulator of device on supercomputer cluster with thousands machines running parallel.

From https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf


 

Quote

 

The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit

keys fused (UID) or compiled (GID) into the application processor and Secure

Enclave during manufacturing. No software or firmware can read them directly;

they can see only the results of encryption or decryption operations performed

by dedicated AES engines implemented in silicon using the UID or GID as a key.

Additionally, the Secure Enclave’s UID and GID can only be used by the AES

engine dedicated to the Secure Enclave. The UIDs and GIDs are also not

available through JTAG or other debugging interfaces.

..........

 

The UID allows data to be cryptographically tied to a particular device. For

example, the key hierarchy protecting the file system includes the UID, so if

the memory chips are physically moved from one device to another, the files

are inaccessible.

 

Apple is deliberately a bit vague, but it seems the encrypted files cannot be read without using encrypted addressing which will be permanently disabled after about six hacking attempts.

Physical hacking, using e.g. a TTM to measure the stored charge corresponding to each bit, is probably not practical.

Edited by Carrock
small correction
Link to comment
Share on other sites

The ARM processor includes hardware security (Edit: as described in Carrock's post) so even if it were possible/practical to extract the entire contents of memory and emulate the entire device (which I doubt) you wouldn't be able to get at the encrypted data.

1 hour ago, iNow said:

IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today.

One - To keep their current secrets, subterfuge about existing capabilities. Two - Save time and make it easier in the future.

Or ... the suggestion is just bollocks.

Edited by Strange
Link to comment
Share on other sites

Quote

so even if it were possible/practical to extract the entire contents of memory and emulate the entire device (which I doubt)

You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

 

Link to comment
Share on other sites

1 hour ago, fiveworlds said:

You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

I assume he either copied encrypted data or removed the password first. 

 

Link to comment
Share on other sites

8 hours ago, iNow said:

IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today.

One - To keep their current secrets, subterfuge about existing capabilities. Two - Save time and make it easier in the future.

In China, they ask to see the contents of your phone and you will comply. :D

Link to comment
Share on other sites

2 hours ago, fiveworlds said:

You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

34 minutes ago, Strange said:

 

I assume he either copied encrypted data or removed the password first. 

 

I didn't watch all the video but he appears to have taken a decrypted backup copy, fitted new bigger memory and restored from backup - no security issues.

 

7 minutes ago, StringJunky said:

In China, they ask to see the contents of your phone and you will comply. :D

If you've forgotten the password how do you comply?

Edited by Carrock
Link to comment
Share on other sites

8 hours ago, StringJunky said:

In China, they ask to see the contents of your phone and you will comply. :D

Buy second phone just for international travel.. ;)

 

Dump of memory of device prior travel,

disable the all transmission, don't use device,

travel,

dump of memory of device after travel.

Comparison of these two, to find changes.

If they differs, what are differences, which files and directories have changed... ? It could be infection from external source (not necessarily government of countries which you just visited)..

 

Link to comment
Share on other sites

  • 1 month later...

Yes, It is true password is very important for our documents and systems and use of automatic software for password creation is a very risky task. So we use a strong password for our safety. I am an Itunes user and I have made a strong password with the help of Apple support and now my Itunes is secure from hackers

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.