That’s not how it typically works. Accounts are usually obtained from a hash file (like what’s in your /etc/shadow or whatever the equivalent is in Windows).
In there your typical password looks like a strong string of gibberish characters, but is actually the result of a one way function that processed the original password. When you enter you password, the function is applied to it and the result is compared to the stored one.
To break a password, you have to run stuff through that function (which is slightly computationally expensive, although using GPUs now helps quite a bit) until you find whatever matches the stored string (because it’'s a one way function). Then you have the original password. This is known as a dictionary attack (because you basically have to run through the whole dictionary).
No, a dictionary attack uses a specific collection of known passwords (usually from leaks/compromised websites etc.) and regular words. Then you apply common substitutions, like a 3 for an e or appending an !. This collection is then called a dictionary.
What you described and is referred to in the infographic is called a brute force attack.
This assumes you can obtain the hashed & salted version of the password from the server, or it’s a local PDF/ZIP/etc file password. Still, you have 2FA to go through once you guess the plaintext password.
No legitimate websites will store passwords as plaintext, instead their salted (mathematically modified) hashes. They do not have your plaintext password but there is a mechanism of checking your password attempt. If the hacker interrupts this mechanism, they can steal plaintext passwords every time they are used. However, most of the time they “just” gain access to the database and get the hashed & salted versions, and can often find out what the hash & salt algorithm is by reverse-engineering their own entries. Then, they obtain a list of top 1B+ common passwords (includes all 4-digit numbers, “password” and curse words in all languages, pretty much every English word imaginable, most given names in the world, every date from the last 100 years in various formats, correct horse battery staple and entries from previous breaches) and for every hash & salt they compute, they check if it matches any known hash & salt of any user they’re interested in (could be just a few or all) matches. This dictionary attack will match the weakest passwords, and any matches give the hacker confidence that their method is correct. After that, they either start extending the dictionary (combining words with other words, letters and numbers), or brute forcing every combination of numbers, letters and symbols (with some heuristics: most passwords use way fewer symbols than letters).
So “password breaches” are concerning because the hacker gets any number of retries for anyone’s password if they have the time and computing power. Therefore, it is very advisable to change your password after such a breach is discovered. This takes anywhere between 1 day to a month so if your password cannot be cracked in that time, you should be reasonably safe.
Don’t most systems lock out accounts after a few failed attempts?
That’s not how it typically works. Accounts are usually obtained from a hash file (like what’s in your /etc/shadow or whatever the equivalent is in Windows).
In there your typical password looks like a strong string of gibberish characters, but is actually the result of a one way function that processed the original password. When you enter you password, the function is applied to it and the result is compared to the stored one.
To break a password, you have to run stuff through that function (which is slightly computationally expensive, although using GPUs now helps quite a bit) until you find whatever matches the stored string (because it’'s a one way function). Then you have the original password. This is known as a dictionary attack (because you basically have to run through the whole dictionary).
And this concludes hacking 101 for today.
No, a dictionary attack uses a specific collection of known passwords (usually from leaks/compromised websites etc.) and regular words. Then you apply common substitutions, like a 3 for an e or appending an !. This collection is then called a dictionary.
What you described and is referred to in the infographic is called a brute force attack.
Good point, I might have written that a bit fast.
Still need to know what the salt is, assuming the website is somewhat competent about password storage.
This assumes you can obtain the hashed & salted version of the password from the server, or it’s a local PDF/ZIP/etc file password. Still, you have 2FA to go through once you guess the plaintext password.
So it becomes a concern when someone steals a bunch of passwords from a server?
No legitimate websites will store passwords as plaintext, instead their salted (mathematically modified) hashes. They do not have your plaintext password but there is a mechanism of checking your password attempt. If the hacker interrupts this mechanism, they can steal plaintext passwords every time they are used. However, most of the time they “just” gain access to the database and get the hashed & salted versions, and can often find out what the hash & salt algorithm is by reverse-engineering their own entries. Then, they obtain a list of top 1B+ common passwords (includes all 4-digit numbers, “password” and curse words in all languages, pretty much every English word imaginable, most given names in the world, every date from the last 100 years in various formats, correct horse battery staple and entries from previous breaches) and for every hash & salt they compute, they check if it matches any known hash & salt of any user they’re interested in (could be just a few or all) matches. This dictionary attack will match the weakest passwords, and any matches give the hacker confidence that their method is correct. After that, they either start extending the dictionary (combining words with other words, letters and numbers), or brute forcing every combination of numbers, letters and symbols (with some heuristics: most passwords use way fewer symbols than letters).
So “password breaches” are concerning because the hacker gets any number of retries for anyone’s password if they have the time and computing power. Therefore, it is very advisable to change your password after such a breach is discovered. This takes anywhere between 1 day to a month so if your password cannot be cracked in that time, you should be reasonably safe.
Very good explanation. I think this kind of clarification is important when we see charts like these.