• DPUGT2@lemmy.ml
    3 years ago

    actually, script automated brute forcing would be better at guessing randomized characters for a passwords.

    No. It wouldn’t. It’s neither better nor worse at anything. If you’re unfamiliar with programming, it’s difficult to understand, but I’ll try to explain it to you…

    No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That’s why it’s called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don’t look random to you at all.

    By choosing words as your password, if someone can guess that this is what you’ve done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages’ dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.

    This reduces the number of passwords that you can have chosen by some ridiculously large number.

    It’s literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords… assuming someone can guess that that’s what you did. And it’s not much of a guess even, considering that you blather all over the internet about how you think it’s a smarter approach.

    the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful,

    That’s not even how this works. It’s not 1986, you’re not Matthew Broderick hacking into WOPR.

    Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren’t complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).

    The website it was stolen from has at least taken measures that they can’t get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you’re a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they’re remembering their passwords, I know they don’t have eidetic memory and know 50 unique passwords by heart. They’re remembering one.

    So once they brute-force the hash, they’ve got most or all of your passwords (maybe literally not all, you probably think you’re clever by having two or three slight variations on it like “every word in it starts with uppercase!” or some shit like that). And it’s a lot easier to brute-force this when you assume that they used dictionary words.

    Here’s where you bust out with “but now you’re full of shit DPUGT, because I didn’t mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!”.

    Except you’re still wrong. That fucking website truncated the password (and always truncates, since you didn’t notice), or it has a maximum password length (don’t ask, I have no explanation, this is so far off in WTF territory that I give up).

    And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.

    You tried to be clever with passwords, which is what all stupid people do.

    1. All your passwords have to be different. They shouldn’t even reuse sequences longer than 2 or 3 characters, and those only by accident.
    2. You have 50+ passwords (my count’s something like 300+ and always going up).
    3. They should all be long as hell. Ideally 50-100 characters or more. This means they’re also untypeable from a practical point of view.
    4. They should never be written down anywhere, digitally or physically.

    And, if we were making rules for websites/accounts, they shouldn’t limit possible passwords. No maximum lengths, no “can’t use that character”. Like why not? They shouldn’t be storing the damned password in plaintext, the hash should be hex and fixed length anyway. But can’t do anything about that.

    Once you understand these rules, there is only one correct way to do passwords. And it’s not setting a new one every 6/10/12 weeks. It’s not 2FA. It’s not any of the garbage everyone always repeats as if it were wisdom.

    It’s Get a goddamned password manager already.
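The search-space argument in the comment above, worked through as an added example (not part of the original post). It assumes the comment's ~100,000-word English dictionary, 95 printable ASCII characters, and that a site truncating the password keeps only its first 8 characters; the truncation figure is an upper bound, not an exact value.

```python
import math
import secrets
import string

PRINTABLE_ASCII = 95      # space through '~'
ENGLISH_WORDS = 100_000   # dictionary size quoted in the comment (assumption)
LOWERCASE = 26


def bits_random(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size^length choices."""
    return length * math.log2(alphabet_size)


def bits_passphrase(dict_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words drawn uniformly from a dict_size-word list.

    This is what the attacker's search space collapses to once they assume the
    password is dictionary words and feed a wordlist instead of every character string.
    """
    return word_count * math.log2(dict_size)


def bits_after_truncation(dict_size: int, word_count: int, avg_word_len: int, keep: int) -> float:
    """Upper bound on the entropy that survives when a site silently keeps only the
    first `keep` characters of a lowercase passphrase (assumed behaviour)."""
    full = bits_passphrase(dict_size, word_count)
    if keep >= word_count * avg_word_len:
        return full
    return min(keep * math.log2(LOWERCASE), full)


def compare(word_count: int = 4, avg_word_len: int = 5) -> dict:
    """Compare a passphrase against random passwords of the same character length."""
    length = word_count * avg_word_len
    phrase = bits_passphrase(ENGLISH_WORDS, word_count)
    lower = bits_random(LOWERCASE, length)
    return {
        "passphrase_bits": phrase,
        "same_length_lowercase_random_bits": lower,
        "same_length_printable_random_bits": bits_random(PRINTABLE_ASCII, length),
        # how many times smaller the wordlist search is than brute-forcing the letters
        "shrink_factor_vs_lowercase_random": 2 ** (lower - phrase),
        "passphrase_truncated_to_8_bits": bits_after_truncation(ENGLISH_WORDS, word_count, avg_word_len, 8),
    }


def generate_manager_style(length: int = 50) -> str:
    """What a password manager hands out: uniformly random printable characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Four five-letter words carry about 66 bits, while 20 random lowercase letters carry about 94 bits and 20 random printable characters about 131; truncation to 8 lowercase characters leaves at most about 38.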

    • Torrid@lemmy.ml
      3 years ago

      There’s no need to get so emotionally heated. You’re making a lot of personal assumptions about me and my actions, and projecting information I never included in my comments. I also don’t appreciate you being so condescending. I’m familiar with coding, and there was really no reason for you to be so rude. That being said, there’s no sense trying to discuss things with someone like you.

      I hope you heal whatever part of you felt it was alright to fly off the handle like that.