Hi.
On Thu, Aug 31, 2017 at 08:00:54PM +0100, Brian wrote:
> On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
>
> > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> > 'Us'? Do not speak for all the list please.
>
> It is a construct; intended to involve everyone in the conversation.
>
> > Admit that you just did not read the pdf.
>
> It is not concerned with online cracking. That is obvious. Why should I
> spend time in reading its each and every detail
Admitting something, especially in public takes courage.
I applaud you for admitting it, and adjust my further explanations as
clearly your talents lie outside of security field.
> > > How does this help with attacking the password for a login with online
> > > techniques?
> >
> > Simple. You generate passwords by using adjectives, nouns and verbs from
> > Oxford and/or Webster dictionary. You don't put all the words together
> > (the result will have too much volume), you try to create grammatically
> > correct (although meaningless) phrases. A mathematical concept that
> > allows you to do so is Markov chains. An implementation of this concept
> > is called Prince Attack on hashcat lingua.
> >
> > Overall entropy of 'my!only"reason£for$living%is^ebay' password (aka
> > XKCD 936 password) could be reduced significantly, leaving
> > 'eq8GeKBhVXOTjF0dAyd0' password (aka base64 password) far superior.
> >
> > Also, bruteforcing a password by feeding a list of those to the online
> > service of any kind is dumb (unless you have a disposable botnet
> > dedicated to this purpose). Smart move is to obtain a list of
> > (hopefully) hashed passwords, which all bad guys are doing these days.
>
> Services accept numerous failed *online* logins without doing anything
> about it?
You'd be surprised how many services do exactly nothing about failed
logins (ssh out of the box for starters). Even if they did - there's
nothing a hypothetical service could do against 10^5-10^6 unique IPs
('disposable botnet' comes here) each attempting 2-3 logins.
Besides, why bother with online logins if you can dump password
database ('dumb' and 'smart' come here)?
Reco
