Hi.

On Thu, Aug 31, 2017 at 08:00:54PM +0100, Brian wrote:
> On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
>
> > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> > 'Us'? Do not speak for all the list please.
>
> It is a construct; intended to involve everyone in the conversation.
>
> > Admit that you just did not read the pdf.
>
> It is not concerned with online cracking. That is obvious. Why should I
> spend time in reading its each and every detail

Admitting something, especially in public, takes courage. I applaud you
for admitting it, and adjust my further explanations as clearly your
talents lie outside of the security field.

> > > How does this help with attacking the password for a login with online
> > > techniques?
> >
> > Simple. You generate passwords by using adjectives, nouns and verbs from
> > Oxford and/or Webster dictionary. You don't put all the words together
> > (the result will have too much volume), you try to create grammatically
> > correct (although meaningless) phrases. A mathematical concept that
> > allows you to do so is Markov chains. An implementation of this concept
> > is called Prince Attack on hashcat lingua.
> >
> > Overall entropy of 'my!only"reason£for$living%is^ebay' password (aka
> > XKCD 936 password) could be reduced significantly, leaving
> > 'eq8GeKBhVXOTjF0dAyd0' password (aka base64 password) far superior.
> >
> > Also, bruteforcing a password by feeding a list of those to the online
> > service of any kind is dumb (unless you have a disposable botnet
> > dedicated to this purpose). Smart move is to obtain a list of
> > (hopefully) hashed passwords, which all bad guys are doing these days.
>
> Services accept numerous failed *online* logins without doing anything
> about it?

You'd be surprised how many services do exactly nothing about failed
logins (ssh out of the box for starters).
Even if they did - there's nothing a hypothetical service could do
against 10^5-10^6 unique IPs ('disposable botnet' comes here) each
attempting 2-3 logins.

Besides, why bother with online logins if you can dump password database
('dumb' and 'smart' come here)?

Reco
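
The pattern in the last reply (many sources, 2-3 failed logins each) stays under any per-source threshold. The sketch below is an added example, not part of the original message: it counts failures per target account across sources to show which of the two counters registers it. The thresholds, window, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 600            # seconds of history kept per key (assumed)
PER_IP_LIMIT = 5        # failures from one source before it is flagged (assumed)
PER_ACCOUNT_LIMIT = 20  # failures against one account before it is flagged (assumed)
MIN_SOURCES = 10        # distinct sources needed to call it distributed (assumed)

def detect(events):
    """events: (ts, src_ip, account) failed-login tuples, sorted by ts.
    Returns (sources flagged per-IP, accounts flagged per-account)."""
    by_ip, by_acct = defaultdict(deque), defaultdict(deque)
    ip_hits, acct_hits = set(), set()
    for ts, ip, acct in events:
        per_ip = by_ip[ip]
        per_ip.append(ts)
        while per_ip[0] <= ts - WINDOW:      # drop entries older than the window
            per_ip.popleft()
        if len(per_ip) > PER_IP_LIMIT:
            ip_hits.add(ip)
        per_acct = by_acct[acct]
        per_acct.append((ts, ip))
        while per_acct[0][0] <= ts - WINDOW:
            per_acct.popleft()
        sources = {src for _, src in per_acct}
        if len(per_acct) >= PER_ACCOUNT_LIMIT and len(sources) >= MIN_SOURCES:
            acct_hits.add(acct)
    return ip_hits, acct_hits

def sample_events():
    """Constructed data: documentation-range addresses, made-up accounts."""
    events = []
    for i in range(40):                       # 40 sources, 3 failures each
        for j in range(3):
            events.append((i * 5 + j * 200, f"198.51.100.{i + 1}", "admin"))
    for k in range(8):                        # one noisy source, 8 failures
        events.append((10 + k, "203.0.113.7", "bob"))
    events += [(50, "192.0.2.10", "alice"), (60, "192.0.2.10", "alice")]
    return sorted(events)

if __name__ == "__main__":
    ip_hits, acct_hits = detect(sample_events())
    print("flagged sources:", sorted(ip_hits))
    print("flagged accounts:", sorted(acct_hits))
```

On the constructed data the per-source counter flags only the single noisy address, while the per-account counter flags the account that 40 sources tried three times each.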