On 2/22/20 7:47 PM, Alessandro Vesely via mailop wrote:
> Even without 2FA, a password different from "12345" is probably desperately
> hard to guess.

_No_

When users tend to re-use the same password on different web sites, or a slightly different password from site to site, guessing a password might be quite easy.

On a domain I will not specify:
- ~5% of accounts have been compromised
- ~8% of accounts have at least one compromised password associated with their email (as I do not spend that much time retrieving lists of compromised accounts, this figure is probably below reality)
- these accounts have on average 2.7 compromised passwords (same comment)

Once an account is compromised, many users do not realize what it really means and try to reset the password to the previous one or use a very basic transformation (just like using 'Password12' instead of 'password' or 'mybaby2003' instead of 'mybaby03').

If an attacker has a few compromised passwords associated with an email, he may easily guess which part of a password is re-used and which parts are modified.

It looks like we are experiencing such attacks here.

François
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
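A defender-side check for the reset pattern François describes, as an added example that is not part of the thread: it normalises a proposed new password (case, digit/symbol padding, common leetspeak) and rejects it when it is a trivial variant of a password already leaked for that account. The COMPROMISED list and the length/edit-distance thresholds are constructed assumptions.

```python
"""Reject a password reset when the new password is only a trivial
transformation of a password already leaked for that account.
Added example, not code from the post; COMPROMISED below is constructed."""
import re

# Undo the leetspeak substitutions users most often apply to a reused word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def stem(password):
    """Lower-case, strip digit/symbol padding at both ends, then undo leetspeak."""
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return s.translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, plain DP, for catching one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def trivial_variant_of(candidate, compromised, max_edits=2):
    """Return the leaked password the candidate is derived from, else None."""
    c = stem(candidate) or candidate.lower()   # all-digit input keeps its raw form
    for old in compromised:
        o = stem(old) or old.lower()
        same_core = c == o
        contains = min(len(c), len(o)) >= 5 and (c in o or o in c)
        close = min(len(c), len(o)) >= 6 and edit_distance(c, o) <= max_edits
        if same_core or contains or close:
            return old
    return None

# Constructed sample: passwords previously seen in breach dumps for one address.
COMPROMISED = ["password", "mybaby03", "Summer2019!"]

if __name__ == "__main__":
    for attempt in ["Password12", "mybaby2003", "P@ssw0rd2021", "correct horse battery"]:
        print(attempt, "->", trivial_variant_of(attempt, COMPROMISED))
```

The breach-derived passwords are compared in the clear because that is how they arrive from leak corpora; the site's own credential store still holds only hashes.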