I'm humbled by all the expertise on this email thread. I have a CentOS 7 website server needing fail2ban, but it's failing on install, so I'll post another question in a separate thread.
On Wed, May 3, 2023 at 2:50 PM Paul Boniol <[email protected]> wrote:

> What Csaba is saying is that, in some cases, the hashed password has been
> exposed and copied to a local computer, and the encryption method is known.
> This eliminates any delay that may be imposed on trying to crack it, as you
> aren't contacting the website until you know what the password is (was).
>
> On Tue, May 2, 2023, 2:33 PM THOMAS BARTKUS <[email protected]> wrote:
>
>> "So with a 10TH miner you can try 10^13 / 10^5 = 10^8 passwords per
>> second ..."
>>
>> This ignores the intolerable overhead created by the computer you are
>> trying to hack!
>> If the remote is deliberately imposing a 1 second turnaround to verify,
>> using your 10^8 password attempts, the situation is thus:
>>
>> 10^8/seconds/minutes/hours/days/365
>> 10^8/60/60/24/365 = 3.17 years of overhead that the attacking computer
>> has no control over. Your computer speed is of no consequence.
>>
>> Assuming that your quantum magic computer might chew 10^8 permutations in
>> one second, that still means 3.2 years + one second to do the job.
>>
>> Of course, you might get lucky and strike gold after the first 8 months.
>> Or you can attack 100 different computers at once, improving the chances
>> of a single successful hit in a shorter period of time.
>>
>> But the fact remains I think the "Hive Systems" chart is a fantasy
>> designed to scare you into using their services.
>>
>> Did I forget to mention that any good password verification will lock you
>> out after 3 or 5 failed attempts? Now we're talking centuries to crack any
>> good password.
>>
>> On 05/02/2023 1:36 PM Csaba Toth <[email protected]> wrote:
>>
>> Well, some of the data breaches may get hold of the password hash. Like
>> the master passwords in the case of the LastPass breach, and in this case you
>> don't have to deal with the delay it takes for a bot to properly go
>> through the login process (entering username and password in a GUI and
>> clicking a button) like I see they constantly try on an exposed RDP endpoint.
>> So in that case they can brute force closer to the "source"; however, as you
>> mentioned, even the LastPass master password was hashed I think 100,100
>> times - or something - by default (and they are raising it to 600,000),
>> which is deliberately to make a brute force ~100k times slower.
>> I don't know if that hash algorithm is in alignment in any way with the
>> hashes the cryptocurrencies use. In that case a hacker might utilize ASICs
>> specifically developed for crunching hashes; those miner rigs are insanely
>> fast compared to even a GPU. Bard gave me this figure:
>>
>> Device        Hash Rate
>> CPU           1-10 MH/s
>> GPU           100-600 MH/s
>> ASIC Miner    1-10 TH/s
>>
>> As you see an ASIC miner could be 1,000-10,000 X faster than a GPU. So
>> with a 10TH miner you can try 10^13 / 10^5 = 10^8 passwords per second for
>> a LastPass master password. Then comes the question how big is your
>> dictionary, and there are techniques like
>> https://en.wikipedia.org/wiki/Rainbow_table which cut down the crack
>> time.
>>
>> So it really depends on the hacker's budget and definitely on the
>> complexity of the password. Quantum computers might change the picture, but
>> that's still a few decades (fortunately).
>>
>> On Tue, May 2, 2023 at 10:44 AM Thomas Bartkus <[email protected]>
>> wrote:
>>
>> I have quibbles with their methodology. Their computer already has the
>> password they submit and a separate program has to guess what it is. By
>> brute force. Try something, then try the next.
>>
>> The problem is that in the real world they don't know what the password
>> is. They have to test the trials against a remote or a website. Common
>> practice is to make the verification deliberately slow. Enforcing a one
>> second turnaround time means it takes a full second to know if they got a
>> hit. This lengthens the time to crack it enormously. A 2 second delay
>> doubles the time again. An enormous time overhead over which the attacking
>> computer has no control.
>>
>> To get a true picture they need to test against a real (slow!)
>> verification process outside their control. Even the simplest passwords
>> would take days to crack no matter how fast their computers were. I think
>> their chart is wildly inaccurate.
>>
>> What am I missing here?
>>
>> On Wednesday, April 19, 2023 at 2:32:29 AM UTC-5 [email protected]
>> wrote:
>>
>> I'm interested in learning more about this:
>>
>> https://www.reddit.com/r/coolguides/comments/12qmk1r/i_updated_our_famous_password_table_for_2023/
>>
>> --
>> --
>> You received this message because you are subscribed to the Google Groups
>> "NLUG" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nlug-talk?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "NLUG" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/nlug-talk/6ec21391-b2e6-473e-9721-a2ebae1e5567n%40googlegroups.com
>> <https://groups.google.com/d/msgid/nlug-talk/6ec21391-b2e6-473e-9721-a2ebae1e5567n%40googlegroups.com?utm_medium=email&utm_source=footer>.
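The arithmetic the thread argues over, as an added worked example that is not from any of the posters: it reproduces Csaba's 10^13 / 10^5 = 10^8 offline figure and Thomas's 10^8 / 60 / 60 / 24 / 365 = 3.17 years online figure, adds the lockout Thomas mentions, and times a real PBKDF2-HMAC-SHA256 derivation at the 100,100 and 600,000 iteration counts. The 62^8 keyspace, the 15-minute lockout per 5 failures and the sample password are assumptions.

```python
"""Work-factor arithmetic from the thread: cracking a leaked PBKDF2 hash
offline (attacker-paced) vs. guessing against a live login (server-paced)."""
import hashlib
import os
import time

SECONDS_PER_YEAR = 60 * 60 * 24 * 365   # the thread's /60/60/24/365 factor

def offline_guesses_per_second(raw_hash_rate: float, iterations: int) -> float:
    """Guesses/s when the attacker holds the hash: a 10 TH/s ASIC (1e13)
    against a 100,100-iteration PBKDF2 hash gives ~1e8, as Csaba computed."""
    return raw_hash_rate / iterations

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def online_years(keyspace: int, round_trip_seconds: float,
                 lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Server-paced guessing: each attempt costs one round trip, and after
    `lockout_after` failures the account is frozen for `lockout_seconds`.
    The attacker's own hash rate does not appear in this formula at all."""
    per_attempt = round_trip_seconds
    if lockout_after:
        per_attempt += lockout_seconds / lockout_after
    return keyspace * per_attempt / SECONDS_PER_YEAR

def pbkdf2_seconds(iterations: int) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation on this machine
    (constructed sample password, random salt)."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample", os.urandom(16), iterations)
    return time.perf_counter() - t0

if __name__ == "__main__":
    asic = 10 ** 13        # 10 TH/s, the thread's ASIC figure
    keyspace = 62 ** 8     # assumption: 8 characters drawn from [A-Za-z0-9]
    for iters in (100_100, 600_000):   # LastPass old vs. new iteration count
        gps = offline_guesses_per_second(asic, iters)
        print(f"offline, {iters:>7} iterations: {gps:.2e} guesses/s, "
              f"{years_to_exhaust(keyspace, gps):.3f} years for 62^8")
    # Thomas's figure: 10^8 attempts at one second each, then with a lockout
    print(f"online, 1 s/attempt, 1e8 guesses: {online_years(10**8, 1.0):.2f} years")
    print(f"online, plus 15 min lockout per 5 failures: "
          f"{online_years(10**8, 1.0, 5, 900):.0f} years")
    for iters in (100_100, 600_000):
        print(f"local PBKDF2, {iters} iterations: {pbkdf2_seconds(iters)*1000:.0f} ms")
```

The offline lines show why the iteration count, not the server, is the only brake once the hash has leaked; the online lines show why the attacker's hardware drops out of the equation entirely when the server sets the pace.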
