How to crack a password??

[KiZ]

pretty cool, but how does that make sense? Surely the cooldown of 1 sec between pw attempts would never happen because if you needed to retry putting the pw in, you would have put in the wrong one anyway, and therefore the system would have locked down for 10 seconds?

[TheBigBasicQ]

The cool down thingy has been implemented in many of the latest services. For example hotmail locks up an account after 5(or 10, i dont remember) failed login attempts =P.

[Z!re]

The 10sec lockdown only occur after n failed login attempts, it is changeable by the user, so anyone can set it to like 1'000'000.
Thus the 1sec cooldown betveen any attempts, for the user accidentaly typing his login wrong it wont be any problem, but for the code breaker a 1 sec cooldown is serious problem.

[wildcard]

Its not impossible to gain entry to any system. But yes, for undetermined password crackers those counter measures and odds would make it virtually impossible. I was also suggesting/thinking of that there is more ways that just running a brute force program off your computer. Long passwords and limited login attempts will put off 99.99% of people, which is why it works so well.

[TheBigBasicQ]

I believe that you are present in the 0.01% of the people. What would you do?

[Moneo]

Most passwords that I'm familiar with are associated with a UserID, and give you 3 shots at getting it right, and then the UserID is disabled. So how the heck are you going to run thousands of tests in such a scenario?
*****

[wildcard]

The userid and limited attempts is part of what I said, stopping 99.99% of people. Which is basically all that you can do for the most part. If the solution was that simple to stop people competely, then you wouldn't have the cracker/hacker problems.

[Moneo]

The userid and limited attempts is part of what I said, stopping 99.99% of people. Which is basically all that you can do for the most part. If the solution was that simple to stop people competely, then you wouldn't have the cracker/hacker problems.

You're right wildcard, but in addition to the "limited attempts" many systems have complex rules for the passwords like how many upper/lower case, numeric and/or special characters they must have, plus a bunch of other rules about portions that cannot match the UserId.

If I had the inclination to hack a system, I wouldn't bother with the passwords, I'd look for a way to get into the database servers and hence into the data itself, which has the stuff worth getting into if I'm interested in selling information or modifying data for fraudulent purposes.

If I crack a password, I'm only going to obtain access to some limited functions that this UserId has entitlement to perform. Most of the critical functions are going to be protected by dual password control or maker/checker restrictions. And still, these critical functions are limited to certain specific activities only.
*****

[oracle]

The thing about those "password rules" is that they enable hackers to make regular expressions for trying them out :lol:

But still, that doesn't get around account locking. If I was gonna hack a system I'd attack the data source like money suggests, but this thread is about a router password so that won't help

[Moneo]

The thing about those "password rules" is that they enable hackers to make regular expressions for trying them out :lol:

The rules only help the hacker if the hacker knows the rules. But then the "limited attempts" is going to stop the hacker from doing any "learning".
*****