EWyatt, posted August 26, 2018

We're told to use strong passwords, yada, yada... It must be true, since hackers successfully get past the password walls all the time. My question is how! Sites ask for our passwords to get in, we supply them, and the site spends "some" time evaluating them for accuracy. If inaccurate, the site asks again, or gives us a few more tries, which takes even more time. Seems to me that using brute force to get a correct password would take days (or more) of trying to get in, considering the time sites evaluate those incoming passwords. Even using automated software to guess moderately strong passwords must take a LOT of time due to the site's time to evaluate them. What am I missing? Do hackers indeed spend days (or more) just trying to get into a site? Don't they have a life?

Endy0816, posted August 26, 2018

Password crackers can easily make billions (or more) of attempts each second. Can attempt to reduce the time further checking lists of common passwords and words from the dictionary first.

Limiting number of login attempts and spacing them out does go a long way to prevent brute force attacks.

Hackers are more likely now to be looking for security exploits or to engage in social engineering instead though. Most of what you see end up making the news. Again there are programs to make lives easier.

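The effect of limiting and spacing out login attempts, mentioned in the post above, as an added example that is not part of the original thread. The class name, the three free attempts, the 1-second base delay and the 15-minute cap are all assumptions chosen for the demonstration.

```python
class LoginThrottle:
    """Per-account limiter: a few free tries, then exponentially growing waits."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0):
        # All three values are assumptions chosen for the demonstration.
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # account -> (consecutive failures, locked_until)

    def delay_after(self, failures):
        """Seconds the account stays locked after its N-th consecutive failure."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts),
                   self.max_delay)

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now` (seconds); return the outcome."""
        failures, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return "throttled"  # the password is not even evaluated
        if password_ok:
            self._state.pop(account, None)
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self.delay_after(failures))
        return "rejected"


def guesses_evaluated(throttle, window_seconds, account="victim"):
    """Count wrong guesses a client can get evaluated within the window
    when it retries at the earliest moment the throttle permits."""
    now, evaluated = 0.0, 0
    while now <= window_seconds:
        assert throttle.attempt(account, False, now) == "rejected"
        evaluated += 1
        now += throttle.delay_after(evaluated)
    return evaluated


if __name__ == "__main__":
    print(guesses_evaluated(LoginThrottle(), 24 * 3600))  # guesses per day
```

A throttle like this only constrains guessing through the login form; it does nothing once a copy of the stored password list is being tested offline.
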
EWyatt (Author), posted August 26, 2018

11 minutes ago, Endy0816 said:
> Password crackers can easily make billions (or more) of attempts each second. Can attempt to reduce the time further checking lists of common passwords and words from the dictionary first.

Must be true, yet that doesn't jibe with the fact that it takes the site at least a few milliseconds to analyze the incoming password and provide a reject comment. How can all that happen thousands or millions of times per second? Or perhaps I don't understand how it all works....

Ghideon, posted August 26, 2018

4 minutes ago, EWyatt said:
> How can all that happen thousands or millions of times per second?

I don't know to what extent this still applies: in earlier Unix systems the first step was to look for exploits that gained access to a list of encrypted passwords. Then run the brute force attack offline.

Sensei, posted August 27, 2018

15 hours ago, EWyatt said:
> What am I missing? Do hackers indeed spend days (or more) just trying to get into a site? Don't they have a life?

Professional hackers are using key-loggers. They send the victim Trojan software (e.g. in an e-mail with a link which, after clicking it, infects their computer), which installs on their machine, and when the user is logging in to some website and pressing keys on the keyboard, the hacker is informed what the password is straight away without having to guess it. It does not require the brute-force method of manually searching for the password (or it limits it greatly).

If a website is not using secure HTTP (HTTPS), the password can be sent in raw form through the Internet (or as md5(password)). If somebody already owns your router, or ISP, they can get the password or e.g. md5(password) straight away from the transmitted packets.

E.g. the ScienceForums.net website got HTTPS just recently, in January 2018.
https://www.scienceforums.net/topic/108148-upcoming-next-week-https-support/
(in other words, prior to this date, all the passwords could have been intercepted by somebody already, and they can pretend to be legit members of this forum right now, or in the future)

Endy0816, posted August 27, 2018

19 hours ago, Ghideon said:
> I don't know to what extent this still applies: in earlier Unix systems the first step was to look for exploits that gained access to a list of encrypted passwords. Then run the brute force attack offline.

Was just thinking needed to mention that too, lol. Can also try multiple login attempts at once.

Generally you'd use brute force only in some cases. Has to be both possible and worth it.

Case in the news a bit ago of the Government pressuring Apple to allow them unlimited attempts, so they could use this method to get into a terrorist's phone.

Edited August 27, 2018 by Endy0816

Ghideon, posted August 27, 2018

9 hours ago, Sensei said:
> password can be sent in raw form through the Internet

That made me remember another, somewhat related case I heard of. Can't find it online so no reference this time: Some systems offer users the option to store a password hint. In the case I heard of, the hackers got access to a list of hints; they were stored in clear text or protected by weak encryption. Hints such as "Yellow fruit" made the brute force attack a lot easier.

Sensei, posted August 30, 2018

On 27.08.2018 at 3:49 PM, Endy0816 said:
> Case in the news a bit ago of the Government pressuring Apple to allow them unlimited attempts, so they could use this method to get into a terrorist's phone.

They are fooling you. They can make a duplicate of the entire memory of the device, and then run a brute-force method on an emulator of the device on a supercomputer cluster with thousands of machines running in parallel.

John Cuthber, posted August 30, 2018

2 minutes ago, Sensei said:
> They are fooling you. They can make a duplicate of the entire memory of the device, and then run a brute-force method on an emulator of the device on a supercomputer cluster with thousands of machines running in parallel.

Then why did they take Apple to court?

iNow, posted August 30, 2018

43 minutes ago, John Cuthber said:
> Then why did they take Apple to court?

IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today.

One - To keep their current secrets, subterfuge about existing capabilities.
Two - Save time and make it easier in the future.

Carrock, posted August 30, 2018

2 hours ago, Sensei said:
> They are fooling you. They can make a duplicate of the entire memory of the device, and then run a brute-force method on an emulator of the device on a supercomputer cluster with thousands of machines running in parallel.

From https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

Quote:
> The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs and GIDs are also not available through JTAG or other debugging interfaces.
> ..........
> The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible.

Apple is deliberately a bit vague, but it seems the encrypted files cannot be read without using encrypted addressing which will be permanently disabled after about six hacking attempts.

Physical hacking, using e.g. a TTM to measure the stored charge corresponding to each bit, is probably not practical.

Edited August 30, 2018 by Carrock (small correction)

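A simplified model of the device-bound key hierarchy described in the quoted guide, as an added example that is not part of the thread and is not Apple's actual algorithm. The `SecureElement` class, the PBKDF2-then-HMAC construction, the iteration count and the failure limit are all assumptions made for illustration; the point shown is that storage contents copied to another device do not unlock there, even with the correct passcode.

```python
import hashlib
import hmac
import os


class SecureElement:
    """Toy chip: holds a per-device secret and exposes only operations on it."""

    def __init__(self, max_failures=10):      # limit is an arbitrary demo value
        self._uid = os.urandom(32)            # constructed stand-in for a fused key
        self._max_failures = max_failures
        self._failures = 0
        self.wiped = False

    def _derive(self, passcode, salt):
        # Stretch the passcode, then tie the result to this device's secret.
        stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000)
        return hmac.new(self._uid, stretched, hashlib.sha256).digest()

    @staticmethod
    def _verifier(key):
        return hashlib.sha256(b"verifier" + key).digest()

    def enroll(self, passcode):
        """Return (salt, verifier): the only values written to flash storage."""
        salt = os.urandom(16)
        return salt, self._verifier(self._derive(passcode, salt))

    def unlock(self, passcode, salt, verifier):
        """Return the file key on success, None on failure or after a wipe."""
        if self.wiped:
            return None
        key = self._derive(passcode, salt)
        if hmac.compare_digest(self._verifier(key), verifier):
            self._failures = 0
            return key
        self._failures += 1
        if self._failures >= self._max_failures:
            self._uid = None                  # secret destroyed; data unrecoverable
            self.wiped = True
        return None


def copied_flash_unlocks(passcode="493817"):
    """Enroll on device A, then present A's flash contents to device B."""
    device_a, device_b = SecureElement(), SecureElement()
    salt, verifier = device_a.enroll(passcode)
    return (device_a.unlock(passcode, salt, verifier) is not None,
            device_b.unlock(passcode, salt, verifier) is not None)
```
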
Strange, posted August 30, 2018

The ARM processor includes hardware security (Edit: as described in Carrock's post) so even if it were possible/practical to extract the entire contents of memory and emulate the entire device (which I doubt) you wouldn't be able to get at the encrypted data.

1 hour ago, iNow said:
> IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today. One - To keep their current secrets, subterfuge about existing capabilities. Two - Save time and make it easier in the future.

Or ... the suggestion is just bollocks.

Edited August 30, 2018 by Strange

fiveworlds, posted August 30, 2018

Quote:
> so even if it were possible/practical to extract the entire contents of memory and emulate the entire device (which I doubt)

You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

Strange, posted August 30, 2018

1 hour ago, fiveworlds said:
> You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

I assume he either copied encrypted data or removed the password first.

StringJunky, posted August 30, 2018

8 hours ago, iNow said:
> IMO it was to make the same attempts easier each time they desire to do so in the future. It also was a PR move to suggest they lacked capabilities to do it today. One - To keep their current secrets, subterfuge about existing capabilities. Two - Save time and make it easier in the future.

In China, they ask to see the contents of your phone and you will comply.

Carrock, posted August 30, 2018

2 hours ago, fiveworlds said:
> You just unsolder the memory chip from the board and place it onto a machine to copy it. Then you can solder the copied chip into the board. Strangeparts made a video about copying his iPhone data onto a new (much larger) memory chip. I don't know where you would buy the machine though. It is definitely possible.

34 minutes ago, Strange said:
> I assume he either copied encrypted data or removed the password first.

I didn't watch all the video but he appears to have taken a decrypted backup copy, fitted new bigger memory and restored from backup - no security issues.

7 minutes ago, StringJunky said:
> In China, they ask to see the contents of your phone and you will comply.

If you've forgotten the password how do you comply?

Edited August 30, 2018 by Carrock

StringJunky, posted August 30, 2018

1 minute ago, Carrock said:
> If you've forgotten the password how do you comply?

I'm sure they will find a place for you to reflect until you remember.

Sensei, posted August 31, 2018

8 hours ago, StringJunky said:
> In China, they ask to see the contents of your phone and you will comply.

Buy a second phone just for international travel.

Dump of the memory of the device prior to travel, disable all transmission, don't use the device, travel, dump of the memory of the device after travel. Comparison of these two, to find changes. If they differ, what are the differences, which files and directories have changed...? It could be an infection from an external source (not necessarily the government of the countries which you just visited).

theresav fields, posted October 11, 2018

Yes, it is true, a password is very important for our documents and systems, and the use of automatic software for password creation is a very risky task. So we use a strong password for our safety. I am an iTunes user and I have made a strong password with the help of Apple support and now my iTunes is secure from hackers.