When an attacker believes that their target does not use secure passwords, they can use tools that compare the digest of the target’s password to any of the precompiled lists containing the digests of the most commonly used passwords.
Question: what happens under the hood (hardware and software) when the attacker knows that their target does use secure passwords, possibly using a password manager to deploy passwords of, let’s say, 30 characters, whose digests do not occur on those precompiled lists? Do they “simply” have the computer brute force every permutation? For a 30 char passwd using all the upper and lower case characters on an “English” keyboard (a-Z, 0-9, ~ - ?) (94 total), that would entail running 94^30 permutations.
Am I missing something?


The attacker could brute force it. Or they can make a phishing page to try and get the user to enter in their password.
Yeah, social engineering throws a lot of hardware and software hurdles out of the… Chassis.
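
The 94^30 figure from the question, carried through as an added example that is not part of the original posts: it sizes the search space for a uniformly random password and shows what length a defender needs for a target strength. The guess rate of 10^12 per second is an assumed figure for illustration, not a measurement, and the function names are hypothetical.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 10**12  # assumption for illustration only


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy in bits, valid only if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size, length, guesses_per_second):
    """Average exhaustive-search time: half the keyspace is tried on average."""
    expected_guesses = keyspace(alphabet_size, length) // 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def min_length_for_bits(alphabet_size, target_bits):
    """Shortest random password over this alphabet reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # 94 printable symbols, as counted in the question
    for length in (8, 12, 20, 30):
        bits = entropy_bits(94, length)
        years = expected_years(94, length, ASSUMED_GUESSES_PER_SECOND)
        print(f"len={length:2d}  bits={bits:6.1f}  expected years={years:.3g}")
    print("length needed for 128 bits:", min_length_for_bits(94, 128))
```

These numbers hold only for randomly generated passwords, such as those produced by a password manager; human-chosen passwords of the same length have far less entropy.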