I read very recently that our password system is completely backwards. We encourage long passwords t...


"Intelligence" does not factor into this at all. Your formulation is a bit curious; what do you think is different in a brute-force attack and, as you describe it, "an automated system [which] would just continually try random characters until it finally hit"?
To reiterate, it does not matter what the replacement rules are. Since they are known by the attacker, they construct the attempted passwords in the same way as you.
Nothing. That was my explanation of what I was calling a Brute Force attack. I didn't know if I was using the term correctly, so I described it. "Wherein" not "Whereas".
Let me try to explain why I think intelligence matters. To keep this very simple, let's say the rules are "Password must contain minimum 2 characters" and "One character must be a number".
What I am trying to call a Brute Force attack would be given those rules and then start with a1. If that doesn't work, b1. etc etc until it finally hits something. However, an intelligent attacker would know that I was born May 15th (not actually true) and my dog's name is Susie (not actually true), so may try Susie515 a lot sooner than the "non-intelligent" attacker would.
Thanks. I figured as much, as this is a common misconception when it comes to entropy estimation. From the top:
And conversely, an attacker that is brute-forcing passwords knowing YOUR birthday is May 15th, is attacking YOU, because that is the best way to spend their resources.
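
The entropy-estimation point argued in the thread, as an added example that is not part of the original comments: a password's strength is bounded by the cheapest scheme that could have produced it, not by the size of its character set. The word lists, the "word + trailing digits" scheme and all function names are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample data: the thread's made-up dog name plus a tiny generic list.
PERSONAL_WORDS = {"susie"}
COMMON_WORDS = {"password", "dragon", "monkey", "summer"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def exhaustive_bits(password):
    """Bits of work for enumerating every string over the character classes used.
    ASCII only in this sketch."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def pattern_bits(password, words=PERSONAL_WORDS | COMMON_WORDS):
    """Bits of work if the scheme 'known word, 3 casings, trailing digits' is known.
    Returns None when the password does not fit that scheme."""
    word = password.rstrip(string.digits)
    digits = password[len(word):]
    if not word.isalpha() or word.lower() not in words:
        return None
    if word not in (word.lower(), word.capitalize(), word.upper()):
        return None
    word_choices = len(words) * 3
    # Every digit suffix of length 0..len(digits) is in the search space.
    digit_choices = sum(10 ** k for k in range(len(digits) + 1))
    return math.log2(word_choices * digit_choices)


def effective_bits(password):
    """Strength is the minimum over all models the password fits."""
    estimates = [exhaustive_bits(password)]
    fitted = pattern_bits(password)
    if fitted is not None:
        estimates.append(fitted)
    return min(estimates)


if __name__ == "__main__":
    for pw in ("Susie515", "q7Vx2mKp"):
        print(f"{pw}: exhaustive={exhaustive_bits(pw):.1f} bits, "
              f"effective={effective_bits(pw):.1f} bits")
```

Both sample passwords are eight characters drawn from the same three character classes, so a composition-rule meter scores them identically; only the one that fits a known scheme collapses to the size of that scheme's search space.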