Damn, lost everything....
People are nowhere near as random as they would like to think they are. Sites often have restrictions against using dictionary words or common names, and require you to insert a number or special character, so people will take their preferred word or name and substitute, say, the number 0 for the letter o, or 4 for a. These substitutions are so common that they add only the illusion of security, and can be easily accounted for by anyone making a serious brute force attempt.

There is an interesting little tool called passfault which estimates, roughly, the time it would take to crack a password. It takes into account words in many languages, reversals, common misspellings, substitutions, insertions, and so on. Many people who try it find out that their personal system for generating strong site passwords is, in fact, completely ineffective.

Anyway, brute forcing is rarely used unless an attacker wants to target a specific account. More often, accounts are compromised en masse via keyloggers, hacking of another site, phishing, etc. They put all the compromised account info on a big list, and then sell it to others who will use it to get into other accounts owned by the same people on dozens of other sites (games, PayPal, Amazon, online banks and brokerages, etc.). So these kinds of hacks usually happen on a large scale rather than targeting just one service or site or person. It's easier and more efficient to get into the accounts of 100,000 people who have poor security than trying to manually break into the accounts of 100 people who have good security.
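Added example (not part of the original post, and not passfault's code): a simplified password-policy check that undoes the substitutions, reversals and digit/symbol padding the post mentions and reports the dictionary word a password collapses to. The word list, the substitution table and the function name `reduces_to_word` are constructed for illustration.

```python
import itertools

# Constructed mini word list; a real check would load a large dictionary
# or a breached-password list instead.
WORDS = {"password", "dragon", "monkey", "letmein", "sunshine"}

# Assumed table of common substitutions: symbol -> letter(s) it stands for.
SUBS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}

# Characters people typically insert before or after a word to satisfy a policy.
PADDING = "0123456789!@#$%^&*._-"


def reduces_to_word(password, words=WORDS, limit=4096):
    """Return the dictionary word the password reduces to, or None.

    Each character is tried both as typed and as the letter it commonly
    replaces; every resulting candidate is stripped of leading/trailing
    padding and checked forwards and reversed. `limit` caps the number
    of candidates so a long, symbol-heavy input cannot blow up the search.
    """
    pw = password.lower()
    options = [ch + SUBS.get(ch, "") for ch in pw]
    for combo in itertools.islice(itertools.product(*options), limit):
        core = "".join(combo).strip(PADDING)
        for form in (core, core[::-1]):
            if form in words:
                return form
    return None


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["p4ssw0rd", "Dr@g0n2024!", "yeknom77", "1etme1n", "vq8#Tz!mK2rW"]:
        hit = reduces_to_word(pw)
        print(f"{pw:14} -> {hit or 'no dictionary match'}")
```

A site could run a check like this at password-set time and reject anything that returns a match, since such a password is effectively the bare word as far as a guessing attack is concerned.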