


Question

I keep reading about situations where a hacker could "easily" brute force a password (most recent example), but I'm confused about when someone has an opportunity to do this kind of thing. If it is a website/web service, aren't attempts like this rate limited? I.e. I can't try my Amazon password 50 million times per second, even if my internet connection were more awesome than it is.

What needs to happen for someone to even have the opportunity to brute force their way into a system? And if systems can effectively throttle attempts to dozens or fewer per minute why is there such an emphasis on saying that GPU attacks can generate millions or billions of passwords per second if these are effectively useless?

Explanation / Answer

Mass brute force is usually done after the attackers have somehow seized a list of hashed passwords. This can happen in several situations, the most common being:

A SQL injection attack which allows attackers to push some more or less constrained SQL expressions to be evaluated by the target database. Depending on the site structure and local constraints for the attack, attackers might not be able to do what they wish with the database, but still be able to dump some parts of it.

Data is extracted from a discarded medium, e.g. an old hard disk; possibly an electronically broken hard disk, that the attacker retrieves from a dumpster and repairs.

Indelicacy from an employee or intern, who stealthily grabs a copy of the database and stores it on a USB Flash drive.

The common trend here is that cracking passwords is used to extend an attack:

The third point is probably the most common motivation for attackers.
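To make the distinction in the answer concrete, here is an added example (not part of the original answer, and not any real site's code) of what "offline" cracking looks like once an attacker holds a stolen hash list. The dump and the wordlist are constructed for illustration, and the example assumes the site stored unsalted SHA-256 hashes, which is the worst realistic case; a site using a slow, salted scheme such as bcrypt, scrypt or Argon2 would make every candidate far more expensive and would stop one hash computation from being checked against every user at once. The point the code shows is that nothing in the attacker's own loop rate-limits anything, so the online "dozens per minute" figure simply does not apply.

```python
import hashlib
import itertools
import string
import time

# Constructed sample "dump": the kind of data an attacker holds after a SQL
# injection, a stolen disk, or an insider copying the user table. Unsalted
# SHA-256 is assumed here; the passwords are illustrative, not real.
LEAKED_HASHES = {
    "alice": hashlib.sha256(b"password1").hexdigest(),
    "bob":   hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"zq7").hexdigest(),
    "dave":  hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed mini wordlist; a real attack would use a list of millions.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def index_by_hash(hashes):
    """Invert user -> hash into hash -> [users]. With unsalted hashes, users
    who chose the same password share a hash, so one lookup covers them all."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return by_hash


def crack_dictionary(hashes, wordlist):
    """Offline dictionary attack: hash each candidate once, then look it up
    against every stolen hash. Returns {user: recovered_password}."""
    by_hash = index_by_hash(hashes)
    found = {}
    for word in wordlist:
        h = hashlib.sha256(word.encode()).hexdigest()
        for user in by_hash.get(h, []):
            found[user] = word
    return found


def crack_bruteforce(hashes, alphabet, max_len):
    """Offline exhaustive search over all strings up to max_len drawn from
    alphabet. Returns ({user: password}, number_of_candidates_tried).
    No server is involved, so the only limit is local compute speed."""
    by_hash = index_by_hash(hashes)
    found, tried = {}, 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(tup)
            h = hashlib.sha256(cand.encode()).hexdigest()
            for user in by_hash.get(h, []):
                found[user] = cand
    return found, tried


def seconds_to_exhaust(keyspace_size, guesses_per_second):
    """Time to try every candidate in a keyspace at a given guess rate."""
    return keyspace_size / guesses_per_second


def measure_local_rate(samples=200_000):
    """Rough single-core SHA-256 throughput in guesses per second. A GPU
    cracker runs several orders of magnitude faster than this Python loop."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(str(i).encode()).digest()
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print("dictionary:", crack_dictionary(LEAKED_HASHES, WORDLIST))
    found, tried = crack_bruteforce(LEAKED_HASHES, string.ascii_lowercase + string.digits, 3)
    print("brute force:", found, "after", tried, "candidates")

    keyspace = 26 ** 8                    # 8 lowercase letters
    online = 10 / 60                      # a throttled login: 10 tries/minute
    local = measure_local_rate()
    gpu = 1e9                             # order of magnitude for a GPU on a fast hash
    year = 365 * 86400
    print(f"online @ {online:.2f}/s : {seconds_to_exhaust(keyspace, online) / year:,.0f} years")
    print(f"this CPU @ {local:,.0f}/s: {seconds_to_exhaust(keyspace, local) / 3600:,.1f} hours")
    print(f"GPU @ {gpu:.0e}/s : {seconds_to_exhaust(keyspace, gpu) / 60:,.1f} minutes")
```

Running it prints the cracked accounts and then the three timings for the same 8-lowercase-letter keyspace: tens of thousands of years against a throttled login form, hours on one CPU core, and a few minutes at GPU rates. That last line is why the "billions per second" figures matter: they describe the offline case the answer is talking about, not guesses sent over the network.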