Topic: Let's talk about computer security for a moment (Page 2 of 2)

 
HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 03-28-2006 13:08
quote:

TwoD said:

Umm, if it's true bruteforcing, not just a dictionary attack, any password will be cracked. Will probably take some time [...]


Yes, hence it will not be effective, as in, there is no reason to do it, because by the time the plaintext is found you won't be able to use it.

(Edited by HZR on 03-28-2006 13:16)

TwoD
Bipolar (III) Inmate

From: Sweden
Insane since: Aug 2004

posted 04-02-2006 00:05
quote:

HZR said:

Yes, hence it will not be effective, as in, there is no reason to do it, because
by the time the plaintext is found you won't be able to use it.



Who knows, bruteforcing doesn't have to be linear, you can make random jumps too and hope you get lucky. Also there are combinations of bruteforcing and dictionary attacks that might be more effective.
Anyway, you'd still get the passphrase some day, be it still in use or not.
Some companies tend to use things like "password1" and then just move on to "password2" after say a month. You might be able to guess the current pass based on the pass you found.
It's also possible that they simply don't change the pass.

Heck, it might take you a hundred years to crack the pass, but if you're an "über 1337" hacker, you might also be familiar with distributive processing. I find that scene in Operation Takedown, where Mitnick takes command of the whole computer pool to do his dirty work, hilarious.

/TwoD

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 04-02-2006 14:49
quote:

TwoD said:
Who knows, bruteforcing doesn't have to be linear, you can make random jumps too and hope you get lucky.


You always hope to get lucky when brute forcing. I don't see how random jumps would help, rather the opposite, since there is a probability that you try the same key twice (or more).

quote:
Also there are combinations of bruteforcing and dictionary attacks that might be more effective.


A good passphrase would never be vulnerable to dictionary/hybrid attacks.

quote:
Anyway, you'd still get the passphrase some day, be it still in use or not.


Yes, but the probability that you find a good passphrase during your lifetime is close to non-existent.

quote:
Some companies tend to use things like "password1" and then just move on to "password2" after say a month. You might be able to guess the current pass based on the pass you found.


Yes, this is why companies should have good password policies, which forbid this.

TwoD
Bipolar (III) Inmate

From: Sweden
Insane since: Aug 2004

posted 04-02-2006 20:11
quote:

HZR said:

You always hope to get lucky when brute forcing. I don't see how random jumps
would help, rather the opposite, since there is a probability that you try the
same key twice (or more).


You would obviously keep track of which combinations have been tested to avoid that.
I'm just making suggestions here, I've never needed to bruteforce a pass so I don't really know which methods would be most effective.

quote:
A good passphrase would never be vulnerable to dictionary/hybrid attacks.


Who said everyone uses good passphrases, even if they are supposed to?
I know for sure I don't at all times, but that's my problem...

quote:

Yes, but the probability that you find a good passphrase during your lifetime is close to non-existent.


Not if you have the right resources. You'd have to be really desperate to do it with a single machine. I guess you missed my last paragraph about that. :P

Anyway, the possibility to crack the pass using bruteforcing is very real, no matter if it takes time or not. If it's still valid is a different matter.

/TwoD

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 04-02-2006 20:40
quote:

TwoD said:
You would obviously keep track of which combinations have been tested to avoid that.


Well, that sounds like an even worse idea, since you would have to constantly check if you've tried that key already. Not to mention the memory requirements.

quote:
Who said everyone uses good passphrases


Good passphrases are at least what I've been talking about all along.

quote:
Not if you have the right resources. You'd have to be really desperate to do it with a single machine.


But still, even if you use a distributed attack, it would take _a lot_ of time to crack a good passphrase (say, a 20 character long [truly] random string, using upper/lowercase letters, numbers and "special characters", using a realistic distributed attack. You do the math.)

(Edited by HZR on 04-02-2006 20:50)
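
The math HZR asks for, as an added example that is not part of any post in this thread: it sizes the keyspace of the 20-character random passphrase, compares ordered enumeration with random picks that may repeat, and sizes the bitmap needed to remember tried keys. The 94-symbol alphabet and the guess rate are assumptions chosen for illustration.

```python
import math
import random
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = 94            # assumption: printable ASCII without the space
LENGTH = 20              # from the post: 20 truly random characters
GUESSES_PER_SEC = 1e12   # assumption: aggregate rate of a distributed search

def keyspace(alphabet_size, length):
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)

def expected_guesses_sequential(n):
    # Every key tried exactly once: the hit lands on average at (n + 1) / 2.
    return Fraction(n + 1, 2)

def years_to_search(n, guesses_per_second):
    return float(expected_guesses_sequential(n)) / guesses_per_second / SECONDS_PER_YEAR

def tracking_bitmap_bytes(n):
    # One bit per key to remember which combinations were already tested.
    return (n + 7) // 8

def simulate(n, trials, seed=1):
    # Mean guesses on a toy keyspace: (in order, random picks with repeats).
    rng = random.Random(seed)
    seq_total = rnd_total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        seq_total += secret + 1            # keys tried in order 0, 1, 2, ...
        draws = 1
        while rng.randrange(n) != secret:  # independent picks, mean is n
            draws += 1
        rnd_total += draws
    return seq_total / trials, rnd_total / trials

if __name__ == "__main__":
    n = keyspace(ALPHABET, LENGTH)
    print(f"{entropy_bits(ALPHABET, LENGTH):.1f} bits, {years_to_search(n, GUESSES_PER_SEC):.2e} years")
    print(f"bitmap of tried keys: {tracking_bitmap_bytes(n):.2e} bytes")
    print("toy keyspace means (sequential, random):", simulate(200, 2000))
```

Random picks with repeats need about twice as many guesses on average as plain enumeration, and avoiding repeats by bookkeeping costs one bit per key in the keyspace.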

TwoD
Bipolar (III) Inmate

From: Sweden
Insane since: Aug 2004

posted 04-04-2006 21:53

Already did do the math. It would take me about 12 billion years (if I remember the correct numbers) to crack an 8 character passphrase using the JavaScript bruteforcer I wrote to show a friend how it works.
It had to reload a page between each combination, otherwise it might have been slightly faster lol

Forget about random jumps, I explained that idea in a bad way...

In any case, I'm just messing with ya HZR, but you kept shooting holes through my arguments without showing mercy so I had to go on for a while lol

I totally agree with the fact that pure bruteforcing would get you nowhere (in a reasonable amount of time), unless the target doesn't change passphrases, and you're way better off with more "circumventive" methods.

Still, it's cool to see a Hollywood-style bruteforce attack succeed in a matter of minutes

/TwoD

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 04-04-2006 23:13
quote:

TwoD said:

Still, it's cool to see a Hollywood-style bruteforce attack succeed in a matter of minutes


Yea, it's fun. I also like the beeps and 3D interfaces and the likes every time Hollywood goes hacking

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 04-05-2006 17:36

-huuuge sigh-....

Guys, nobody cares about your passphrase or its length for that matter, and a skilled network pro
will be in no matter the passphrase, and in no time.

(God, I swear, I tried to spread the word, tried to warn them, tried to inform them. I did my best. HZR's on a
"hacking is all about brute-force and it doesn't work on WPA because WPA's invincible" rampage.
Please, send us the holy nurse, *any nurse*, we have a meds balancing issue in this wing)

TwoD
Bipolar (III) Inmate

From: Sweden
Insane since: Aug 2004

posted 04-05-2006 19:19

_Mauro: I think you missed that both HZR and I agreed that there are easier and smarter ways to gain access than to brute-force the way in... do I still get those meds adjusted?
I think I need it since I, being hyper-active right now, decided to try bruteforcing my own wireless. I need something stronger to keep me typing 50 combos/minute, I want to finish before I die, please...
...
Oh, you mean it can be automated? Doh...

/TwoD

HZR
Paranoid (IV) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 04-05-2006 20:48

-Really huge sigh-

quote:

_Mauro said:

Guys, nobody cares about your passphrase or its length for that matter, and a skilled network pro
will be in no matter the passphrase, and in no time.

(God, I swear, I tried to spread the word, tried to warn them, tried to inform them. I did my best. HZR's on a
"hacking is all about brute-force and it doesn't work on WPA because WPA's invincible" rampage.
Please, send us the holy nurse, *any nurse*, we have a meds balancing issue in this wing)


I think you're on a "misunderstanding is all I do, and that's what I'm best at" rampage. Or something like that. Please at least _try_ to read the whole thread.

-Another sigh-

(Edited by HZR on 04-05-2006 21:07)
