passwords and bots

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

a viewer

Well-known member
Sep 30, 2020
89
19
Been hearing about c&c bots that infiltrate systems, however, is there a password-cracking bot? You don't need a powerful system (not breaking crypto), but millions of ip addresses. If someone wanted to break into a system, you would need a huge amount of iots, (lightbulbs would be great, but many share the same ip) that could try different passwords. Since most systems only notice (fail2ban, exim, apache, honeypots, etc) if you keep trying different passwords from the same ip (maybe google and other large ones would, but most don't), guess a flood of tries from all over wouldn't light up a red lamp.

Besides many systems have terrible password management, short passwords, only alpha, minimum size, etc. So an attacker could spend a little while figuring out the constraints to make the brute force attack faster (if it is an email server, you already have one of the two parts). Using a password manager wouldn't save you from this, only would take a little longer. If you can try millions of passwords an hour (you don't want to do a dos), you will eventually figure it out

Guess sqrl or the fido alternative would prevent this since you need a 256 B (4kB?) or larger to access them. However, when this becomes prevalent (and probably will if it isn't something yet), regular passwords will be dead. Who needs a quantum computer when you have millions of lightbulbs

Maybe using utf8 might help reduce the ease for something like this, but many systems choke with non-alphanumerics. Can only imagine using utf8 or other languages (Chinese, Japanese, etc.). Monkey123 isn't the same as Monkey123, and unless they have a reason to try utf8, they would stay in the extended ascii set. Maybe password managers need to expand to utf8 or utf16
 
Last edited:
list of common "passwords"
Didn't meant a dictionary attack, but brute force. There is nothing that would limit an army of zombies from trying out passwords to see if any works. Would imagine their first go would be a dictionary of passwords in case one fits.