Been hearing about c&c bots that infiltrate systems, however, is there a password-cracking bot? You don't need a powerful system (not breaking crypto), but millions of ip addresses. If someone wanted to break into a system, you would need a huge amount of iots, (lightbulbs would be great, but many share the same ip) that could try different passwords. Since most systems only notice (fail2ban, exim, apache, honeypots, etc) if you keep trying different passwords from the same ip (maybe google and other large ones would, but most don't), guess a flood of tries from all over wouldn't light up a red lamp.
Besides many systems have terrible password management, short passwords, only alpha, minimum size, etc. So an attacker could spend a little while figuring out the constraints to make the brute force attack faster (if it is an email server, you already have one of the two parts). Using a password manager wouldn't save you from this, only would take a little longer. If you can try millions of passwords an hour (you don't want to do a dos), you will eventually figure it out
Guess sqrl or the fido alternative would prevent this since you need a 256 B (4kB?) or larger to access them. However, when this becomes prevalent (and probably will if it isn't something yet), regular passwords will be dead. Who needs a quantum computer when you have millions of lightbulbs
Maybe using utf8 might help reduce the ease for something like this, but many systems choke with non-alphanumerics. Can only imagine using utf8 or other languages (Chinese, Japanese, etc.). Monkey123 isn't the same as Monkey123, and unless they have a reason to try utf8, they would stay in the extended ascii set. Maybe password managers need to expand to utf8 or utf16
Besides many systems have terrible password management, short passwords, only alpha, minimum size, etc. So an attacker could spend a little while figuring out the constraints to make the brute force attack faster (if it is an email server, you already have one of the two parts). Using a password manager wouldn't save you from this, only would take a little longer. If you can try millions of passwords an hour (you don't want to do a dos), you will eventually figure it out
Guess sqrl or the fido alternative would prevent this since you need a 256 B (4kB?) or larger to access them. However, when this becomes prevalent (and probably will if it isn't something yet), regular passwords will be dead. Who needs a quantum computer when you have millions of lightbulbs
Maybe using utf8 might help reduce the ease for something like this, but many systems choke with non-alphanumerics. Can only imagine using utf8 or other languages (Chinese, Japanese, etc.). Monkey123 isn't the same as Monkey123, and unless they have a reason to try utf8, they would stay in the extended ascii set. Maybe password managers need to expand to utf8 or utf16
Last edited:
