passwords and bots

  • Release Candidate 6
    Guest:
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

a viewer

Well-known member
Sep 30, 2020
85
27
Been hearing about c&c bots that infiltrate systems, however, is there a password-cracking bot? You don't need a powerful system (not breaking crypto), but millions of ip addresses. If someone wanted to break into a system, you would need a huge amount of iots, (lightbulbs would be great, but many share the same ip) that could try different passwords. Since most systems only notice (fail2ban, exim, apache, honeypots, etc) if you keep trying different passwords from the same ip (maybe google and other large ones would, but most don't), guess a flood of tries from all over wouldn't light up a red lamp.

Besides many systems have terrible password management, short passwords, only alpha, minimum size, etc. So an attacker could spend a little while figuring out the constraints to make the brute force attack faster (if it is an email server, you already have one of the two parts). Using a password manager wouldn't save you from this, only would take a little longer. If you can try millions of passwords an hour (you don't want to do a dos), you will eventually figure it out

Guess sqrl or the fido alternative would prevent this since you need a 256 B (4kB?) or larger to access them. However, when this becomes prevalent (and probably will if it isn't something yet), regular passwords will be dead. Who needs a quantum computer when you have millions of lightbulbs

Maybe using utf8 might help reduce the ease for something like this, but many systems choke with non-alphanumerics. Can only imagine using utf8 or other languages (Chinese, Japanese, etc.). Monkey123 isn't the same as Monkey123, and unless they have a reason to try utf8, they would stay in the extended ascii set. Maybe password managers need to expand to utf8 or utf16
 
Last edited:
list of common "passwords"
Didn't meant a dictionary attack, but brute force. There is nothing that would limit an army of zombies from trying out passwords to see if any works. Would imagine their first go would be a dictionary of passwords in case one fits.