News AI Can Crack Most Common Passwords In Less Than A Minute

Page 2 - Tom's Hardware community discussion

brandonjclark

Distinguished
Dec 15, 2008
You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I were in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5 min after three consecutive failed attempts.
You'd be contacted by upper management pretty quickly for that. Did you have a change ticket? LOL

neojack

Honorable
Apr 4, 2019
Saying that 2FA is useless is like saying that you don't need an airbag in a car because you already have a seatbelt,
then proceeding to point out cases where people got injured in a crash despite having an airbag and a seatbelt.

It's a fallacy called the "perfect solution fallacy"
https://en.wikipedia.org/wiki/Nirvana_fallacy

2FA is just another layer of security. It's in its name! Two-Factor Authentication. It's not named "Perfect Factor Authentication" for a reason: because it is not. Nothing is magic or perfect in this world, but two locks are better than one.

newtechldtech

Notable
Sep 21, 2022
You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I were in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5 min after three consecutive failed attempts.

You can't do this because some people forget a lot with age and still need the critical data... I think the best way is to enforce two-step verification in case of many errors.

jp7189

Distinguished
Feb 21, 2012
If someone managed to get your servers' password file, you probably have more urgent things to worry about since the attacker already has elevated privileged access of some sort.
I don't love this reasoning. 1. Just because you have a weakness in one area doesn't mean you give up elsewhere, and 2. there are plenty of ways to recover a hash that don't require elevated privileges.

jp7189

Distinguished
Feb 21, 2012
2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.

Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.

2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you, 2FA is enforced onto users to gather private data on users.
This is backwards. We need to limit the use of passwords and rely more heavily on other factors. 4-digit all-numeral PINs are still considered secure on ATM cards because you must be in physical possession of the card. It's the physical possession of an item that makes it work so well. Smart cards, Yubikeys, or software that can verify physical possession of a device like a mobile phone or laptop are very good factors. Combining that with a simple PIN that works on only that one physical device is a pretty good way to protect users; it's simple for them to remember and useless to a remote attacker. This is a better approach than amping up password length and complexity.
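The "PIN plus possession" design argued for in the post above, as an added example that is not code from the thread or from any vendor's product. It assumes a per-device 256-bit secret shared with the server at enrolment, a PBKDF2-wrapped copy of that secret held on the device, a local retry budget of five PIN attempts (as a smart card would enforce), and a challenge-response login; the function names, the work factor and the PIN values are illustrative.

```python
# Added example: a possession factor (a per-device secret) unlocked by a short PIN,
# used in a challenge-response login. Not code from the thread or from any vendor.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor for deriving the PIN wrap key
LOCAL_PIN_RETRIES = 5     # assumed retry budget, as a smart card would enforce


def enrol(pin: str):
    """Generate a 256-bit device secret, hand the server a copy, and store it on the
    device wrapped under a key derived from the PIN. Returns (server_record, device_blob)."""
    device_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    wrap_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    wrapped = bytes(a ^ b for a, b in zip(device_key, wrap_key))
    # Short tag so the device can tell a wrong PIN from a right one and count failures.
    check = hashlib.sha256(device_key).digest()[:8]
    server_record = {"device_key": device_key}
    device_blob = {"salt": salt, "wrapped": wrapped, "check": check, "failures": 0}
    return server_record, device_blob


def unlock(device_blob: dict, pin: str) -> bytes:
    """Recover the device secret from the blob using the PIN; enforce the retry budget."""
    if device_blob["failures"] >= LOCAL_PIN_RETRIES:
        raise PermissionError("device locked")
    wrap_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), device_blob["salt"],
                                   PBKDF2_ROUNDS, dklen=32)
    candidate = bytes(a ^ b for a, b in zip(device_blob["wrapped"], wrap_key))
    tag = hashlib.sha256(candidate).digest()[:8]
    if not hmac.compare_digest(tag, device_blob["check"]):
        device_blob["failures"] += 1
        raise PermissionError("wrong PIN")
    device_blob["failures"] = 0
    return candidate


def device_respond(device_blob: dict, pin: str, challenge: bytes) -> bytes:
    """Device side: unlock the secret with the PIN and MAC the server's challenge."""
    return hmac.new(unlock(device_blob, pin), challenge, "sha256").digest()


def server_verify(server_record: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the MAC with the enrolled secret and compare in constant time."""
    expected = hmac.new(server_record["device_key"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def login(server_record: dict, device_blob: dict, pin: str) -> bool:
    """Full exchange: server issues a fresh random challenge, device answers, server checks."""
    challenge = secrets.token_bytes(32)
    try:
        response = device_respond(device_blob, pin, challenge)
    except PermissionError:
        return False
    return server_verify(server_record, challenge, response)


def remote_attacker_with_pin_only(server_record: dict, pin: str) -> bool:
    """An attacker who phished the PIN but holds no device blob has nothing to MAC with;
    using the PIN itself as the key is the best they can do, and it fails."""
    challenge = secrets.token_bytes(32)
    response = hmac.new(pin.encode(), challenge, "sha256").digest()
    return server_verify(server_record, challenge, response)


if __name__ == "__main__":
    server, device = enrol("1234")
    print("owner with device + PIN:", login(server, device, "1234"))
    print("owner with wrong PIN:   ", login(server, device, "0000"))
    print("attacker with PIN only: ", remote_attacker_with_pin_only(server, "1234"))
```

The PIN never leaves the device and is useless without the wrapped secret, which is the property the post is after. Two caveats a practitioner would add: a stolen software blob can be attacked offline over the 10,000 possible PINs (one PBKDF2 derivation per guess), so the retry counter only means something when blob and counter live in a tamper-resistant element such as a smart card or YubiKey; and the server here holds a shared secret, whereas an asymmetric design (FIDO2/WebAuthn keeps only a public key on the server) removes the server-side secret as a cracking target altogether.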

InvalidError

Titan
Moderator
I don't love this reasoning. 1. Just because you have a weakness in one area doesn't mean you give up elsewhere, and 2. there are plenty of ways to recover a hash that don't require elevated privileges.
If someone got your password file once, you need to fix that on the most urgent basis since no amount of password changes will keep you safe until you find out how it got out and stop it from happening again.

jp7189

Distinguished
Feb 21, 2012
Given a clueless user who would follow such a link, nothing will save them,
2FA or no 2FA.

2FA can prevent standard brute forcing of the password.
There are some really great systems out there that work pretty well with just about anyone. On the consumer side, just look at Microsoft's and Google's consumer apps. They use an authenticator on the phone that requires you to choose/enter the number displayed on the login screen. Easy for users to use and hard to circumvent. It's a major step up from the single "approve" button and light years ahead of email/text verification.

On the commercial side, physical keys like smart cards and Yubikeys for example are very good at protecting even the "toughest" users.

jp7189

Distinguished
Feb 21, 2012
If someone got your password file once, you need to fix that on the most urgent basis since no amount of password changes will keep you safe until you find out how it got out and stop it from happening again.
I agree, but it's not always easy to recognize when a password has been compromised.
Apr 12, 2023
You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I were in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5 min after three consecutive failed attempts.
Exactly! The fact that it "broke" a 4-character password of all digits "instantly" means it can count from 0000 to 9999 very fast.
Not real-world applicable at all.
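The throttle proposed earlier in the thread (one attempt per 10 seconds per IP, a five-minute lockout after three consecutive failures) and the 0000-9999 point made just above, as one added example that is not code from the thread. The policy numbers are the poster's; the implementation, the fake clock, the attacker IP and the idea of an attacker who waits exactly as long as the throttle demands are assumptions made here to put a number on "not real-world applicable".

```python
# Added example: the per-IP throttle described in the thread (one attempt per 10 s,
# five-minute lockout after three consecutive failures), plus a simulation of how long
# an attacker who obeys it optimally needs to exhaust a 4-digit all-numeral PIN.
# Not code from the thread; the policy numbers are the poster's, the rest is assumed.
import math
from dataclasses import dataclass

MIN_INTERVAL = 10.0      # seconds between evaluated attempts from one IP
MAX_CONSECUTIVE = 3      # failures before lockout
LOCKOUT = 300.0          # seconds


@dataclass
class IpState:
    last_attempt: float = -math.inf
    consecutive_failures: int = 0
    locked_until: float = -math.inf


class LoginThrottle:
    def __init__(self):
        self.state: dict[str, IpState] = {}

    def attempt(self, ip: str, now: float, password_ok: bool) -> str:
        """Evaluate one login attempt. Returns 'ok', 'bad_password', 'too_fast' or 'locked'.
        'too_fast' and 'locked' answers are given without checking the password, so a
        throttled attempt leaks nothing about whether the guess was right."""
        st = self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            return "locked"
        if now - st.last_attempt < MIN_INTERVAL:
            return "too_fast"
        st.last_attempt = now
        if password_ok:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE:
            st.consecutive_failures = 0
            st.locked_until = now + LOCKOUT
        return "bad_password"


def simulate_pin_brute_force(secret_pin: str, ip: str = "198.51.100.7"):
    """Attacker from one IP (a constructed documentation address) tries 0000..9999 in
    order, waiting exactly as long as the throttle demands and no longer.
    Returns (evaluated_attempts, seconds_until_success)."""
    throttle = LoginThrottle()
    now = 0.0
    attempts = 0
    for guess in range(10_000):
        while True:
            result = throttle.attempt(ip, now, f"{guess:04d}" == secret_pin)
            if result == "ok":
                return attempts + 1, now
            if result == "bad_password":
                attempts += 1
                now += MIN_INTERVAL
                break
            st = throttle.state[ip]
            # Skip straight to the next moment the throttle would accept an attempt.
            now = st.locked_until if result == "locked" else st.last_attempt + MIN_INTERVAL
    raise AssertionError("unreachable: every 4-digit PIN was tried")


if __name__ == "__main__":
    for pin in ("0000", "4321", "9999"):
        n, secs = simulate_pin_brute_force(pin)
        print(f"PIN {pin}: found after {n} attempts, {secs / 86400:.1f} days")
```

Under this policy the throttle admits three guesses per 320-second cycle, so the worst-case PIN (9999) falls only after 10,000 evaluated attempts and 1,066,560 seconds, about 12.3 days, against a fraction of a second for the same 10,000 candidates run offline against a leaked hash. That is the distinction the thread is circling: the article's "instant" figures describe offline cracking of hashes, and an online throttle does nothing for that case (the hash has to be kept from leaking, as other replies say) while making online guessing impractical. Two caveats: a per-IP lockout is trivially spread across many source addresses, so a per-account failure counter or a second factor is still needed, and a per-account lockout is in turn a denial-of-service lever that an attacker can pull against the legitimate user, which is the objection raised in the thread about users who forget passwords.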