News Nvidia RTX 5090 can crack an 8-digit passcode in just 3 hours

Brute forcing passwords is a game for academics and novices; nobody does this in the real world.

The reason is that the attacker does not know the complexity and therefore the bits of entropy they need to overcome. Because of that, they need to attempt all possibilities against maximum entropy, which is a fool's errand. Other attack vectors like social engineering and spear phishing yield faster and more consistent results.
 
This article is about offline password cracking. If you're hitting a live service you won't even need a GPU, regardless of whether accounts get locked.
What are examples of offline passwords? I thought even non-internet connected devices had a number of attempts limit before time limited locks are enabled.
This is copying a whole corpus of passwords from somewhere, and possibly the hash, and decrypting against that.


An 'encrypted' pwd of ^%$&^*$#(* decrypts out to "Password00001".
 
TL;DR? They're decoding hashes, not attempting to enter the passwords.
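The distinction drawn in the posts above, as an added example that is not from any participant in this thread: an attempt limit bounds guesses against a live login, but does nothing once the stored hash record has been copied, where only the key-derivation cost and the secret's entropy slow guessing. The class and function names, the 4-digit PIN and the lockout threshold are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200    # deliberately tiny so the demo runs quickly (assumption)
MAX_ATTEMPTS = 5    # assumed lockout threshold of the hypothetical service

def make_record(pin, iterations=ITERATIONS):
    """What a server stores: salt, cost parameter and PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(record, guess):
    cand = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                               record["salt"], record["iterations"])
    return hmac.compare_digest(cand, record["digest"])

class OnlineService:
    """Hypothetical live login that locks after MAX_ATTEMPTS failures."""
    def __init__(self, record):
        self.record, self.failures = record, 0

    def login(self, guess):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if verify(self.record, guess):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"

def four_digit_pins():
    return (f"{i:04d}" for i in range(10_000))

def online_guessing(service, candidates):
    """Number of guesses the service evaluated before locking or success."""
    evaluated = 0
    for guess in candidates:
        result = service.login(guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated

def offline_guessing(record, candidates):
    """With a copied record there is no counter: every candidate is checked."""
    tried = 0
    for tried, guess in enumerate(candidates, 1):
        if verify(record, guess):
            return guess, tried
    return None, tried
```

Raising `ITERATIONS` multiplies the cost of every offline guess, which is the only brake left once the record is out of the service's hands.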
That's why these clickbait article titles get so much attention. The more average person does not know that FIRST you must steal the encrypted password file and then you can attempt to crack it. So, like many of these articles, it assumes you have done the first step, and that might require physical access, like many of the so-called CPU hacks where you must have physical control of the device.
No need for physical access. Vulnerable systems are compromised over networks all the time and databases are sold cheaply online. We had a great example here in Australia in 2022. One of our largest telecommunications companies had an API exposed to the public internet that didn't require authentication and returned customer records, including the usual personal information, plus details from identity documents in some cases. There were potentially more than 9 million affected customers; that's about a third of the population. Forget about password hashes, this is the good stuff.