/g/ - Technology
File: dumbo.jpg (74 KB, 500x500)
I know I'm a dumbass and this is probably a worthless question, but I do wonder how systematic they really are. it does sound like they simply try something like, say, 3 letters long, going from "aaa" to "aaz" then "aba" and repeat, until all "zzy" or all symbols, then moving on to 4 characters long, then 5, then 6, in that pattern.
but do they really work that way? is it that systematic?

reason I'm asking is because security tips always just say "change your passwords often so that you don't get brute-force attacked", but my dumbass is sitting here wondering whether or not only changing my (example) password from "melongarden2025" to be "melongarden2026" once a year would do little to nothing because it's right next in the systematical order.
or whether or not having a password change from "aaaaaaa" to "bbbbbbb" would be less safe than, say, "zzzzzzz" due to their distance between each other in the alphabet order and how long it will take for the bot to go from one guess to the other.

TL;DR in what order do these things try guesses, and how should I change my passwords to work around it? should all my passwords start with Z from now on? should all password changes be wildly different from what it previously was?
>>
You’ve got it mixed up a bit. Changing passwords doesn’t help against brute force attacks. It protects you from password reuse, i.e. yourself.
Sometimes password databases get leaked and if you use the password on some other service, you’re vulnerable.
No-one does pure bruteforce attacks as you describe, instead they are usually dictionary attacks of most common passwords and variants of them. Also no-one targets your personal account unless they have reason to believe they know your password, for example from a leaked dataset from another site containing your email/username and password.
Instead they try to target the service itself to capture the database to do exactly what I described or what ever the fuck they want.
>>
>>107700153
bruteforce attacks are irrelevant and non existent in the age of captcha and rate limits
who gives a fuck
>>
>>107700153
the first two answers cover most of the scenarios.
for actual hash-cracking, length is the only thing that matters. anything over 12 requires cluster rental, and nobody is throwing that many resources at getting your pornhub password.
>>
>>107700371
fair point, I should've figured

>>107700343
>don't re-use passwords due to potential leaks on one or more service
yep, fair enough, I guess that's the only important thing left, but I do wonder about partial reuse and whether or not a leak in one place will just get blindly mass-re-tried on other services, then.

if I have, say, my Twitter password be something like "MelonGardenTwitterPass", and then have my LinkedIn be "MelonGardenLinkedInPass", which is basically re-using the same phrase as my password in multiple places, but only adding platform-specific differences that are tied to the service name itself so that it's still easy to remember.. is that fine? I know any individual hacker with half a brain could know how I'm working and adapt to guess my credentials in other places, obviously. but what often happens after a leak, then? surely if they get their hands on thousands of entries in an entire dataset of emails and passwords on a service, they will just blindly try the bulk of it elsewhere without changing it up or scrutinizing how a single user makes their passwords?
>>
File: password_strength_2x.png (209 KB, 1480x1202)
>>107700153
>but do they really work that way?
They *can* do.

> is it that systematic?
Pretty much.
The precise system deployed probably depends on the attacker. Some might choose to start at 'ZZZ'. Some might have additional data that augments the sequence, say a list of leaked passwords that would indicate which combinations are more common...

>security tips always just say "change your passwords often so that you don't get brute-force attacked"
Now prove to me you are not about to rotate it to their next guess.
Your 'best' bet here is to use something that would be improbable to guess, and unfeasible to brute force. I tend to reference randal here, so picrel.
'Common patterns' like {pet}{food}{year} will increase a 'raw brute force', but in this age of leaking data everywhere a touch of OSINT *could* feasibly fill out some question in a social engineering toolkit and output some likely combinations. Reducing number of guesses.

>in what order do these things try guesses
Depends. Is the list pre-existing or is it being generated on demand?
Anywhere 'sensible' takes measures to prevent brute force, so a lot of this happens via a botnet. You can try 1 password then trigger protection with one machine, 10,000 machines try 10,000 passwords before triggering. Sensibly, they wouldn't all be starting the attack on 'AAA'. It's reasonable to expect 'AAA' 'GGG' 'NNN' and 'ZZZ' all to be attempted at the same time, from separate places, as part of the same run...

>how should I change my passwords to work around it?
Picrel.

> should all my passwords start with Z from now on?
Why not start with a character that doesn't actually appear on the keyboard?

>should all password changes be wildly different from what it previously was?
Only if the previous password was discovered. Each should have its own unique one anyway.
Use a password manager you can trust, like KeePassXC, then realistically you only actually need to remember one strong password and the machine handles the rest
>>
>>107700371
>and non existent in the age of captcha and rate limits
Evidence strongly suggests otherwise.
>>
>>107700444
huh. makes sense, good to know then. I do vaguely remember seeing that, and kept my passwords long for a good while since then. sadly some of these goddamn services put a character limit on password length sometimes to save up on storage. doesn't help that the platform itself asks for specific things like "your password must contain a number or symbol" on account creation. I know it makes everyone add on stuff to their passwords to make it more unique, but that removes quite a bit out of the pool of possible guesses when it's a hard rule, surely?
>>
>>107700511
>services put a character limit on password length sometimes to save up on storage.
If they have issues with storage that mean a few bytes of password are unfeasible, they likely have bigger things to worry about.

Additionally, they shouldn't actually be storing your password... Common practice is to hash the password, and store the hash. Depending on hash methodology, they should all have the same length entries regardless of the input pass...

>doesn't help that the platform itself asks for specific things
Long proven untrue to enhance security. Strongly indicates that platform doesn't take security seriously when it's parroting best-practices from the late 90's.

>but that removes quite a bit out of the pool of possible guesses when it's a hard rule, surely?
The opposite, in fact.
I can instantly eliminate all combinations that *don't* feature that pattern....
>>
It's twofold.
You are thinking about brute force wrong.
No one brute forces some login prompt. Instead, websites get hacked and databases get leaked.
In the databases are your username, email, and a hash of your password.
The hash is one way, you take your password and it one way converts it to a string of like 32 or so random characters using a math equation.
Every time you type the password, it gets put into an equation, and then the result is compared with the value in the database.

So you can just brute force that, generate and hash a billion passwords a second and compare them with the known hash until you get a match.
Literally multiple billion times a second for some of the common hashes.

But changing your password often and using different passwords for every service is the best solution, because once one gets leaked, it should be changed, regardless of how difficult it is. Completely just protects from immediate access or delays from the leak being announced.
Unfortunately when a company gets "hacked", depending on the data sensitivity, they have either 6 months to report it or they don't even have to report it. So that's where changing it often and keeping complex passwords comes in.
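The offline attack the post above describes, as an added example that is not part of the thread: the "billions of guesses a second" figure is a property of the hash the leaked site chose, not of any login form. Everything here is constructed for the example: a leaked record that holds either a bare SHA-256 of the password (fast, the wrong way) or a PBKDF2-HMAC-SHA256 digest with a random salt and 600,000 iterations (slow, the right way), a five-word list standing in for a real dictionary, and the year/capitalisation mutations.

```python
"""Added example (not from the thread): why the "billions of guesses a second"
figure is a property of the hash, not of the login form.

Assumptions, all constructed for this example: a leaked record holds either a
bare SHA-256 of the password (fast, the wrong way) or a PBKDF2-HMAC-SHA256
digest with a random salt and 600,000 iterations (slow, the right way). The
five-word list and the year/capitalisation mutations stand in for a real
dictionary attack."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Iterator, Optional

# Constructed mini wordlist; real attacks use millions of leaked passwords.
WORDLIST = ["password", "letmein", "melongarden", "dragon", "qwerty"]
YEARS = range(2020, 2027)

def candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each base word plus cheap mutations
    (capitalised, and with a recent year appended)."""
    for w in words:
        yield w
        yield w.capitalize()
        for year in YEARS:
            yield f"{w}{year}"
            yield f"{w.capitalize()}{year}"

def sha256_store(password: str, salt: bytes) -> bytes:
    """Fast, unsalted hash: what the post above describes and what not to use.
    The salt parameter is ignored on purpose to show the anti-pattern."""
    return hashlib.sha256(password.encode()).digest()

PBKDF2_ITERS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

def pbkdf2_store(password: str, salt: bytes) -> bytes:
    """Slow, salted KDF: every guess costs the attacker 600k HMAC calls,
    and the per-record salt stops precomputed (rainbow) tables from helping."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def crack(stored: bytes, salt: bytes, hash_fn: Callable[[str, bytes], bytes],
          words: Iterable[str]) -> tuple[Optional[str], int]:
    """Offline attack: hash each candidate and compare with the leaked digest.
    Returns (recovered password or None, number of guesses hashed)."""
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        if hmac.compare_digest(hash_fn(cand, salt), stored):
            return cand, guesses
    return None, guesses

if __name__ == "__main__":
    salt = os.urandom(16)
    victim = "Melongarden2025"          # constructed; the 46th candidate generated
    for name, fn in (("sha256", sha256_store), ("pbkdf2", pbkdf2_store)):
        leaked = fn(victim, salt)
        t0 = time.perf_counter()
        found, n = crack(leaked, salt, fn, WORDLIST)
        dt = time.perf_counter() - t0
        print(f"{name:7s} recovered={found!r} after {n} guesses in {dt:.3f}s "
              f"({n / dt:,.0f} guesses/s on one core)")
```

Both runs recover the same password after the same 46 guesses; the difference is that the SHA-256 run finishes in microseconds while the PBKDF2 run takes seconds for the same tiny list, and that gap is what stands between a leaked table and "a billion guesses a second". A GPU widens the gap further for the fast hash, which is why sites should use a deliberately slow, salted KDF (PBKDF2, bcrypt, scrypt or Argon2) rather than a bare digest.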
>>
>>107700153
Here's the thing. They don't work like that. How it actually works modernly is there's giant files of millions of passwords. What hackers do is they sort by most commonly used and run the brute force. The reason security people advice you to change your password more often is because once one of your accounts is hacked it'll be posted online in some hacker discord or whatever. Most general hackers (indians) will take your email and password and try and use it to login to some other site like coinbase, or paypal, or whatever. So the actual reason it's recommended you change your password is because once your information is leaked it'll be associated with a certain hacked password and changing it mitigates all the bots that try to auto login to shit with it.

https://haveibeenpwned.com/Passwords
>>
>>107700589
>No one brute forces some login prompt
Evidence suggests otherwise

>websites get hacked and databases get leaked.
And these details are augmented to lists to attempt.

>generate and hash a billion passwords a second and compare them with the known hash until you get a match.
Or just use a rainbow table...

>But changing your password often and using different passwords for every service is the best solution,
Untrue.
Using separate passwords is good security. Rotating frequently, not so. It's been proven to cause difficulties in recollection and demonstrates no evidence that what it's being rotated to is any more secure than what it's rotated from...

>So that's where changing it often and keeping complex passwords comes in.
Just unique should catch that.
>>
>>107700589
>>107700641
what if the difference is, again, literally only the service name? like >>107700422 ... is that stupid but good enough to protect against one place being leaked, since, again, most hackers might just be trying the same stuff on different places as-is without changing it whatsoever?
>>
>>107700542
>I can instantly eliminate all combinations that *don't* feature that pattern....

and yeah that's my point. the sites are dumb when they ask that because they're doing half of the hacker's shitty work for them. I just think it should be optional tips; instead of an enforced, hard, rule. because otherwise, now they have less tries they need to do. as you said, eliminated possibilities
>>
>>107700682
>most hackers might just be trying the same stuff on different places as-is without changing it whatsoever?
doubtless that occurs.

>literally only the service name?
Strikes me as common enough to be able to pattern out... and why the service shouldn't feature in the password/passphrase. It should be entirely random...
But such a rotation would be 'better' than no rotation...
>>
File: bullshit.jpg (47 KB, 720x439)
how are you even going to bruteforce an API? Yeah just spam 9999999999999999 api calls without anyone noticing.
>>
>>107700444
Except that picture is BS because it assumes information that an attacker does not have.
>>
>>107700764
>how are you even going to bruteforce an API?
Slowly.
From a lot of different places to up the attack rate...
>>
>>107700764
>>107700780
Luckily, there's a lot of winXP systems in the field that give a lot of residential ranges in 'prime' areas that make blanket blocking unfeasible...
Win10 botnet populations are growing rapidly now too...
>>
>>107700784
okay but that's pretty gentleforce
>>
File: 1766803705315504.jpg (54 KB, 976x850)
>she fell for the password entropy meme
all that matters is password length and that you use a different password for each site. if someone knows the exact length of your password and the logic used to construct it then you are already raped
>>
>>107700797
You underestimate the scale at which different directions are applied...
>>
>>107700422
>is that fine?
No.

It is likely they will do a find-and-replace on any passwords containing "Twitter".
Same with changing numbers: they change any numbers and increment/decrement them so if you used "password7" they will also try "password5", "password6", "password8" and "password9".

There is specialized software that does all sorts of mutations on password lists.
I haven't kept up but I'll bet modern versions use AI to look for any common mutations people make in their passwords.

t. used to crack porn sites when I was a teenager.
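The "find-and-replace the service name" and "increment the number" mutations described in the post above, written out as an added example that is not part of the thread and not any real cracker's rule file (hashcat and John the Ripper ship far larger rule sets in this spirit). The service list, the rule set and the "leaked" sample passwords are constructed for the example; it also answers the earlier question about whether `MelonGardenTwitterPass` protects `MelonGardenLinkedInPass`.

```python
"""Added example (not from the thread): the service-name swap and number
bump mutations as a tiny rule engine. SERVICES, the rules and the sample
leaked passwords are all constructed for this example."""
import re
from typing import Iterator

# Constructed: services an attacker would try a leaked credential against.
SERVICES = ["Twitter", "LinkedIn", "Facebook", "Github", "Coinbase", "Paypal"]

def swap_service_name(pw: str) -> Iterator[str]:
    """If the password embeds one service name, emit it with every other one."""
    for src in SERVICES:
        if src.lower() in pw.lower():
            pattern = re.compile(re.escape(src), re.IGNORECASE)
            for dst in SERVICES:
                if dst != src:
                    yield pattern.sub(dst, pw)

def bump_trailing_number(pw: str, radius: int = 2) -> Iterator[str]:
    """'password7' -> password5, password6, password8, password9;
    'melongarden2025' -> 2023, 2024, 2026, 2027. Zero padding is kept."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return
    stem, num = pw[: m.start()], m.group(1)
    for delta in range(-radius, radius + 1):
        new = int(num) + delta
        if delta == 0 or new < 0:
            continue
        yield f"{stem}{new:0{len(num)}d}"

def toggle_case(pw: str) -> Iterator[str]:
    for variant in (pw.lower(), pw.upper(), pw.capitalize()):
        if variant != pw:
            yield variant

RULES = (swap_service_name, bump_trailing_number, toggle_case)

def mutate(leaked: str, depth: int = 2) -> list[str]:
    """Apply every rule up to `depth` times, chaining rules on each other.
    Returns the unique candidates, including the leaked value itself."""
    seen = {leaked}
    frontier = [leaked]
    for _ in range(depth):
        nxt = []
        for pw in frontier:
            for rule in RULES:
                for cand in rule(pw):
                    if cand not in seen:
                        seen.add(cand)
                        nxt.append(cand)
        frontier = nxt
    return list(seen)

def would_be_guessed(leaked: str, target: str, depth: int = 2) -> bool:
    """Would a leak of `leaked` let these rules produce `target` elsewhere?"""
    return target in mutate(leaked, depth)

if __name__ == "__main__":
    # Constructed "leaked" passwords in the styles discussed in the thread.
    for leaked, target in [("MelonGardenTwitterPass", "MelonGardenLinkedInPass"),
                           ("melongarden2025", "melongarden2026"),
                           ("password7", "password9"),
                           ("MelonGardenTwitterPass", "correct horse battery staple")]:
        hit = would_be_guessed(leaked, target)
        print(f"{leaked!r:26} -> {target!r:32} guessed={hit} "
              f"({len(mutate(leaked))} candidates)")
```

The first three targets fall out of a single leaked value with a handful of candidates each, which is the whole cost of "reuse with a per-site tweak": the tweak is itself a rule. The unrelated random passphrase is not produced at any depth, which is the property a password manager gives you for free.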
>>
>>107700872
>use AI to look for any common mutations
It has been seen.
Also using AI to proactively seek exploits, tho mostly in the lab, and a few 'specialists', expect it to explode.

>used to crack porn sites when I was a teenager.
Half the time back then a simple directory traversal could yield more than an unlocked account...
>>
>>107700872
>>107700898
instead of stressing the last 2 neurons in your head larping you should check yourself into a retirement home. you can tell the immigrant workers about how you hacked the planet in anonymous 30 years ago
>>
>>107700542
>platform doesn't take security seriously when it's parroting best-practices from the late 90's.

Unfortunately the vast majority of platforms do that.
Specifically they haven't read https://pages.nist.gov/800-63-4/sp800-63b.html#password
>>
>>107700764
Yeah just ask meta, they were resolving 100M API calls per hour from a single IP recently.
>>
>>107700872
welp, fuck, back to the drawing board and time to update my passwords then. I should've expected hackers to have Find-and-replace of some sort in their tool belt. guess that's on me for thinking otherwise.
>>
>>107700959
Touched a nerve have I?
>>
>>107700991
Just use a password manager.
It is by far the most secure and easiest to use method of organizing your password.
>>
>>107700959
>check yourself into a retirement home
I retired ages ago, chump. While I still live in my own home. Y'can do that when you're good at what you do.

>>107700981
>Unfortunately the vast majority of platforms do that.
Worse, they fail to offer legitimately secure options, like X.509 .... That could have been 'normalised' decades ago...

>>107700991
>I should've expected hackers to have Find-and-replace of some sort in their tool belt
Yup. Ain't a new toy.
>>
>>107700641
>The reason security people advice you to change your password more often is because
...because they don't know what they are doing and should be sent back to India.

From NIST sp800-63b (note rule #6):

Password Verifiers
The following requirements apply to passwords.

1. Verifiers and CSPs SHALL require passwords that are used as a single-factor authentication mechanism to be a minimum of 15 characters in length. Verifiers and CSPs MAY allow passwords that are only used as part of multi-factor authentication processes to be shorter but SHALL require them to be a minimum of eight characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint (e.g., a reminder of how the password was created) that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
9. Verifiers SHALL request the password to be provided in full (not a subset of it) and SHALL verify the entire submitted password (e.g., not truncate it).
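Rules 1 to 5 above as a verifier-side check, next to the late-90s composition policy the thread complains about, plus the arithmetic behind the earlier point that a composition rule lets an attacker discard every candidate that does not satisfy it. This is an added example, not code from the thread and not NIST's; the limits, error messages and sample passwords are constructed for it, and the NFKC normalisation step is taken from 800-63B's separate Unicode guidance rather than from the rules quoted here.

```python
"""Added example (not from the thread and not NIST's code): SP 800-63B rules
1-5 as a verifier check beside a legacy composition policy, and the key-space
effect of a composition rule. Limits, messages and samples are constructed."""
import string
import unicodedata

# --- the policy rule 5 forbids: composition requirements ---------------------
LEGACY_MIN, LEGACY_MAX = 8, 16

def legacy_policy_errors(pw: str) -> list[str]:
    errs = []
    if not LEGACY_MIN <= len(pw) <= LEGACY_MAX:
        errs.append(f"length must be {LEGACY_MIN}-{LEGACY_MAX}")
    if not any(c.isdigit() for c in pw):
        errs.append("must contain a digit")
    if not any(c in string.punctuation for c in pw):
        errs.append("must contain a symbol")
    if not any(c.isupper() for c in pw):
        errs.append("must contain an uppercase letter")
    return errs

# --- rules 1-5 as quoted -------------------------------------------------------
NIST_MIN_SINGLE_FACTOR = 15   # rule 1
NIST_MIN_MFA = 8              # rule 1, password is one factor of several
NIST_MAX = 64                 # rule 2 says "at least 64"; exactly 64 used here

def nist_policy_errors(pw: str, single_factor: bool = True) -> list[str]:
    """Length only (rules 1-2), every printable character and the space
    accepted (rules 3-4), no composition rules (rule 5). Length is counted in
    Unicode code points after NFKC normalisation, which 800-63B recommends
    elsewhere so that composed and decomposed input of the same text match."""
    normalised = unicodedata.normalize("NFKC", pw)
    errs = []
    minimum = NIST_MIN_SINGLE_FACTOR if single_factor else NIST_MIN_MFA
    if len(normalised) < minimum:
        errs.append(f"at least {minimum} characters required")
    if len(normalised) > NIST_MAX:
        errs.append(f"at most {NIST_MAX} characters accepted")
    # Only control characters are rejected; letters, digits, punctuation,
    # spaces and non-ASCII all count as ordinary characters.
    if any(unicodedata.category(c).startswith("C") for c in normalised):
        errs.append("control characters are not allowed")
    return errs

# --- what a composition rule does to the attacker's search space ---------------
def keyspace(length: int, alphabet: int, required_class: int = 0) -> int:
    """Candidates an attacker must cover at a fixed length. Requiring at least
    one character from a class of `required_class` symbols removes every string
    containing none of them: (alphabet - required_class) ** length."""
    total = alphabet ** length
    if required_class:
        total -= (alphabet - required_class) ** length
    return total

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "correct horse battery staple", "cafe\u0301" * 3]:
        print(f"{pw!r:32} legacy={legacy_policy_errors(pw)} nist={nist_policy_errors(pw)}")
    free = keyspace(8, 36)          # [a-z0-9], no rule
    forced = keyspace(8, 36, 10)    # "must contain a digit"
    print(f"8-char [a-z0-9]: {free:,} candidates; the rule removes {1 - forced / free:.1%}")
```

Two things to notice. The legacy policy accepts `P@ssw0rd`, which is in every leaked-password list, and rejects a 28-character passphrase; the 800-63B check does the reverse. And the key-space figure shows the rule itself only trims about 7% of the 8-character `[a-z0-9]` space; the real loss is that people satisfy "must contain a digit" the same predictable way (one digit at the end, one capital at the front), which is exactly what the mutation rules of a cracker enumerate first.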
>>
>>107700153
Any sensible website would temporarily ban you from attempting to log in after X number of failed attempts so brute force attacks are useless and nothing you need to worry about
>>
>>107701052
>in after X number of failed attempts
Gee. It's a good thing there isn't a plethora of stupid fucknuckles that take regularly exploited things like WinXP and IoT online to join the botnet so they can take lots of swings from lots of places at the same time or your entire premise would be made to look as flaccid as your penis.
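The botnet point made here and earlier in the thread (10,000 machines making one guess each stay under any per-IP lockout), seen from the defender's logs, as an added example that is not part of the thread. A single-source brute force trips the failed-attempt counter the post above relies on; a distributed password spray is built to stay under it and only shows up when you aggregate across accounts and sources. The log format, the thresholds and the log excerpt are all constructed for this example.

```python
"""Added example (not from the thread): telling a single-source brute force
from a distributed password spray in authentication logs. Log format,
thresholds and the excerpt are constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    ip: str

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth: (FAIL|OK) user=(\S+) ip=(\S+)$")

# Constructed excerpt: one noisy brute force (alice), one quiet spray across
# six accounts from six addresses that lands on frank, and a user who just
# mistyped twice (zoe).
SAMPLE_LOG = """\
2025-01-10 08:00:01 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:03 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:06 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:09 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:12 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:15 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:00:18 auth: FAIL user=alice ip=203.0.113.5
2025-01-10 08:10:00 auth: FAIL user=bob ip=198.51.100.11
2025-01-10 08:12:30 auth: FAIL user=carol ip=198.51.100.12
2025-01-10 08:14:10 auth: FAIL user=dave ip=198.51.100.13
2025-01-10 08:16:45 auth: FAIL user=erin ip=198.51.100.14
2025-01-10 08:18:20 auth: FAIL user=frank ip=198.51.100.15
2025-01-10 08:20:05 auth: FAIL user=grace ip=198.51.100.16
2025-01-10 08:21:05 auth: OK user=frank ip=198.51.100.15
2025-01-10 08:46:10 auth: FAIL user=zoe ip=192.0.2.7
2025-01-10 08:46:25 auth: FAIL user=zoe ip=192.0.2.7
2025-01-10 08:46:40 auth: OK user=zoe ip=192.0.2.7
"""

def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # skip unrelated lines instead of crashing on them
            events.append(Event(datetime.fromisoformat(m[1]), m[2] == "OK", m[3], m[4]))
    return events

def bucket(ts: datetime, minutes: int) -> datetime:
    """Start of the fixed window containing ts (08:12:30, 5 -> 08:10:00)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)

def brute_force(events, window_min=5, threshold=5):
    """What lockout logic sees: many failures, one source, one account."""
    c = Counter((bucket(e.ts, window_min), e.ip, e.user) for e in events if not e.ok)
    return [{"window": w, "ip": ip, "user": u, "failures": n}
            for (w, ip, u), n in sorted(c.items()) if n >= threshold]

def password_spray(events, window_min=30, min_accounts=5, max_per_account=3, min_sources=5):
    """Many accounts, few failures each, many sources: every (ip, user) pair
    stays below lockout, so the signal is the width of the attempt, not its depth."""
    by_window = defaultdict(list)
    for e in events:
        by_window[bucket(e.ts, window_min)].append(e)
    findings = []
    for w, evs in sorted(by_window.items()):
        fails = [e for e in evs if not e.ok]
        per_user = Counter(e.user for e in fails)
        quiet = {u for u, n in per_user.items() if n <= max_per_account}
        sources = {e.ip for e in fails if e.user in quiet}
        if len(quiet) >= min_accounts and len(sources) >= min_sources:
            # A success on a sprayed account from a spraying address is the
            # event to page on: one of the guesses worked.
            takeovers = sorted({e.user for e in evs
                                if e.ok and e.user in quiet and e.ip in sources})
            findings.append({"window": w, "accounts": len(quiet),
                             "sources": len(sources), "possible_takeovers": takeovers})
    return findings

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", brute_force(evs))
    print("spray:", password_spray(evs))
```

On the sample, the per-(source, account) counter flags only alice's attacker, while each sprayed account has a single failure and would never lock; the spray is visible only as six accounts failing from six addresses in one window, and the success on frank from one of those addresses is the item that actually matters. Thresholds here are illustrative; tune them to the real login volume and pair the spray detection with MFA, since rate limits alone do not stop this pattern.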
>>
>>107700343
they won't brute on websites but malware may on your pc to get admin.
>>
>>107700153
You can think of your password as armor and "brute force" as a .22 bullet.
A simple dictionary attack is like 9mm.
And a targeted personal attack where they will collect all your personal information and hobbies, names of loved ones and pets etc. is like a 30-06.

If your "armor" can't stop a .22 it can't stop a 9mm or 30-06 either.
If you can't even stop that you are absolutely fucked in the real world where nobody uses anything less powerful than 9mm.
>>
>>107701092
>they wont brute on websites
Evidence suggests otherwise.

>malware may on your pc to get admin.
A legitimate threat vector. Unfortunately, most users tend to go out of their way to enable this so there isn't much of a 'good' solution other than restricting what the user can do, commonly with their own hardware, which should be viewed as unacceptable...

However. A sensible structure *should* limit the ability of malware to traverse beyond the scope of the currently logged in user. Again. The user commonly goes out of their way to circumvent this, too.
>>
>>107701115
>Evidence suggests otherwise.
OK, show us the "evidence".......
>>
>>107700444
not only does this totally misunderstand brute forcing/dictionary attack, but it also explains entropy wrong and assumes "hackers" are manually guessing passwords on top of that. randall is a fucking hack who doesn't understand the water cycle
>>
>>107701119
If you'd ever read the logs to any internet connected system, you really won't take long to see some.

But as you're trying so hard to signal your knowledge deficits, and retardation, allow me to do your incredibly easy google search for you.

For a generic overview, try: https://www.spiceworks.com/security/what-is-botnet/#_003

For a specific example: https://www.cpomagazine.com/cyber-security/microsoft-365-accounts-being-hit-with-hard-to-detect-wave-of-password-spraying-attacks/
>>
>>107701130
>and assumes "hackers" are manually guessing passwords
at a rate of 1000/second?
I've been accused of sounding like a machine gun when I'm at the keyboard, but not even I'm that fast....

The core tenets of his posit stand true.
>>
>>107700153
>"change your passwords often so that you don't get brute-force attacked"
This is bullshit.