THIS RIGHT HERE.This will of course be a problem for encrypted local files (like partitions or password databases etc.) unless access can somehow be forced theough th eapplication that created the encrypted file.
What I don't understand his why things like Fail2Ban or at least forced delays between retries aren't more common than they are.
Heck, by forcing even a single second between password retries you can all but eliminate the problem of brute force password attempts, and it is stupid simple to implement. It ought to be a requirement for all things that require a password.
The issue is when they get a copy of the hashed user/password list, like the old passwd file on linux systems, or a database dump of the user table.Heck, by forcing even a single second between password retries you can all but eliminate the problem of brute force password attempts, and it is stupid simple to implement. It ought to be a requirement for all things that require a password.
If you have the table with all of the passwords encrypted, you're not cracking every one. You're running them via a set of known ciphers to determin what the encryption key is, THEN you decrypt them all in mass. That's actually the bigger problem with simple passwords. That simple password is FAR easier to verfiy than what looks like a hash key as a password. THAT is why they don't want people using simple word passwords even if horseboatcarcat is harder for a machine to decrypt. It's about discovering the key that is the issue.The issue is when they get a copy of the hashed user/password list, like the old passwd file on linux systems, or a database dump of the user table.
Yeah, the passwords are all hashed and crypto-whatevered, but you bypass all the other security features and can just run brute force on them all day long.