Quote:
|
Originally Posted by TheDoc
Hehe, yeah, personal accounts can be brute force attacked without much of a problem. Even more so when you guess a username on pennywize, and it tells you if it's active or not even if the pw is wrong. So then they just need to hammer the username for the pw combo.
Not hard when they have million-word dictionary files.
|
Actually it is very hard and you possibly have never tried it.
#1 If the word isn't in the dictionary it can't be brute-forced, since it isn't ever tried (it is not in the list).
#2 With a 3mb connection the best you will be able to do is about 80,000 an hour. If you DID try it that many times an hour, your list of 2000 proxies would begin to be blocked in about 20 minutes or so. At this speed it would take 12.5 hours to try 1,000,000 passwords... and that is per user...
Cracking websites is like stealing cars. If you can spend another 10 minutes to find one without a tracking system, steering wheel locking system or alarm, it is worth it to avoid 4 years in prison. If you can find a website that uses basic authentication and has a large pool of users it is better than a form based login to a site with 200. But if you know how to disable alarms and tracking systems it is like being able to just steal the password file. It is easier than spending 12.5 hours PER USERNAME....
If he had MULTIPLE users with VIP passes, then he was hacked.