Mineria:

This is how it works in AD environments etc., keep in mind that passwords are used for more important things than random websites, but anyway: Most of the websites where things get serious offer 2FA, plus that most of their owners always run with up-to-date security measures, then comes one-way encryption instead of storing everything in a database, salting and/or using 3rth party logins with authorization tokens. And you can enable things like x amounts of seconds between login retries, x amount of failed login retries before lockout and some other security measures on websites too. Only noobs have sites with hashed passwords these days.

All sites have the hashed pw's and the information to turn a plain text string that you typed in, into a hash - how do you think they authenticate you? It would normally be in a database, there's plenty of ways that hackers break into databases. Once in they do a database search to get all user names and password hash's, they take that and save it to a file. They then use that file of hashes and their 4090's to decript as many of the pw's as they can - which they do by one way encripting potential passwords and testing if it matches the hash. This isn't "random" websites either - everytime you hear of a data breach of some famous company assume the key thing hackers are looking to get out are the user name and password hashes.

Dribble:

All sites have the hashed pw's and the information to turn a plain text string that you typed in, into a hash - how do you think they authenticate you? It would normally be in a database, there's plenty of ways that hackers break into databases. Once in they do a database search to get all user names and password hash's, they take that and save it to a file. They then use that file of hashes and their 4090's to decript as many of the pw's as they can - which they do by one way encripting potential passwords and testing if it matches the hash. This isn't "random" websites either - everytime you hear of a data breach of some famous company assume the key thing hackers are looking to get out are the user name and password hashes.

Read up on one-way encryption, no, those passwords are not hashed nor stored in a database and this method is used for websites where security is taken seriously. One-way encryption prevents even the company's administrator to retrieve passwords! For those who still use databases there is the option to use password salting, good luck on guessing those random strings. As for those famous companies that are breached, they have noobs to handle their security, regardless of it being a hacker that breaks in or if it is done as an inside job.

Jason5551:

stop talking nonsense people, after 5 failed attempts on important apps or sites lock the account. the odds of 4090 getting the right password in first 5 attempts is highly unlikely.

Yes if you target only one account... But if you target a huge list of account you will get some, it's volume statistic... It's like the spam you sometime have in your mail: you will never read them of course. But the reason why they still do it is that some do it and they grab money from their victim.

Mineria:

One-way encryption prevents even the company's administrator to retrieve passwords!

With 1 way, even people that are NOT from the company can retrieve the company's administrator passwords (personal pro experience 🙂 )

Mineria:

Read up on one-way encryption, no, those passwords are not hashed nor stored in a database and this method is used for websites where security is taken seriously. One-way encryption prevents even the company's administrator to retrieve passwords! For those who still use databases there is the option to use password salting, good luck on guessing those random strings. As for those famous companies that are breached, they have noobs to handle their security, regardless of it being a hacker that breaks in or if it is done as an inside job.

I think it's still you that don't understand, hashing is one way encription. It means there is no way to decript something that has been encripted. That hash is stored and this method is used by pretty well all companies. The whole point of this thread is the use of gpu's to work out the plain text pw from a file full of one way encripted pw's that have been got from hacking some company. Explaining again, while you can only encript the pw, obviously if you know what the pw is and ecript it then you get the binary hashed value. This is how the site athenticates you - you type in the pw, it uses the encription (which is one way) to get the hashed value from the plain text you typed in and compares the hashed value for the pw you typed in too the one it has stored for you. If they match you are in. Gpu's crack this by encripting in the same way literally every possible 8 character string, as well as numerious other combinations based off a dictionary of words and standard replacement rules (eg. ! for 1). Each one of these billions of combinations generates a hash that they match against the hashes for pw's they got by hacking that company. If you get a match you now have the plain text pw even though it was one way encripted.

Dribble:

The whole point of this thread is the use of gpu's to work out the plain text pw from a file full of one way encripted pw's that have been got from hacking some company.

Yes! This is not about the kid down the street brute forcing your wifi or your netflix account.

For those who are interested, this is a great video, it's a few years old, but concepts haven't changed: [youtube=7U-RbOKanYs]

rl66:

With 1 way, even people that are NOT from the company can retrieve the company's administrator passwords (personal pro experience 🙂 )

Something is not done or updatet in line with best practices in such case.

Dribble:

I think it's still you that don't understand, hashing is one way encription. It means there is no way to decript something that has been encripted. That hash is stored and this method is used by pretty well all companies. The whole point of this thread is the use of gpu's to work out the plain text pw from a file full of one way encripted pw's that have been got from hacking some company. Explaining again, while you can only encript the pw, obviously if you know what the pw is and ecript it then you get the binary hashed value. This is how the site athenticates you - you type in the pw, it uses the encription (which is one way) to get the hashed value from the plain text you typed in and compares the hashed value for the pw you typed in too the one it has stored for you. If they match you are in. Gpu's crack this by encripting in the same way literally every possible 8 character string, as well as numerious other combinations based off a dictionary of words and standard replacement rules (eg. ! for 1). Each one of these billions of combinations generates a hash that they match against the hashes for pw's they got by hacking that company. If you get a match you now have the plain text pw even though it was one way encripted.

Hash is designed to be fast and stores plain readable passwords, you do not want to use that for passwords, that is where salting and encryption comes in. Some still use old crap like MD5, SHA-1 etc., Cisco and other big players have been preaching that this isn't good enough for years, some of the big companies that got hacked didn't pay attention to the rest of the industry, hence why I say they are noobs.