I am familiar with how offline brute-force attacks work. But for online accounts, assuming no social engineering, how feasible is it to brute-force attack a password? For example, is this dependent upon password complexity, or possibly some other vulnerability, like eavesdropping on SSL/TLS handshakes?
-
It seems the question is too broad. Online accounts have different password policies on different platforms. Every platform has its own policy on password retries. – neo Jun 10 '13 at 04:12
-
I edited it down. Hopefully it looks like a coherent question now. – T. Webster Jun 10 '13 at 05:12
-
To answer your last question (I'm surprised that it's coming up a lot recently): [How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?](http://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w) – Adi Jun 10 '13 at 05:24
-
I edited again to make title match question. – T. Webster Jun 10 '13 at 05:30
1 Answer
Online brute-force attacks against a properly designed system are probably infeasible against all but the weakest passwords.
This is due to the fact that online systems can implement a wide array of rate limiting techniques that will limit the number of attempts the attacker has to guess the password of a single account.
Of course there are some techniques available to try and circumvent the rate limiting techniques such as trying a single password against multiple user accounts or distributing the login attempts among multiple IP addresses to try and get past IP bans. However, I'm not sure about the effectiveness of such techniques.
There is another factor that limits the effectiveness of online brute-force attacks. The limiting factor in such attacks usually isn't the processing power that can benefit from large GPU farms. The limiting factor usually is the network. Each individual network interface can only send out so many packets per second. Even if you can afford to have thousands of network interfaces sending out the necessary packets for an online brute-force attack, the server your target is hosted on probably cannot handle the millions of packets bombarding it. At this point, your online brute-force attack has turned into a denial-of-service attack.
Assuming that you are talking about a web application, it is probably easier for attackers to exploit other flaws such as SQL injections to get a database dump and perform offline attacks using clusters of dedicated hardware.
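The rate limiting the answer describes, and the circumvention it mentions (one password tried against many accounts), are easy to see side by side in code. The following is an added example, not code from the answer's author: a sliding-window limiter with a per-account and a per-source cap, plus a detector for the "one guess against many accounts" pattern that a per-account cap alone never trips. The thresholds and the failed-login stream are constructed for the demonstration.

```python
from collections import defaultdict, deque

WINDOW = 300            # sliding window in seconds (constructed value)
MAX_PER_ACCOUNT = 5     # failures before an account is locked
MAX_PER_IP = 20         # failures before a source address is throttled
SPRAY_ACCOUNTS = 10     # distinct accounts from one source inside the window => alert

class LoginGuard:
    """Per-account and per-source limits plus a password-spraying detector."""
    def __init__(self):
        self.by_account = defaultdict(deque)      # account -> failure timestamps
        self.by_ip = defaultdict(deque)           # ip -> failure timestamps
        self.accounts_by_ip = defaultdict(dict)   # ip -> {account: last failure ts}

    @staticmethod
    def _prune(dq, now):
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def allow(self, account, ip, now):
        """Return (allowed, reason); call before a login attempt is processed."""
        self._prune(self.by_account[account], now)
        self._prune(self.by_ip[ip], now)
        if len(self.by_account[account]) >= MAX_PER_ACCOUNT:
            return False, "account locked"
        if len(self.by_ip[ip]) >= MAX_PER_IP:
            return False, "source throttled"
        return True, "ok"

    def record_failure(self, account, ip, now):
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)
        self.accounts_by_ip[ip][account] = now

    def spraying_sources(self, now):
        """Sources that failed against many distinct accounts within the window."""
        return sorted(ip for ip, accts in self.accounts_by_ip.items()
                      if sum(now - t <= WINDOW for t in accts.values()) >= SPRAY_ACCOUNTS)

def run_sample():
    """Constructed failed-login stream: one single-account burst, one spray."""
    g = LoginGuard()
    outcomes = []
    # 10.0.0.1 hammers a single account: the per-account cap trips on the 6th try
    for i in range(6):
        ok, _ = g.allow("alice", "10.0.0.1", now=i)
        outcomes.append(ok)
        if ok:
            g.record_failure("alice", "10.0.0.1", now=i)
    # 10.0.0.2 makes one guess against 12 accounts: no account ever locks,
    # only the cross-account view catches it
    for i in range(12):
        g.record_failure(f"user{i}", "10.0.0.2", now=100 + i)
    return outcomes, g.spraying_sources(now=120)
```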