Gmail account has been hacked. If so, how?



There's much more than 2^28 possible guesses for the first password, you have to look at the possible combinations for each character (Let's say a-z, A-Z, 0-9, so 62 possible values for a single character password), and the length of the password (Let's go with 10 characters), that's 62^10, or 839,299,365,868,340,224 possible combinations.

I'm talking about plain brute forcing though, where you can't be sure if there's an upper-case character, or how many there are, or what characters they are, or their positions, or the length of the password, etc.

Edit: And 2^28 isn't even 4 bytes, I'm sure there's some way to explain it, but I don't see how you can get 4 bytes of data from a 10+ character long string.


"or what characters they are, or their positions, or the length of the password, etc."

I think you missed the point of the first image -- the software trying to break it would use those rules - Cap first, actual word with just substituted out characters, numbers for letters (common) and then end with punctuation and number, etc.

If you follow these rules then it's much easier to attack, lots less combinations you have to try. You don't actually have to do a full bruteforce attack where you just walk through combinations. You make an educated guess to what it might be from a word, just run through common words and apply the rules, cap first, maybe not, make the common subs, end with !3 !2 2!, 1? etc. How many combos of punctuation and 0-9 in 2 characters, etc.

It does make a very valid point!!


There's much more than 2^28 possible guesses for the first password, you have to look at the possible combinations for each character (Let's say a-z, A-Z, 0-9, so 62 possible values for a single character password), and the length of the password (Let's go with 10 characters), that's 62^10, or 839,299,365,868,340,224 possible combinations.

I'm talking about plain brute forcing though, where you can't be sure if there's an upper-case character, or how many there are, or what characters they are, or their positions, or the length of the password, etc.

Edit: And 2^28 isn't even 4 bytes, I'm sure there's some way to explain it, but I don't see how you can get 4 bytes of data from a 10+ character long string.

You are thinking about this all wrong. It isn't bytes and bits as in a measure of size (like memory or HD); it is a measure of uncertainty and how strong the password is. You are right in that there are that many possible combinations.

However, what this is talking about is the fact that the choice of password characters isn't random (for most people) and that decreases the uncertainty of it. See http://en.wikipedia....rated_passwords

If you were to choose entirely random characters from the set you describe then it would require 2^66 (I think) guesses to brute force it. However, because people don't, that drastically reduces the number needed.

For example, I would bet my house that the vast majority of passwords for this site have a vowel as the second character. That has saved a whole load of guesses already. Not quite as willing to bet, but I would guess that the vast majority end in a number.

Not magic, and I am not reading the passwords, but there are patterns, as it is non-random data, and that changes it.
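The two ways of counting that the thread argues over, the blind 62^len search space versus the work a rule-based guesser actually does, can be put side by side in a small estimator. This is an added example, not code from the thread; the dictionary size (about 65k words), the substitution table, the suffix alphabet and the COMMON_WORDS set are my assumptions, the last being a constructed stand-in for a real word list.

```python
import math
import string

# Assumptions for the guessing model (mine, not the thread's): the guesser works from a
# dictionary of roughly 65k common words and applies the rules the second poster lists.
# COMMON_WORDS is a constructed stand-in for that list; only its size is modelled exactly.
DICTIONARY_SIZE = 2 ** 16
COMMON_WORDS = {"password", "monkey", "dragon", "welcome", "sunshine", "football"}
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"}
SUBSTITUTABLE = set(LEET.values())                # letters that have a common swap
SUFFIX_CHARS = string.digits + "!@#$%^&*?"        # 19 choices per trailing character
ALPHABET = string.ascii_letters + string.digits   # the 62-character set from the thread


def brute_force_bits(password):
    """log2 of the blind search space the first poster computes: 62^len."""
    return len(password) * math.log2(len(ALPHABET))


def _core_bits(core):
    """Bits for 'capitalised-or-not dictionary word with common swaps'; None if it is not one."""
    word = "".join(LEET.get(ch, ch).lower() for ch in core)   # undo the swaps
    if word not in COMMON_WORDS:
        return None
    bits = math.log2(DICTIONARY_SIZE)                 # which word
    bits += 1                                         # first letter capitalised or not
    bits += sum(ch in SUBSTITUTABLE for ch in word)   # each swappable letter: swapped or not
    return bits


def pattern_bits(password):
    """
    Bits of work under the rule-based strategy: dictionary word, optional capital, common
    letter->digit/symbol swaps, then up to three trailing digits/punctuation. Every split
    between core and suffix is tried and the cheapest kept, since that is the one a
    rule-based guesser reaches first. Returns None if the password does not fit the shape.
    """
    run = 0
    while run < min(3, len(password) - 1) and password[-1 - run] in SUFFIX_CHARS:
        run += 1
    candidates = []
    for k in range(run + 1):
        core_bits = _core_bits(password[:len(password) - k])
        if core_bits is not None:
            candidates.append(core_bits + k * math.log2(len(SUFFIX_CHARS)))
    return min(candidates) if candidates else None


if __name__ == "__main__":
    for pw in ("P4ssw0rd!1", "xq7Lz2pVmK"):      # constructed sample passwords
        print(pw, round(brute_force_bits(pw), 1), pattern_bits(pw))
```

For the patterned sample the blind count gives about 59.5 bits while the rule-based count gives about 29.5, which is the gap the third poster is describing; the random-looking sample does not fit the pattern at all, so only the blind count applies.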

