>
> Cracking ONE of my company's servers and gaining ONE of my
> passwords to that ONE site doesn't endanger my many other
> sites since the hackers don't know what they are.
There are many, many ways to track people's identity online if you know
where to look. Most people, even those using different passwords for
everything, will still use the same username (or a variation of it) as
well as the same sign-up email. Looking through the right database
leaks/compilations of those, you can query the right info and find a
surprising web of the person's life online: everything they use, all the
services, forums, etc. Compromising ONE service is often all it takes to
cascade and then compromise many others.
On 5/10/19 11:57 PM, 123456789 wrote:
> That would apply to all passwords, not just my formula
> generated ones.
>
>
>> My formula generated passwords are 13 characters long. And
>> my passwords are more random than many since other people
>> often use their kids names, regular words and phrases,
>> birthdays, etc. as passwords.
Not all. As you noted, most people's passwords, which are completely
shit, will be brute-forced in half a second. No, really: anything
resembling what the average person uses gets brute-forced in seconds.
I'd bet that 50% of passwords get brute-forced that quickly. For the
harder ones, well, they just leave their machine running for a few weeks
to brute-force the rest, and they'll pretty much have everyone except the
1%'ers who use completely random passwords from password managers.
>
> Brute force wouldn't work on most of my sensitive sites.
> They lock you out after a small predetermined number of
> failed password tries.
That's not how most compromises work. If you read my post, you'll notice
I specifically said offline attacks. They don't sit there and attempt
logins through the same web portal genuine customers use. They straight
up hack the company, steal all the encrypted personal files/account
info/user credentials, etc., and then run offline attacks where they have
unlimited tries. Your info then gets compiled into large chunks sold to
other people for money, or it gets curated into "fullz", which really go
for money and allow people to take over your life. These breaches happen
every day against major companies, and you don't hear about it on the news.
>
>> 2FA *might* help you against mass attacks, but a
>> specific targeted attack will take you out
>
> As I said before, if I'm being personally targeted then I have
> much bigger problems than just a password compromise...
You don't understand how that works either. They don't need to
specifically target you; they just need to employ another tool that's
rather easy to use. You're overlooking the tools used by crackers to
give yourself a false sense of security, thinking that if they're going
that far they must really be out to get you, to the point of following
you around in real life.
Say I crack your Amazon account password and it says it needs a 2FA code
from your mobile. Well, a lot of times I don't even need to look for
your mobile number, because some prompt says it will send a code to your
number and then lists the number. To get around that, all I need to do
is pay/message the right guys on .onion sites that do SIM swapping to
have your number ported over to whatever SIM I have control of and
receive your 2FA code. There are other methods as well, but that's the
well-known entry-level one for new guys in the SIM boosting game.
You don't need to be the target of some shadowy organization for 2FA to
fail. 2FA through SMS straight up sucks as a security measure. SMS was
never meant to be secure, and mobile numbers were never supposed to be
some kind of global identifier security system.
If anything, compared to a guy who just uses a password manager vs. the
average normal dude with "normal" passwords and 2FA, it makes it easier
to steal your identity.
Your security model is at best the dreaded "security through obscurity".
You might be spared only because hackers employing the tools I suggested
pwn 80% of the breached database, and from that they make enough money
that they call it a day and decide not to brute-force the remaining,
slightly harder passwords in the last 20%.
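Below is an added example, written for this page and not code from either poster, of the two things the reply above describes: correlating one person's accounts across several breach dumps by reused email and username variants, and running an offline dictionary attack against the stolen hashes where no lockout applies. The dumps, wordlist and mangling rules are constructed for illustration, and the hashes are assumed to be unsalted SHA-256 (a site using a slow, salted hash such as bcrypt makes the same attack far more expensive, which is the caveat a practitioner would add).

```python
import hashlib
import re
from collections import defaultdict


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256: the kind of fast, unsalted hashing that makes offline cracking cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed breach records: (username, sign-up email, password hash).
# Entirely made up for this example; not from any real breach.
DUMPS = {
    "shop.example": [
        ("jdoe88", "john.doe@example.net", sha256_hex("fluffy2012")),
        ("gamer_girl", "gg@example.org", sha256_hex("Summer2019!")),
    ],
    "forum.example": [
        ("JDoe", "john.doe@example.net", sha256_hex("kQ9#vL2pXz8mR")),  # manager-generated
        ("gamergirl", "gg@example.org", sha256_hex("password1")),
    ],
    "bank.example": [
        ("jdoe", "JOHN.DOE@example.net", sha256_hex("Fluffy!2012")),
    ],
}

# Constructed, deliberately tiny wordlist; real crackers use millions of entries.
WORDLIST = ["password", "fluffy", "summer", "qwerty", "letmein"]


def username_stem(username: str) -> str:
    """Keep only the letters, lower-cased, so 'jdoe88', 'JDoe' and 'jdoe' collide."""
    return re.sub(r"[^a-z]", "", username.lower())


def correlate(dumps):
    """Group accounts by normalised email and by username stem.
    Returns (by_email, by_stem), each mapping the key to a list of (site, username)."""
    by_email, by_stem = defaultdict(list), defaultdict(list)
    for site, rows in dumps.items():
        for username, email, _ in rows:
            by_email[email.lower()].append((site, username))
            by_stem[username_stem(username)].append((site, username))
    return dict(by_email), dict(by_stem)


def candidates(wordlist):
    """Guesses with the mangling rules crackers apply: case variants,
    trailing digits/punctuation, and appended years in several positions."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("1", "123", "!"):
                yield base + suffix
            for year in range(1990, 2026):
                yield f"{base}{year}"
                yield f"{base}{year}!"
                yield f"{base}!{year}"


def crack(dumps, wordlist):
    """Offline dictionary attack: hash each candidate once and look it up against
    every stolen hash. Lockouts are irrelevant because the attacker holds the hashes.
    Returns ({(site, username): plaintext_or_None}, attempts_made)."""
    targets = defaultdict(list)
    for site, rows in dumps.items():
        for username, _, h in rows:
            targets[h].append((site, username))
    found, attempts = {}, 0
    for guess in candidates(wordlist):
        attempts += 1
        h = sha256_hex(guess)
        if h in targets and h not in found:
            found[h] = guess
        if len(found) == len(targets):
            break
    results = {acct: found.get(h) for h, accts in targets.items() for acct in accts}
    return results, attempts


if __name__ == "__main__":
    by_email, by_stem = correlate(DUMPS)
    for email, accounts in by_email.items():
        print(f"{email}: {accounts}")
    results, attempts = crack(DUMPS, WORDLIST)
    print(f"{attempts} guesses made, no lockout involved")
    for (site, user), plaintext in results.items():
        print(f"{site}/{user}: {plaintext or 'NOT CRACKED'}")
```

Running it shows the pattern the reply describes: the email and the username stem tie the three "jdoe" accounts together, the human-chosen passwords fall in well over a thousand guesses (a number no online portal would allow), and only the manager-generated 13-character value survives the wordlist.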