I discovered the article "How I would hack your weak passwords" yesterday and was not sure back then if I should comment on it or not. Today I decided that it would make sense to provide you with my point of view, so here it comes.
The author of the article details how he would try and gain access to another user's passwords and accounts. His first approach would be to use the most common used passwords by users on the net. He needs information about your personal life for some passwords but those information can be obtained pretty fast through social engineering. Trying those "top 10" passwords should provide him with access to at least some accounts statistically speaking.
The common password approach is the most direct attack one can launch on someone's online account. All you have to do is log in with the user's email address or username, and try different passwords that are commonly used or that you can associated with the particular user.
His next approach is to brute force the passwords on websites with weak security. This is more or less an automated version of the password guessing method. Instead of having to try manually by yourself, you let a program test hundreds or thousands of common passwords.
Many sites and servers offer protection against these kinds of attacks. This often includes banning IP addresses or sometimes even blocking login access to an account for a select amount of time to avoid further attacks.
But the brute force programs that he suggests are way outdated. Brutus? wwwHack? That's last millennium. Current state of the art brute force programs to crack basic authorization and form protected sites are C-Force or Sentry. The brute force approach has one disadvantage. If you do not know the username you have to try username and password combinations and there is no guarantee that you will discover the combination for the user that you want to hack.
You could get login details for other users which are absolutely worthless to you. This means, brute forcing is only an option if you know the username of the user.
There are actually two ways to brute force an account. The first would be to use generated lists of usernames and passwords or try combinations to get into an account. The second to try every char combination possible. It should be noted that the second option could very well last several years or even centuries depending on the size of the selected password.
So, brute forcing is not really an option and he is not explaining how he would get the username of the user in question except mentioning cookies. Cookies are stored on the targets machine which would mean that he needs either access to that machine or an exploit to get them while the user is online. Not very practicable.
So, what can users learn from his analysis ?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.