Cybersecurity

5404 readers

97 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

RockYou2024: 10 billion passwords leaked in the largest compilation of all time (cybernews.com)

submitted 2 months ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

28 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] hoshikarakitaridia@lemmy.world 11 points 2 months ago* (last edited 2 months ago) (8 children)

I would assume that because the original rockyou list was always just used for dictionary brute force attacks, so no associated usernames.

[–] Voroxpete@sh.itjust.works 11 points 2 months ago (7 children)

Correct. This is a brute force dictionary. It's a very powerful tool, but it's applications are severely limited. Any well designed system has protection from brute force attacks. It's mostly useful for stuff like cracking encrypted databases, which would be a situation where the target is entirely under your control. You can't just break into someone's Gmail with it.

[–] gnutard@sh.itjust.works 2 points 2 months ago* (last edited 2 months ago) (6 children)

How would you even crack an encrypted database? I guess the hacker somehow stole it from the server and has it in their dump of other databases they're trying to crack? I don't do hacking, I'm just curious with how it works.

[–] Zomg@lemmy.world 1 points 2 months ago* (last edited 2 months ago)

The databases aren't encrypted exactly...

The DB don't even store passwords, but a hash of a user's password. When someone logs in, their password is hashed and compared to what's stored in the DB. If they match, entry is granted.

Passwords stored as one-way hashes are cracked by generating passwords and running them against the same hash algorithm, like sha256, sha-1 or md5 if you're especially shitty at protecting information. Same hash = same password in most cases. The cracking is done using GPUs because they accelerate at those types of functions. This doesn't even consider salted hashes which make the process more difficult for an attacker.

You do this locally so that you don't lock a username out or trip alerts or become noticed by someone until you're ready to gain access.

load more comments (5 replies)