brute forcing passwords, aren't there limits to requests? [closed]

Question

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 9 years ago.

Improve this question

Reading articles like this one makes me wonder, is this a real world problem?

Say that someone (or something) wanted to crack my FTP login. The cracking software can deliver so and so many million guesses per second, but the server that is under attack can't possibly serve up that many "incorrect password" replies. In what kind of scenario do I need to worry about brute forcing?

Answer 1

If your database of password hashes is compromised, and they can try to crack it on their local machine

Answer 2

The point of these devices is to brute-force a password hash (from a leaked database).
No server is involved.

If they were trying to crack your FTP login, they wouldn't need lots of GPUs; they would simply need lots of network bandwidth.

Answer 3

The article says this, "Tools like Gosney’s GPU cluster aren’t suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said."

Answer 4

The article you linked already gives the answer to your question:

Tools like Gosney’s GPU cluster aren’t suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said. In that situation, attackers aren’t limited to a set number of password attempts – hardware and software limitations are all that matter.