by smkdtr 4238 days ago
Along similar lines, I wonder if this fuzzer can be used to bruteforce passwords for applications. Would it do any better than the standard "try all the combinations" method?
2 comments

If the password is generated with a sane KDF - bcrypt/scrypt/pbkdf2, no.

If it's not, better attacks exist than trying every single password.

If you're trying to crack the application - not the password - maybe, but I kinda doubt it.

Not really, because it depends on collecting traces from the target, and if you can do that you can usually just read the password out of memory.
On the flip side, it could probably be used as a really slow universal keygen for naive license-key implementations :)