Talk:Brute-force attack

Quantum computer speculation
I don't think this line should be in here: "Quantum computers are needed to crack such complicated encryptions in a more practical length of time."

Quantum computing is not going to get around thermodynamic limits of 256-bit keys. More info: http://everything2.com/user/dogganos/writeups/Thermodynamics+limits+on+cryptanalysis

Certainly it is not the case that "Quantum computers are needed" - that implies that they are *currently* being considered, and that is no longer the case. — Preceding unsigned comment added by Meepdeedoo (talk • contribs) 13:56, 19 August 2011 (UTC)

Salting as mitigation for reverse brute-force
In the recent "edit toggle" between Multichill and Guy Macon, Multichill is correct. When just a single plaintext password is tried against a corpus of unsalted hashes, if ten accounts have the same password, all ten of them are cracked with the same amount of effort. By contrast, if the hashes are salted, the calculations for that hash have to be performed for each of those ten users, even if they all have the same password. In other words, for this specific kind of attack, salting significantly increases the processing time required and is one of the primary recommended mitigations. Royce (talk) 07:28, 10 December 2018 (UTC)


 * That's not what the source says. Your logic is correct, but it is WP:OR. If you have a reliable secondary source that says what you are claiming, please re-add the claim along with the source that supports it. The existing source says:


 * "Essentially there are two types of brute force attacks, (normal) brute force and reverse brute force. A normal brute force attack uses a single username against many passwords. A reverse brute force attack uses many usernames against one password. In systems with millions of user accounts, the odds of multiple users having the same password dramatically increases. While brute force techniques are highly popular and often successful, they can take hours, weeks or years to complete."


 * It only talks about trying passwords against usernames. It says nothing about trying passwords against hashes.


 * Getting back to your WP:OR, according to my WP:OR (which is equally useless as a basis for edits to the article) an attacker who has access to the hashes has a distinct advantage if the hashes are not salted, but the best way for an attacker to exploit that advantage is not to do a reverse brute force attack. The best use of his resources is to identify a hash that has multiple high-value accounts and do a conventional brute force attack against one of them. If he succeeds, he has the rest of them for free. By contrast, by doing a reverse brute force attack in that situation he only spends a portion of his effort on the accounts with the duplicate hashes. Salting is definitely a way of making life harder on an attacker, but you are wrong in thinking that this is somehow specific to attackers who do reverse brute force attacks. --Guy Macon (talk) 08:46, 10 December 2018 (UTC)
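
Added illustration, not part of either editor's comment or of the cited source: the sketch below shows the two effects discussed in this thread, that identical passwords produce identical unsalted hashes, and that a per-user salt forces one computation per account when a single candidate is checked. The account names, passwords, function names and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts (not real data); three users share one password.
ACCOUNTS = {"alice": "Winter2018!", "bob": "Winter2018!",
            "carol": "Winter2018!", "dave": "correct horse battery"}
ITERATIONS = 1000  # kept low so the demo runs quickly; not a recommended setting

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_stores(accounts):
    """Return (unsalted, salted) credential stores for the same accounts."""
    plain = {user: unsalted_hash(pw) for user, pw in accounts.items()}
    salted = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh random salt per user
        salted[user] = (salt, salted_hash(pw, salt))
    return plain, salted

def shared_hash_groups(digests):
    """Group users whose stored digest is identical (visible password reuse)."""
    groups = defaultdict(list)
    for user, digest in digests.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def cost_of_one_candidate(plain, salted, candidate):
    """Hash computations needed to test one candidate against every account."""
    digest = unsalted_hash(candidate)            # computed once, compared to all
    hits_plain = sorted(u for u, d in plain.items() if d == digest)
    hits_salted, salted_work = [], 0
    for user, (salt, stored) in salted.items():  # must be recomputed per salt
        salted_work += 1
        if salted_hash(candidate, salt) == stored:
            hits_salted.append(user)
    return {"unsalted": (hits_plain, 1), "salted": (sorted(hits_salted), salted_work)}

if __name__ == "__main__":
    plain, salted = build_stores(ACCOUNTS)
    print(shared_hash_groups(plain))   # reuse is visible without salts
    print(shared_hash_groups({u: d for u, (_, d) in salted.items()}))
    print(cost_of_one_candidate(plain, salted, "Winter2018!"))
```

Running `shared_hash_groups` over a real credential table is a quick audit for missing salts: any non-empty result means identical passwords are stored as identical digests.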

Mask Attack
When reading about the Hashcat system, I came upon the term "Mask Attack", which as far as I understand is a form of Brute force attack but with limitations on the form of the forces tried. Could this be a suitable addition to this page about brute force, or is it better seen as an article of its own? Svartkaffe (talk) 07:23, 27 December 2022 (UTC)