On Sun, May 03, 2009 at 10:41:33PM +0100, Ted Harding wrote:
PW: The first thing I'll do is an easy check to see whether I can get a nice little automated tool to cough up your password straight away so I can log on as you.
Well, my jaw would drop if I believed it! Even if the password is case-insensitive, that's 36 letters+numbers to try every "permutation" of. There are 36^14 different 14-character strings where each character can independently be any letter or number. And that's just the full 14-character string -- there's also all the shorter strings as well.
My first instinct would be to suggest that they weren't brute force guessing the password. I'm guessing that they were recovering the encrypted password file from disk and breaking/reversing the format it was stored with using something like L0phtcrack and rainbow tables, which make it much, much easier to recover passwords quickly.
In short, this kind of attack is very feasible and I have done similar in the past. Nearly 10 years ago I grabbed a set of users' passwords from a Windows domain and ran an automated scanning tool against about 80 users' passwords; it took me about 20 hours to get 95% of them, and keep in mind the machine I was using to do this was about Pentium III vintage with 512MB RAM.
Without a proper explanation of what they were trying to break and how, it would be hard to say if it was genuine or not, but it is entirely feasible.
Thanks,
Adam