Question on Password Length (CSP Unit 4 Lesson 8)

Hi @wbarnum,

When you say website logins are set up not to allow brute force attacks, I suppose you mean how they, for example, allow 3 attempts, then ban attempts for x amount of time (like many phone logins)?

I’m by no means a security expert, nor have I formally studied this in any way… that being said :grin:

As far as I know, you’re correct in that the method I mentioned prevents most sites from being attacked via brute force.

I think there’s still a concern if an attacker somehow can make their way around the “front door” - the website login page - and somehow access the password database directly, as is often the case when you hear of a company getting hacked.

To my knowledge, these password databases are hashed - basically encrypted - not stored in plaintext for security purposes (otherwise company employees can also see users’ passwords). However, if an attacker has direct access to that database, they can perform a direct brute force attack on that. Basically, if they know the hash/encryption method, they can guess a password and see if the hashed/encrypted form matches what’s stored in the database.

To learn more about how passwords are stored in a database, including how hashing works, here’s a 10 minute video I found helpful: https://www.youtube.com/watch?v=8ZtInClXe1Q

But definitely, if anyone else has “actual” knowledge to help answer this question, I’d love to hear. :slight_smile:

Frank

2 Likes
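As an added example (not code from Frank's post or the course), here is how a site can store passwords so that the "guess a password and compare the hash" approach against a stolen database becomes much slower and cannot be reused across users: a per-user random salt plus a deliberately slow hash (PBKDF2 here; the iteration count and record format are illustrative assumptions).

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumption, not a recommendation for production tuning).
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def fast_unsalted(password: str) -> str:
    """The weak way: one cheap, unsalted hash. Identical passwords produce identical
    values, and each attacker guess costs a single SHA-256 call."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The stronger way: random per-user salt + many PBKDF2 rounds.
    Returns a self-describing record 'scheme$iterations$salt_hex$hash_hex'
    (constructed format for this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    This is the same check a login page performs for a legitimate user."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_password_visible(records: list) -> bool:
    """True if a stolen database reveals that two users share a password
    (always true for the unsalted scheme, false for salted records)."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    shared = "correct horse battery staple"  # constructed sample password
    print("unsalted duplicates visible:",
          duplicate_password_visible([fast_unsalted(shared), fast_unsalted(shared)]))
    print("salted duplicates visible:",
          duplicate_password_visible([hash_password(shared), hash_password(shared)]))
    print("login check:", verify_password(shared, hash_password(shared)))
```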