Brute force attack backup codes and password

My wife’s password was judged as “strong” when she first chose it for use with Gmail. But it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed in a brute-force attack. For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.


What vulnerability is the author referring to?

passwords brute-force gmail
edited Jun 12 '15 at 13:19
Mr. Bultitude
asked Jun 12 '15 at 4:02



3 Answers

For starters, that article misuses terminology.

Whatever vulnerability they may be referring to, it seems pretty blatant that it is not “brute force”, as that would contradict the premise of that very sentence. As another answer suggested, it's possible that some form of social engineering was employed, but in this case any rounds of “guessing” left would not be brute force at all but would be cleverly leveraging known data points.

Additionally, it misidentifies the most likely failure.


Altogether more likely in the case described in the article is a compromised database on another site. The article specifically allows for this when it says “if it didn’t leak from some other site”, implying that his wife does not use unique passwords per site. If you don't use unique passwords[1] then all bets are off[2] and you cannot blame Google if your Gmail account is compromised[3] that all your stuff is only as safe as the weakest site you use—a least-common-denominator approach that is bound to get you into trouble as for any given set of sites it is almost guaranteed that one of them has mishandled user data!

1. You should. Full stop.

2. In addition to (but not in place of) using unique passwords, enabling two-factor authentication would also mitigate against this attack vector.


3. Note again the terminology issue here. A compromised account (as in my usage) is different than a hacked account (as in the article's usage). In the most likely scenario the Gmail account was not hacked—no measure at Google failed—the attacker was merely able to log in with the password they hacked from somewhere else.
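
The "only as safe as the weakest site" point in the answer above, worked through as an added example (not part of the original answer): a small audit that groups a password vault by reused password and classifies each account once a given site is known to have leaked. The `Account` type, the status labels, the site names and the sample passwords are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

class Account(NamedTuple):
    site: str
    password: str
    two_factor: bool

def _fingerprint(password):
    # In-memory grouping key only, so the report never carries plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_exposure(accounts, breached_sites):
    """Classify each account given the set of sites known to have leaked."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[_fingerprint(acct.password)].append(acct.site)
    report = {}
    for acct in accounts:
        peers = sorted(s for s in groups[_fingerprint(acct.password)] if s != acct.site)
        leaked_via = [s for s in peers if s in breached_sites]
        if acct.site in breached_sites:
            status = "breached"
        elif leaked_via and acct.two_factor:
            status = "password known, second factor still required"
        elif leaked_via:
            status = "exposed"
        elif peers:
            status = "reused"
        else:
            status = "unique"
        report[acct.site] = {"shares_with": peers, "leaked_via": leaked_via, "status": status}
    return report

# Constructed sample vault: site names and passwords are made up.
SAMPLE = [
    Account("mail.example", "bluefish1987", False),
    Account("forum.example", "bluefish1987", False),
    Account("bank.example", "bluefish1987", True),
    Account("shop.example", "k7#Vq2!mZp0x", False),
    Account("news.example", "redhorse42", False),
    Account("wiki.example", "redhorse42", False),
]

if __name__ == "__main__":
    for site, row in reuse_exposure(SAMPLE, {"forum.example"}).items():
        print(f"{site:15} {row['status']:45} via {row['leaked_via']}")
```
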
