Passwords: help me understand this

http://www.ghacks.net/2011/11/27/how-long-it-would-take-to-hack-a-password/

I read that article and then had two questions and I got two replies. My problem is that I still don't understand and I don't want to ask yet again over there for fear of being exposed as being dense

In short, what I still can't get is this: Any self-respecting site would lock out a user after a limited number of failed attempts to log in. So how does this business of using brute force work?

The relevant parts of the answers that I couldn't understand are:

and

 

Use SQL injection vuln to get database using input fields. Download encrypted database. Bruteforce encrypted database locally.

Botnets don't have to worry about limited numbers of login attempts though.

Computer 1 tries 5 times. Gets locked out for a minute.
Computer 2 takes over and tries 5 more times. Gets locked out for a minute.

and so on, except this happens simultaneously from millions of computers.

not to mention captchas are dead easy to bypass

 

What does Bruteforce encrypted database locally mean? A bad guy downloads an encrypted database. What is in the database? Usernames and passwords in human-readable form? If yes, then how does having a "strong" password help?

So it is a possibility with a probability of what? And by probability I mean that of anyone, even with abc123 as password, being affected given the number of "valuable" targets in existence. I'd like to believe that criminals target and don't take potluck (to mix metaphors a bit).

I hate them.

 

There's an SQL Database on the server. You use SQLInjection and you download the database. If that database is encrypted you then have a series of Usernames (which will not be encrypted) and passwords (which will be, hopefully.)

You can then bruteforce individually. At this point you're probably bruteforcing the hash of the password and that's beyond the scope of what I know. My security class was lacking in this area... lol

That depends on if you're the unlucky one who gets picked I suppose. If this is a remote bruteforce things can take a while purely due to network restraints. If you have a massive botnet and you're the one who gets picked and the website doesn't protect against that you'd better have a long password with lots of symbols and numbers and hope that you can waste their time long enough for them to move on.

Not every botnet is going to have millions and botnets usually don't sell every single computer at once either. Easier to split up the computers and sell to multiple people. And those people won't always be trying to bruteforce passwords and of course getting an SQL injection isn't always easy on any decent website. Plus they have to choose yours out of the billion emails out there.

As do I. Bots can get around them but I'm sitting there for 5 minutes trying to figure it out! lol

 

So is it very wrong to feel that this whole password business has an element of market-driven hype about it?

 

To some extent. The thing is that there's a thin line between a really weak password and a really strong password. If my password is iuherg it's weak as hell but IuhErg198 is actually quite decent and a short bit away from being very strong. So it's best not to ride the line when it's so easy to be on either side.

 

That's correct but if one looks around, there are businesses thriving on an infinitesimally small probability.

 

Which?

 

www.roboform.com/Enterprise for example?

And http://password-management-software-review.toptenreviews.com/

 

That's not really marketing off of weak passwords. It's a convenience tool that lets you carry all of your passwords with you/ log in quickly.

I don't know of any product that charges you based on creating a strong password.

 

Okay