10

Github faced a brute force password-guessing attack recently that involved "nearly 40K unique IP addresses".

Passwords were also "stored properly" using bcrypt (salted + hashed).

Given that bcrypt generates a random salt per password and that the Github database wasn't compromised, how was a "remote" brute force attack possible and how long* was that process?

"These addresses were used to slowly brute force weak passwords or passwords used on multiple sites."

qnoid

2 Answers

10

Given that bcrypt generates a random salt per password and that the Github database wasn't compromised, how was a "remote" brute force attack possible and how long* was that process?

Two different attacks are being confused here. Brute forcing password hashes means the attacker has got ahold of the database table containing the password hashes and if they are properly salted and hashed, then it is very time-consuming to brute force.

In this case, github was attacked by guessing passwords at the login page, so it doesn't matter how the passwords are salted or hashed or anything. It just matters if the user in question used an easy password. Github says "we aggressively rate-limit login attempts", which means it locks an account out after x tries for a certain amount of time. The attacker had resources (40,000 unique IPs to guess from), many accounts to choose from, and a long period of time, so they could lazily keep guessing and waiting for the lockout to expire. Even with all those resources, their bot can't guess fast enough to break into accounts with anything but dead simple passwords.

It is really great that github posts a security history at https://github.com/settings/security for your account to see account activity (failed logins, logins, etc.)

mcgyver5

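The answer above makes two defensive points: a per-IP rate limit is easy to dodge when guesses are spread over 40,000 sources, and an account lockout caps how many guesses get evaluated per account no matter who sends them. The following Python is an added illustration, not code from the answerer or from GitHub. It runs two detection rules over a constructed sample log (the log format, the `198.51.100.x` / `203.0.113.x` addresses, and the 5-tries-per-15-minutes policy are all assumptions; the answer only says "x tries"), then simulates a patient attacker against the lockout to count how many guesses actually get checked in a day.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (illustrative format, not GitHub's real logs):
# "<ISO timestamp> <source IP> <account> <FAIL|OK>"
# Twelve distinct sources each make ONE failed guess against "alice".
ATTACKER_IPS = [f"198.51.100.{i}" for i in range(1, 13)]
SAMPLE_LOG = "\n".join(
    f"2013-11-19T10:{i:02d}:00 {ip} alice FAIL" for i, ip in enumerate(ATTACKER_IPS)
) + """
2013-11-19T10:05:30 203.0.113.5 bob FAIL
2013-11-19T10:05:40 203.0.113.5 bob OK
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "account": account, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])

def noisy_ips(events, threshold=5, window=timedelta(minutes=15)):
    """Per-source rule: IPs with >= threshold failures inside the window."""
    recent, flagged = defaultdict(deque), set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged

def sprayed_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account rule: accounts whose failures inside the window came from
    >= threshold distinct sources. Returns {account: distinct_ip_count}."""
    recent, flagged = defaultdict(deque), {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["account"]]
        q.append((e["ts"], e["ip"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        ips = {ip for _, ip in q}
        if len(ips) >= threshold:
            flagged[e["account"]] = len(ips)
    return flagged

class AccountLockout:
    """Lock an account for `lockout` after `max_attempts` consecutive failures,
    regardless of which IP the attempts come from (assumed policy)."""
    def __init__(self, max_attempts=5, lockout=timedelta(minutes=15)):
        self.max_attempts, self.lockout = max_attempts, lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, ts, password_correct):
        if ts < self.locked_until.get(account, ts):
            return "LOCKED"          # rejected before the password is even checked
        if password_correct:
            self.failures[account] = 0
            return "OK"
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            self.failures[account] = 0
            self.locked_until[account] = ts + self.lockout
        return "FAIL"

def guesses_evaluated_per_day(attempts_per_second=1, **policy):
    """Guesses that actually get checked in 24h against one account when an
    attacker keeps hammering the login page (lockout rejections don't count)."""
    lock, start, checked = AccountLockout(**policy), datetime(2013, 11, 19), 0
    for n in range(24 * 3600 * attempts_per_second):
        ts = start + timedelta(seconds=n / attempts_per_second)
        if lock.attempt("alice", ts, password_correct=False) == "FAIL":
            checked += 1
    return checked
```

On the sample, `noisy_ips` flags nothing because every source stays under the per-IP threshold, while `sprayed_accounts` flags `alice` with 12 distinct sources in the window; that is the signal worth alerting on. With the assumed 5-tries-then-15-minutes policy, the lockout simulation shows only 480 guesses per account per day are ever evaluated, which is why the answer says only dead simple passwords fall.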
9

If you are brute-forcing based on characters, then you would have about 219 trillion needed guesses if just using letters and numbers for passwords 8 characters in length. That's a lot.

With weak passwords people are often referring to commonly used passwords like "azerty123", "a1234567", ... or words in a dictionary. If you are using a dictionary you can reduce the amount of possible passwords to maybe 1 million, which means all you need is 1 million guesses.

The biggest issue is that people tend to reuse passwords across websites, so when Adobe got hacked their database was leaked. Due to their bad way of encrypting (not hashing) passwords, attackers could generate a list of commonly used passwords. They could for instance then have used the associated email address to try and log into Github using the same password (because, as said, people often use the same password everywhere).

Lucas Kauffman