LeRoy Nellis

Contact

The Password Problem No One Is Answering

Why “They Just Hacked It” Is Not a Serious Explanation

Consider the following password:

Uk$&5SlV[sSkGlAqP@.%ysP&!5M)vv6iD!D^~j5,0.nAN^#[JbxX9t?DHhVa15U_i6lBdsPJXjMAe8k28Znbr3ygwB_9Rap0[e

That is a 100-character password, composed of uppercase letters, lowercase letters, numbers, and special symbols—drawn from the full printable ASCII character set.

This password is not used alone.

It is paired with Google Authenticator, Google’s official time-based one-time password (TOTP) system, delivered through their mobile app. The authentication code rotates every 30 seconds and is derived from a secret key stored on a physical device.

That matters. A lot.

Because once you understand what this setup represents, certain claims stop making sense.

What This Security Setup Actually Is

This is not “a strong password.”

This is two independent security systems operating together:

  1. Something you know
    A 100-character, high-entropy password
  2. Something you have
    A rotating TOTP code generated by Google Authenticator, bound to a physical device

This is standard multi-factor authentication (MFA)—the same model recommended by Google, banks, cybersecurity professionals, and federal agencies.

So when someone implies that an account protected this way is being “hacked” or compromised on a recurring cycle, approximately every seven days, that claim is no longer merely unlikely.

It is extraordinary.

Extraordinary claims require evidence—not hand-waving.

The Math Behind the Password (No Speculation Required)

Let’s ignore MFA for a moment and look at the password alone.

A random 100-character password drawn from printable ASCII (approximately 94 possible characters per position) creates a total keyspace of:

94¹⁰⁰ ≈ 2 × 10¹⁹⁷ possible combinations

On average, an attacker would need to test half of those combinations to succeed.

Even under absurdly optimistic assumptions—perfect parallelization, no rate limits, no lockouts, no errors, and extremely fast guessing—the result is not close to practical.

At one trillion guesses per second (10¹²):

  • Expected cracking time: ~10¹⁷⁷ years

For perspective:

  • The universe is about 10¹⁰ years old
  • This password would outlast stars, galaxies, and matter itself

Doubling processors halves the time.
Adding a thousand processors barely touches the exponent.

This is not a compute problem.
It is a physics problem.

Now Add Google Authenticator

With Google Authenticator enabled, a successful login requires:

  • The correct password and
  • A valid 6-digit TOTP code
  • Generated within a 30-second window
  • Derived from a secret seed never transmitted after enrollment

Even if someone magically defeated the password (they didn’t), they would still need:

  • The TOTP seed, or
  • Real-time access to the authenticated device, or
  • Control of the authentication backend itself

This is not theory.
This is how modern authentication systems are designed.

So Let’s Ask the Only Rational Question

If an account protected by:

  • A 100-character high-entropy password and
  • Google Authenticator MFA

is allegedly being compromised on a routine seven-day cycle, then what is actually happening?

Because the answer is not:

  • “They cracked the password”
  • “They guessed the code”
  • “They brute-forced it”

Those explanations collapse under even basic scrutiny.

What This Leaves on the Table

Once fantasy explanations are removed, only a narrow set of possibilities remains:

  1. The account is not being accessed at all
  2. The platform itself is being modified
  3. Administrative or vendor-level access exists
  4. Authentication is being bypassed
  5. Session tokens are being intercepted
  6. Content is being altered upstream
  7. Insider or contractor access is involved

Notice what is not on the list:

  • Password cracking
  • MFA guessing
  • “Regular hacking”

Those are Hollywood stories, not real-world security failures.

Why This Matters: My Blog Is Being Changed

This is not a hypothetical exercise.

I am alleging that content on my blog is being altered or interfered with despite protections that include:

  • An extreme-entropy password
  • Google Authenticator MFA
  • Device-bound authentication

That allegation exists because the standard explanations do not fit.

When content changes under these conditions, the issue is no longer user security.

It is system-level access.

Why “They Just Hacked It” Is Not a Serious Answer

Saying “they hacked it” in this context is equivalent to saying:

“They broke modern cryptography for fun every weekend.”

If that were true:

  • Google would be compromised
  • Banks would be compromised
  • Governments would be compromised
  • The internet would be on fire

Instead, what usually happens in cases like this is simpler—and more uncomfortable:

  • Excessive access
  • Poor oversight
  • Trusted vendors
  • Quiet privileges
  • No transparency

The Question Williamson County (or Its Contractors) Should Answer

If a county government or a contracting company implies the ability to defeat protections of this magnitude on a routine schedule, the public deserves one clear answer:

What access do you have that bypasses authentication entirely?

Because without:

  • Platform-level permissions
  • Vendor-level control
  • Or insider-grade access

This cannot be done.

Not weekly.
Not monthly.
Not ever.

Call to Action: Independent Review, Not Silence

This issue is no longer personal.
It is technical, institutional, and a matter of public interest.

To the White-Hat Security Community

If you are a:

  • Defensive security researcher
  • Cryptography professional
  • MFA or identity-access specialist
  • Platform security engineer

Review this claim on its merits.

If you believe an MFA-protected account of this class can be routinely compromised without platform-level access, explain how—publicly, with evidence.

If you believe it cannot, say that plainly.

Silence helps abuse, not science.

To the Department of Justice

Allegations involving:

  • Possible misuse of government authority
  • Contractor overreach
  • Unauthorized system access
  • Interference with protected speech

fall squarely within federal oversight.

If content protected by modern authentication is being altered without authorization, that warrants independent review, not dismissal.

To the FBI (Cyber Division)

Claims involving:

  • Authentication bypass
  • Insider or contractor access
  • Platform-level compromise

are not local matters.

If a government entity or its vendors possess—or claim to possess—the ability to bypass MFA protections, that is a federal cybersecurity concern.

This calls for:

  • Technical examination
  • Preservation of logs
  • Clarification of access boundaries
  • Transparency regarding any claimed authority

Final Word

This is not about one password.
It is not about one app.

It is about credibility, access, and accountability.

Modern cryptography does not fail quietly.
MFA systems do not fall over weekly.
High-entropy passwords are not guessed for sport.

When outcomes contradict math, the explanation is not “hacking.”

It is who has the keys.

And keys always come with responsibility, logs, and accountability—whether anyone planned on answering for them or not.

Comments

Leave a comment