My understanding is that a brute-force password attack (using software to guess a password) is commonly used to access a system.

And that a time delay feature can help prevent this - for example a short wait after 'n' attempts.

A delay of just one second would mean a million attempts would take over 11 days.

If this is the case and if this is presumably simple to implement why don't all systems use this feature and put an end to this type of hacking?
  • Posted by seasoned
    Originally Posted by Harvey Segal

    My understanding is that a brute-force password attack (using software to guess a password) is commonly used to access a system.

    And that a time delay feature can help prevent this - for example a short wait after 'n' attempts.

    A delay of just one second would mean a million attempts would take over 11 days.

    If this is the case and if this is presumably simple to implement why don't all systems use this feature and put an end to this type of hacking ?
    WOW! You really think NOBODY thought of that? OK, let's talk about a SIMPLE "secure" password! I mean it only meets THREE of the perhaps 5 criteria generally used for the average "secure" password. That is over 1.8 BILLION combinations! OK, your "understanding" has just been proven FALSE! Computers take a while to accept or reject passwords, and USUALLY a rejection takes at least as long. A one second reaction time over all isn't that unlikely, so you are saying a brute force attempt requires about 58 years! So CLEARLY, that isn't what is happening!

    There are SOCIAL attacks, which your method WON'T help! There are password lists, which your method WON'T help! There are dictionary methods, that are mostly ones that are NOT considered secure at all. OK, MAYBE your idea MIGHT help that a little. That is only 309,000 combinations, or less than 10 years!

    OK, let's take the latest secure account I am using. To guess the password might have taken only 58 years, but it is all or nothing! Guessing a random password, that has only a million possibilities.(That is only about 11 days to guess if done alone). OH, and then there is another value, that will take 58 years to guess. OH, and about the 11 days? they give you one minute to guess it.

    OK, let's see.... 58y*58y*11 OK, that is a LOOOOOOOONG time, IF it were static, but it isn't. It also restricts access, and keyloggers would be nearly useless.

    But THAT has only been around for about 20 years or so! Let's talk about ANOTHER common technique that is over 40 years old. It dates back to instinct, so it is likely thousands of years old. They simply only give you a few tries!

    Steve
    • Posted by Harvey Segal
      Originally Posted by seasoned

      WOW! You really think NOBODY thought of that?
      Of course I am aware that it's been thought of.
      I am simply asking the question why (as a layman).

      Originally Posted by seasoned

      Computers take a while to accept or reject passwords
      I can understand that it takes a while from the beginning and end of a manual entry but I assumed that a validation of an automated entry would take 'nanoseconds'. Is that not the case?
      • Posted by SteveJohnson
        Originally Posted by Harvey Segal

        Of course I am aware that it's been thought of.
        I am simply asking the question why (as a layman).


        I can understand that it takes a while from the beginning and end of a manual entry but I assumed that a validation of an automated entry would take 'nanoseconds'. Is that not the case?
        Part of the problem with relying on 'denial after xx tries' is that the bad guys take steps to be unidentifiable. Denial restrictions rely on IP addresses or cookies and if the bad guys are using a bot network with thousands of IP addresses, the denial is ineffective.
        Signature

        The 2nd Amendment, 1789 - The Original Homeland Security.

        Gun control means never having to say, "I missed you."

        • Posted by seasoned
          Originally Posted by SteveJohnson

          Part of the problem with relying on 'denial after xx tries' is that the bad guys take steps to be unidentifiable. Denial restrictions rely on IP addresses or cookies and if the bad guys are using a bot network with thousands of IP addresses, the denial is ineffective.
          ******BULL******!

          The DENIAL of service is UNIVERSE WIDE! If you somehow connected on a spaceship on the other side of PLUTO, you would STILL be locked out, because it is based on the USER and NOT the IP!

          OH, you COULD try another USER, but then you are starting over because their password is likely different.

          Steve
          • Posted by SteveJohnson
            Originally Posted by seasoned

            ******BULL******!

            The DENIAL of service is UNIVERSE WIDE! If you somehow connected on a spaceship on the other side of PLUTO, you would STILL be locked out, because it is based on the USER and NOT the IP!

            OH, you COULD try another USER, but then you are starting over because their password is likely different.

            Steve
            Take a breath, sunshine. I do have some experience with this.

            You can't block by username, because the legit user needs access. You can't block solely by IP because users log in from different locations.

            Seeing 1000+ IPs hit the same login address with the same username in 5 minutes isn't uncommon.

            We use a heuristic method to semi-reliably determine if the failed login attempt is from the legit user based on past logins and other criteria (such as time between attempts) and deny access to any traffic that doesn't fit the pattern.

            We also may temporarily shut down login access to sites that are getting hit like that, until the threat subsides.

            No system is 100% secure, there are always ways in. You're just trying to play whack-a-mole.
            Signature

            The 2nd Amendment, 1789 - The Original Homeland Security.

            Gun control means never having to say, "I missed you."

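The pattern SteveJohnson describes above, many different IP addresses failing against the same username inside a few minutes, is something a defender can detect from ordinary authentication logs. The script below is an added example and is not code from this thread or from any forum software: it parses a small constructed log sample (the `ts user ip result` format and the regex are assumptions; real logs need their own parser), keeps a sliding five-minute window of failures per username, and reports users whose failures came from at least `min_ips` distinct sources. The sample uses a threshold of 3 so the constructed data triggers it; in production you would set it nearer the "1000+ IPs" figure from the post.

```python
"""Flag one username being hit from many source IPs in a short window.

Added example for the thread above; not from the original page.
Log format and sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <ip> <OK|FAIL>".
# alice is failed against from five different IPs within one minute;
# bob fails once from his own IP and then logs in normally.
SAMPLE_LOG = """\
2015-11-20T10:00:01 alice 198.51.100.10 FAIL
2015-11-20T10:00:03 alice 198.51.100.11 FAIL
2015-11-20T10:00:05 alice 198.51.100.12 FAIL
2015-11-20T10:00:07 alice 198.51.100.13 FAIL
2015-11-20T10:00:09 bob 203.0.113.5 FAIL
2015-11-20T10:00:20 bob 203.0.113.5 OK
2015-11-20T10:01:00 alice 198.51.100.14 FAIL
2015-11-20T10:30:00 alice 198.51.100.10 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")  # assumed log layout


def parse(text):
    """Return a list of (timestamp, user, ip, result) tuples, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def distributed_failures(events, window=timedelta(minutes=5), min_ips=3):
    """Map user -> set of IPs for users whose failures, within any `window`
    of time, came from at least `min_ips` distinct source addresses."""
    per_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            per_user[user].append((ts, ip))

    alerts = {}
    for user, fails in per_user.items():
        fails.sort()  # chronological order so the window can slide
        start = 0
        for end in range(len(fails)):
            # drop failures that fell out of the window ending at fails[end]
            while fails[end][0] - fails[start][0] > window:
                start += 1
            ips = {ip for _, ip in fails[start:end + 1]}
            if len(ips) >= min_ips:
                alerts[user] = alerts.get(user, set()) | ips
    return alerts


if __name__ == "__main__":
    for user, ips in distributed_failures(parse(SAMPLE_LOG)).items():
        print(f"{user}: failures from {len(ips)} distinct IPs -> {sorted(ips)}")
```

Keying the window on the username rather than the IP is the point: the attacker controls the IPs, but every guess against one account still lands on that one account. A reasonable response to an alert is the one the post describes, tightening access for that account or site until the burst subsides, rather than blocking individual addresses.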
            • Posted by MikeTucker
              Originally Posted by SteveJohnson

              I do have some experience with this.

              No system is 100% secure, there are always ways in. You're just trying to play whack-a-mole.
              I do not have experience with fixing these issues myself.

              But to follow your analogy-- because it makes me LOL-- we could "harden the targets" of the areas where these pests are harder to whack, right? So that most hackers are more likely to attack through these "vulnerable" areas that are easier for us to "whack!"?

              Or do most hackers see through this kind of set-up?
              Signature

              The bartender says: "We don't serve faster-than-light particles here."

              ...A tachyon enters a bar.

            • Posted by seasoned
              Originally Posted by SteveJohnson

              Take a breath, sunshine. I do have some experience with this.
              FUNNY, I do!

              Originally Posted by SteveJohnson

              You can't block by username, because the legit user needs access.
              That is one of the reasons you MUST! The legitimate user gets logged out and is FORCED to contact you to be verified!

              Originally Posted by SteveJohnson

              You can't block solely by IP because users log in from different locations.
              The idea of IPs showing ANYTHING overall is a moronic MYTH that I never believed or endorsed! ALL they show is limited routing, and THAT is only for a PERIOD.

              Originally Posted by SteveJohnson

              Seeing 1000+ IPs hit the same login address with the same username in 5 minutes isn't uncommon.
              THEN, you have a PROBLEM!

              Originally Posted by SteveJohnson

              No system is 100% secure, there are always ways in. You're just trying to play whack-a-mole.
              You're right there, but you can make them virtually crack proof from a brute force attack, at least while using logins.

              Steve
      • Posted by seasoned
        Originally Posted by Harvey Segal

        Of course I am aware that it's been thought of.
        I am simply asking the question why (as a layman).


        I can understand that it takes a while from the beginning and end of a manual entry but I assumed that a validation of an automated entry would take 'nanoseconds'. Is that not the case?
        NANOseconds? The speed of computers is VERY overblown! The MARKETING garbage HIDES the speed of memory, but if they were telling the truth, that would mean that the WHOLE WORLD kept an INCREDIBLY simple secret for DECADES! So WHY did they suddenly "reveal" it? AND, here are some terms that are now very popular that MUST be RIDICULOUSLY obsolete and unneeded, if they were telling the truth:

        L1 CACHE
        L2 CACHE
        CACHE
        WAIT STATES
        FSB
        CLOCK MULTIPLIERS
        ETC....

        So WHY are those words used everywhere? They are LYING about memory speed!

        THIS article explains more: CPU Cache, Clock Speed, And Bus Explained - ComputerShopper.com

        OK, so computers are FAAAAAAAR slower than they claim. SO, BYE BYE nano second response! The fact is that even the LOWEST level of the FASTEST memory you will see is less than HALF that speed, and that is at the LOWEST level of the CORE, and VERY small memory. The regular memory is a SMALL fraction of that speed!

        But HOW do you STORE the data? Even the fabled 6GB/sec is BURST! It can take nearly 10ms to go to a needed track.

        ALSO, HOW can you validate something in a nanosecond when you don't have reliable communications over 4Tbps? You see, if you could somehow create and send the packet at 100% efficiency, you would need about 4Tbps to do it in 1ns. Considering that I believe 10Gbps is the new gold level, and most systems are 100Mbps or slower, good luck!

        Besides, do you have ANY idea of the processing involved to create the packet, send the packet, deconstruct it, send it over the internal network, find the info on the disk, compare, and send the result back? OH, it appears fast, but there is a LOT to it. Even if computers could pass the ID at 1 ns all the way through, it would take far longer to process. NO WONDER why even AMAZON, which now actually runs datacenters for large companies, has problems.

        Steve
  • Posted by agc
    If you are relying on IP address to count failed logins, you have failed before you start. And the delay shouldn't be fixed, it should be incremental.

    So, the metric should be "total of failures across all sources" with a delay of say "cumulative failures / 10" seconds.

    But none of that is really relevant... because if you simply lock the account after say 1000 failures, then no brute force attack will ever be successful.

    Where the brute force attacks usually succeed is AFTER some compromise. Most sites don't store passwords, but they do store a "hash code" that the password can be validated against. If the hashcodes are stolen, they can brute force a password that will match the hash.

    Actually, most sites probably do store passwords, but most OS and network authentication systems don't.
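The two mechanisms in this thread, the original question's delay after a run of failed attempts and agc's refinement (count failures per account across all sources, wait "cumulative failures / 10" seconds, hard-lock after 1000 failures), together with agc's point that a site should store a password hash rather than the password, fit in one small piece of code. The class below is an added example, not code from the thread or from any real login system. Assumptions: the clock is injected so the growing delay can be exercised without sleeping, PBKDF2-HMAC-SHA256 with a random salt stands in for "a hash code the password can be validated against", and the 200,000-iteration work factor is a chosen value, not one the thread gives.

```python
"""Per-account throttling and lockout over salted, slow password hashes.

Added example for the thread above; not the page's own code.
Figures 10 (delay divisor) and 1000 (lock threshold) are agc's;
everything else is an assumption made for the demonstration.
"""
import hashlib
import hmac
import os
import time


class Account:
    """One user's credential record: salted PBKDF2 digest plus failure state."""

    def __init__(self, password, iterations):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.digest = self._derive(password)   # only the digest is stored, never the password
        self.failures = 0                      # counted per account, whatever the source IP
        self.next_allowed = 0.0                # clock value before which attempts are refused
        self.locked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations)

    def check_password(self, password):
        # constant-time comparison so a mismatch reveals nothing about the digest
        return hmac.compare_digest(self._derive(password), self.digest)


class LoginGuard:
    DELAY_DIVISOR = 10      # delay in seconds = cumulative failures / 10 (agc's figure)
    LOCK_THRESHOLD = 1000   # hard lock after this many failures (agc's figure)

    def __init__(self, clock=time.monotonic, iterations=200_000):
        self.clock = clock              # injected so tests can advance time without sleeping
        self.iterations = iterations    # PBKDF2 work factor; 200k is an assumed value
        self.accounts = {}
        # throwaway record so unknown usernames cost the same hashing time as a wrong password
        self._dummy = Account("unused", iterations)

    def register(self, user, password):
        self.accounts[user] = Account(password, self.iterations)

    def login(self, user, password):
        """Return one of 'ok', 'denied', 'throttled', 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            self._dummy.check_password(password)   # no fast path that reveals valid usernames
            return "denied"
        if acct.locked:
            return "locked"
        now = self.clock()
        if now < acct.next_allowed:
            return "throttled"                      # still inside the growing delay
        if acct.check_password(password):
            acct.failures = 0
            acct.next_allowed = 0.0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.LOCK_THRESHOLD:
            acct.locked = True
            return "locked"
        acct.next_allowed = now + acct.failures / self.DELAY_DIVISOR
        return "denied"


def attacker_seconds(guesses, divisor=LoginGuard.DELAY_DIVISOR):
    """Least wall-clock time an online guesser must spend on `guesses` attempts
    against one account, given delay = failures / divisor after each miss."""
    return sum(range(1, guesses)) / divisor


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    print(guard.login("alice", "password1"))               # denied
    print(guard.login("alice", "correct horse battery staple"))  # throttled (0.1 s delay pending)
    print(f"1000 guesses need at least {attacker_seconds(1000):.0f} s of waiting")
```

Two design points the thread argues over are visible here. Counting failures on the account rather than the IP is what makes the bot-network case irrelevant to the counter, as seasoned insists; and the hard lock is exactly the trade-off SteveJohnson raises, since anyone who can reach the login form can lock the legitimate user out, so the lock needs a recovery path (the forced verification contact seasoned mentions) or a gentler response such as the heuristic he describes. The slow, salted hash addresses the other scenario in agc's post: if the stored digests are stolen, every offline guess costs the full work factor instead of a single fast hash.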
  • Posted by seasoned
    BRUTE FORCE, and dictionary attacks are not reliable enough to be useful. THAT is why people have social methods, research, keyloggers, trojans, viruses, etc...

    HEY, ever see WarGames? How the protagonist got in was the most realistic part of the movie! He used social, research, and password lists. OH you say, what about when he had his computer do all that stuff when he was in school? WATCH CLOSELY! THAT was realistic ALSO! A LOT of people had that kind of software in the late 70s, early 80s. ALL it did was call up computers, log a response and metadata for those systems that answered. He even explains all that to his friend, and you can see the info on the computer's screen. Much of the rest of the movie was just fantasy, but all of the stuff of how he found the computers, and logged in, was right on.

    Steve
  • Posted by agc
    The honey pot almost always works. Every single person on the planet has the tendency to think this way: "OMG, I can't believe they didn't even fix ABC. What morons. OK, we're in, let's get to work."

    Very very very few are able to rise above that tendency and smell a rat. Very few.

    And most of them will hit a second level honey pot and think "yeah, I guess they really are that stupid after all."