Countering Brute Force

[Guest]

Just wondering, what some good methods are for countering "brute force" methods of attack. I know having to require users to change their passwords every so often is one way (not always successful). Just wondering what others would be good. Thanks. 

[Slottr]

Theres some little things in that video that might help you

[Guest]

3 hours ago, Slottr said:

Theres some little things in that video that might help you

I've seen it

 

That's more of the user end of things rather than the server/admin side of things 

[Tyrosen]

2 step verification. The way brute force works is that the program keeps relogging a values, until it stumbles across your password

[KuJoe]

Brute force detection is a good method. Basically after X failed attempts lockout the account for Y minutes/hours/days. This will make brute forcing a password painfully slow and expensive.

[Guest]

3 hours ago, KuJoe said:

Brute force detection is a good method. Basically after X failed attempts lockout the account for Y minutes/hours/days. This will make brute forcing a password painfully slow and expensive.

Right, but the drawback for that is that the actual user of the account is unable to login. 

[Guest]

3 hours ago, Tyrosen said:

2 step verification. The way brute force works is that the program keeps relogging a values, until it stumbles across your password

Okay

 

What I meant though is more towards just sticking with the server and client side of things and not exactly going that far beyond the scope 

[Tyrosen]

1 minute ago, KuJoe said:

Brute force detection is a good method. Basically after X failed attempts lockout the account for Y minutes/hours/days. This will make brute forcing a password painfully slow and expensive.

I've always low key wished I was a hacker who used brute force, would feel pretty satisfying getting into an account after days...  

 

 

just kidding don't want to be murked by FBI

[Guest]

I remember Linus covering something like this in an AFAP video 

The problem with the salting and other stuff is that some of these are in a dictionary so it doesn't always work well 

[Tyrosen]

3 minutes ago, IAmLamp said:

Right, but the drawback for that is that the actual user of the account is unable to login. 

Instead of having a the account be locked for Y time, why dont you just have the account locked altogether, only with an unlock by clicking on email link?

[Guest]

3 hours ago, Tyrosen said:

Instead of having a the account be locked for Y time, why dont you just have the account locked altogether, only with an unlock by clicking on email link?

Do you not see the problem with that. 

[Tyrosen]

Just now, IAmLamp said:

Do you not see the problem with that. 

Now that you mention it......

 

but if you ever used steam before, they have that guard thing that is similar to what I'm talking about. Just throwing suggestions out there

[Tyrosen]

that human verification that some sites use when guessing too many times

[Guest]

3 hours ago, Tyrosen said:

Instead of having a the account be locked for Y time, why dont you just have the account locked altogether, only with an unlock by clicking on email link?

I'm not sure how well that works, but I've seen quite a few sites use it. 

 

I wonder how they are able to make it reliable. 

[Tyrosen]

1 minute ago, IAmLamp said:

I'm not sure how well that works, but I've seen quite a few sites use it. 

 

I wonder how they are able to make it reliable. 

Its usually the big websites. The ones who have human resources such as customer support to help when there is failure

[KuJoe]

6 hours ago, IAmLamp said:

Right, but the drawback for that is that the actual user of the account is unable to login. 

True, a good solution would be blocking the IP instead of locking the account but that would just make it easier for brute force attackers. If you choose convenience over security then you'll have an insecure application. A good example of proper brute force detection is the company that handles my retirement accounts will automatically lock the account after 5 invalid attempts and requires me to call or e-mail to unlock it. It's not convenient for me but it guarantees my account will not be compromised by brute force attacks and I'd rather my money by safe than me having access to my account all the time.

 

EDIT: A middle ground solution would be adding a CAPTCHA-type challenge after X number of failed login attempts, but these can be scripted these days also.