[thelist] Prevent dictionary attacks on passwords

Anthony Baratta anthony at baratta.com
Tue Jul 24 11:34:00 CDT 2007


I would store this info in a DB Table. And run a nightly or hourly query to clean out data, depending on load.

I would suggest you also track bad account names. This will help you identify dictionary attacks and other nefarious deeds being attempted as they happen. Don't just focus on the good accounts.

I'd also lock by requesting IP - granted that will close out legitimate people behind large proxies like AOL, but if you have a reasonable unlock time-period and an admin screen to clear a lock manually - then you should be fine.

-----Original message-----
From: Bill Moseley moseley at hank.org
Date: Tue, 24 Jul 2007 09:04:15 -0700
To: "thelist at lists.evolt.org" thelist at lists.evolt.org
Subject: Re: [thelist] Prevent dictionary attacks on passwords

> On Tue, Jul 24, 2007 at 08:43:26AM -0700, Anthony Baratta wrote:
> > 
> > I would log on failures the requesting IP and a time-stamp. If there
> > had been X number of failures over x number of seconds I would
> > "block that IP" for X number of minutes.
> 
> Where would you store and access that information?  I was thinking of
> Memcached, but that opens up a way for an attacker to fill my cache.
> 
> I might need to alter the login API so that I can tell if the failure
> was due to a bad email address or just the wrong password for a valid
> email.  That way I'm not tracking accounts that do not exist.
> 
> > Dictionary attacks are normally fast and furious, not slow and
> > deliberate so setting your threshold to 3 failures in 5 seconds
> > would be a good start.
> 
> Yes, that makes it easier.  I can just increment a counter for an
> address if its timestamp was within the last few seconds, otherwise
> set it to one if longer than five seconds.  And if the count gets
> large then lock the account.
> 
> 
> -- 
> Bill Moseley
> moseley at hank.org
> 
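The scheme discussed in this thread (log each failure with its IP and timestamp in a database table, lock the IP after 3 failures within 5 seconds, keep a record of bad account names, give an admin a way to clear a lock by hand, and sweep old rows with a periodic job) is shown below as a worked example. This is added illustration code, not code from Anthony, Bill or the list; it uses an in-memory sqlite3 database to stand in for the site's real database, takes the clock as a parameter so the window logic is testable, and the IP addresses and account names in the demo are constructed.

```python
"""Failed-login tracking with a per-IP lock, backed by a SQL table.

Assumptions (not from the thread): sqlite3 stands in for the production
database, and callers pass ``now`` (Unix seconds) instead of reading the
wall clock, so the same code runs deterministically in tests.
"""
import sqlite3

WINDOW_SECONDS = 5              # "3 failures in 5 seconds", per the thread
MAX_FAILURES = 3
LOCK_SECONDS = 15 * 60          # "X number of minutes"; 15 is a placeholder choice
RETENTION_SECONDS = 24 * 3600   # failures older than this are swept by the cleanup job


class LoginGuard:
    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE IF NOT EXISTS login_failure (
                ip      TEXT    NOT NULL,
                account TEXT    NOT NULL,
                known   INTEGER NOT NULL,   -- 1 = account exists, 0 = bad account name
                ts      REAL    NOT NULL
            );
            CREATE INDEX IF NOT EXISTS login_failure_ip_ts ON login_failure(ip, ts);
            CREATE TABLE IF NOT EXISTS ip_lock (
                ip           TEXT PRIMARY KEY,
                locked_until REAL NOT NULL
            );
        """)

    def is_locked(self, ip, now):
        """True while an unexpired lock exists for this address."""
        row = self.conn.execute(
            "SELECT locked_until FROM ip_lock WHERE ip = ?", (ip,)).fetchone()
        return row is not None and row[0] > now

    def record_failure(self, ip, account, account_exists, now):
        """Log one failed attempt; return True if this attempt tripped the lock.

        The login code tells us whether the account exists (Bill's point about
        altering the login API) so bad names can be counted separately.
        """
        self.conn.execute(
            "INSERT INTO login_failure (ip, account, known, ts) VALUES (?, ?, ?, ?)",
            (ip, account, 1 if account_exists else 0, now))
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM login_failure WHERE ip = ? AND ts > ?",
            (ip, now - WINDOW_SECONDS)).fetchone()
        tripped = count >= MAX_FAILURES
        if tripped:
            self.conn.execute(
                "INSERT OR REPLACE INTO ip_lock (ip, locked_until) VALUES (?, ?)",
                (ip, now + LOCK_SECONDS))
        self.conn.commit()
        return tripped

    def bad_account_names(self, ip, since):
        """Distinct nonexistent account names tried from ip after ``since``.

        A long list here is the dictionary / enumeration signal Anthony
        suggests watching for, independent of whether any real account got hit.
        """
        rows = self.conn.execute(
            "SELECT DISTINCT account FROM login_failure "
            "WHERE ip = ? AND known = 0 AND ts > ? ORDER BY account",
            (ip, since)).fetchall()
        return [r[0] for r in rows]

    def unlock(self, ip):
        """The admin-screen action: clear a lock by hand (e.g. a shared proxy)."""
        self.conn.execute("DELETE FROM ip_lock WHERE ip = ?", (ip,))
        self.conn.commit()

    def cleanup(self, now):
        """The nightly/hourly job: drop stale failures and expired locks.
        Returns the number of failure rows removed."""
        cur = self.conn.execute("DELETE FROM login_failure WHERE ts < ?",
                                (now - RETENTION_SECONDS,))
        self.conn.execute("DELETE FROM ip_lock WHERE locked_until <= ?", (now,))
        self.conn.commit()
        return cur.rowcount


def demo():
    """Constructed scenario: three quick failures from one address lock it."""
    guard = LoginGuard()
    ip = "203.0.113.7"   # documentation-range address, constructed for the demo
    results = [guard.record_failure(ip, name, exists, t) for name, exists, t in
               [("alice", True, 1000.0), ("bob", False, 1001.0), ("carol", False, 1002.0)]]
    return results, guard.is_locked(ip, 1003.0), guard.bad_account_names(ip, 0)


if __name__ == "__main__":
    print(demo())
```

The lock is keyed on the IP rather than the account, as Anthony proposes, so a run of guesses against many different (possibly nonexistent) accounts still trips it; the `known` column is what lets you report bad account names separately instead of tracking them as if they were real accounts.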