[thelist] Prevent dictionary attacks on passwords

Anthony Baratta anthony at baratta.com
Tue Jul 24 10:43:26 CDT 2007


Bill...

On failures, I would log the requesting IP and a time-stamp. If there had been X number of failures over x number of seconds, I would "block that IP" for X number of minutes.

Dictionary attacks are normally fast and furious, not slow and deliberate, so setting your threshold to 3 failures in 5 seconds would be a good start.

-----Original message-----
From: Bill Moseley moseley at hank.org
Date: Tue, 24 Jul 2007 08:24:38 -0700
To: thelist at lists.evolt.org
Subject: [thelist] Prevent dictionary attacks on passwords

> I have a requirement to relax password validation.  That is, instead
> of requiring mixed letters and digits or mixed case, simply allow any
> string of chars over some length.
> 
> Login is email + password and email addresses would not be that hard
> to find (if you know the organization using the application).  So, my
> concern is dictionary attacks.
> 
> So, one option is to try and track login failures over time and look
> for repeated failed logins.
> 
> The API for login only returns success or failure, so don't know if a
> failed login is due to a wrong password, or due to a wrong email address.
> So, unless the login API is changed would need to track failed logins
> for logins (email addresses) that do not exist.  I generally do not
> like a setup where I have to track any amount of data that gets thrown
> at the application.  Potential DoS if not careful.
> 
> Any suggestions how you might try and track failed logins and/or
> dictionary attacks?
> 
> -- 
> Bill Moseley
> moseley at hank.org
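
The threshold scheme Anthony describes (log the requesting IP and a time-stamp on each failure, block that IP once there have been X failures within x seconds), worked through as an added example in Python. This is not code from the thread or from either poster; the class and function names, the parameters, the user store and the sample attempts are all constructed for illustration. It keys the counters on IP only, since the login API reports nothing but success or failure, and it caps the number of addresses it remembers (evicting the least recently seen) so that the tracking store itself cannot be grown without bound, which is the DoS concern Bill raises.

```python
import hashlib
import hmac
import time
from collections import OrderedDict, deque


class LoginThrottle:
    """Sliding-window failed-login throttle keyed by client IP (hypothetical helper).

    max_failures failures within window_seconds block the IP for block_seconds.
    At most max_tracked addresses are remembered; the least recently seen is
    evicted first, so spraying source addresses cannot exhaust memory.
    """

    def __init__(self, max_failures=3, window_seconds=5.0, block_seconds=900.0,
                 max_tracked=10_000, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self.max_tracked = max_tracked
        self._clock = clock
        self._failures = OrderedDict()   # ip -> deque of failure timestamps, LRU order
        self._blocked = {}               # ip -> timestamp at which the block expires

    def _now(self, now):
        return self._clock() if now is None else now

    def is_blocked(self, ip, now=None):
        now = self._now(now)
        until = self._blocked.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked[ip]        # block has expired; forget it
            return False
        return True

    def record_failure(self, ip, now=None):
        """Log one failed attempt. Returns True if the IP is (now) blocked."""
        now = self._now(now)
        if self.is_blocked(ip, now):
            return True
        dq = self._failures.get(ip)
        if dq is None:
            if len(self._failures) >= self.max_tracked:
                self._failures.popitem(last=False)   # evict least recently seen IP
            dq = deque()
        else:
            self._failures.move_to_end(ip)
        self._failures[ip] = dq
        dq.append(now)
        cutoff = now - self.window_seconds
        while dq and dq[0] < cutoff:
            dq.popleft()                             # drop failures outside the window
        if len(dq) >= self.max_failures:
            self._blocked[ip] = now + self.block_seconds
            del self._failures[ip]
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)                 # a good login resets the count


# Constructed user store: email -> (salt, PBKDF2 hash). Not real credentials.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

_SALT = b"constructed-salt"
USERS = {"alice@example.org": (_SALT, _pbkdf2("correct horse", _SALT))}


def _authenticate(email, password):
    """Success/failure only, like the API Bill describes: unknown account and
    wrong password are indistinguishable to the caller."""
    entry = USERS.get(email)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _pbkdf2(password, salt))


def attempt_login(throttle, ip, email, password, now=None):
    """Returns "blocked", "ok" or "fail" for one login attempt from ip."""
    if throttle.is_blocked(ip, now):
        return "blocked"                 # refused before credentials are checked
    if _authenticate(email, password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip, now)
    return "fail"


# Constructed sample traffic (seconds since start, ip, email, password).
SAMPLE_ATTEMPTS = [
    (0.0,   "203.0.113.7",   "alice@example.org",  "password"),
    (0.4,   "203.0.113.7",   "alice@example.org",  "letmein"),
    (0.9,   "203.0.113.7",   "alice@example.org",  "qwerty"),        # 3rd failure in <5s: block
    (1.3,   "203.0.113.7",   "alice@example.org",  "correct horse"), # right password, still blocked
    (2.0,   "198.51.100.20", "nobody@example.org", "password"),      # unknown account counts too
    (40.0,  "198.51.100.20", "alice@example.org",  "password"),      # slow: outside the window
    (80.0,  "198.51.100.20", "alice@example.org",  "correct horse"), # never tripped, succeeds
    (901.0, "203.0.113.7",   "alice@example.org",  "correct horse"), # block expired, succeeds
]


def run_sample():
    """Replay SAMPLE_ATTEMPTS with an explicit clock; returns the decisions."""
    throttle = LoginThrottle(max_failures=3, window_seconds=5.0, block_seconds=900.0)
    return [attempt_login(throttle, ip, email, pw, now=t)
            for t, ip, email, pw in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for (t, ip, email, _), result in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(f"t={t:6.1f} {ip:14} {email:18} -> {result}")
```

The "correct horse" attempt at t=1.3 is refused even though the password is right: the block is on the IP, not on the credentials, which is what makes the scheme cheap to evaluate before any password hashing happens. Time is passed explicitly so the replay is deterministic; in a real application the clock default is used.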
