[thelist] Prevent dictionary attacks on passwords

Anthony Baratta anthony at baratta.com
Tue Jul 24 10:43:26 CDT 2007


I would log on failures the requesting IP and a time-stamp. If there had been X number of failures over x number of seconds I would "block that IP" for X number of minutes.

Dictionary attacks are normally fast and furious, not slow and deliberate so setting your threshold to 3 failures in 5 seconds would be a good start.

-----Original message-----
From: Bill Moseley moseley at hank.org
Date: Tue, 24 Jul 2007 08:24:38 -0700
To: thelist at lists.evolt.org
Subject: [thelist] Prevent dictionary attacks on passwords

> I have a requirement to relax password validation.  That is, instead
> of requiring mixed letters and digits or mixed case, simple allow any
> string of chars over some length.
> Login is email + password and email addresses would not be that hard
> to find (if you know the organization using the application).  So, my
> concern is dictionary attacks.
> So, one option is to try and track login failures over time and look
> for repeated failed logins.
> The API for login only returns success or failure, so don't know if a
> failed login is due to a wrong password, or due to a wrong email address.
> So, unless the login API is changed would need to track failed logins
> for logins (email addresses) that do not exist.  I generally do not
> like a setup where I have to track any amount of data that gets thrown
> at the application.  Potential DoS if not careful.
> Any suggestions how you might try and track failed logins and/or
> dictionary attacks?
> -- 
> Bill Moseley
> moseley at hank.org

More information about the thelist mailing list