Subject: Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: lugnet.admin.general
Date: Sun, 23 Apr 2000 20:02:58 GMT
Viewed: 3596 times
In lugnet.admin.general, Richard Franks writes:
> Maybe I'm just miffed because it failed *all* of the passwords I use? :)
Are there any that it gave between 0% and 100% to? (i.e., not < 0% ?)
> [...]
> Just out of curiousity - would LUGNET allow brute-force or trial and error
> attacks? Something like sending an email warning after 3 fails, then locking
> the account for 24 hours after 5 fails would somewhat negate the danger of
> those types of attacks?
Eeek -- no! -- locking people out on a failed login attempt would certainly
negate the danger of a brute-force attack, but it would make an entirely
new type of attack (an even worse one!) possible. Consider:
    $url = <URL of member sign-in page>
    foreach $m (1..1000)        # Loop over all members
    {
        foreach (1..5)          # Attack each member 5 times
        {
            $pw = <generate random nonsense>
            <HTTP POST to $url with $m and $pw>
        }
    }
--Todd
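The trade-off Todd describes, as an added simulation that is not part of the thread and not LUGNET's sign-in code: a service that locks an account after 5 bad passwords (Richard's proposal) lets one client refuse service to every member, while counting failures per client address and backing off exponentially keeps members' access intact and still cuts the number of guesses an attacker gets checked. The member names, passwords, addresses and the backoff constants are constructed for the example.

```python
"""Compare two failure policies for a sign-in endpoint. Example code with
constructed sample data; it models no real site's implementation."""
import hashlib
import secrets
from collections import defaultdict

LOCK_THRESHOLD = 5           # failures per account before a 24h lock (thread proposal)
LOCK_SECONDS = 24 * 3600
THROTTLE_AFTER = 3           # failures per client address before backoff starts (assumed)
PBKDF2_ROUNDS = 10_000       # kept low so the simulation runs quickly
DUMMY_SALT = bytes(16)       # used for unknown members so timing does not reveal them


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    """policy is 'account_lockout' (lock the member after LOCK_THRESHOLD bad
    passwords) or 'source_throttle' (never lock the member; make the client
    address that keeps failing wait 2**(n-THROTTLE_AFTER) seconds)."""

    def __init__(self, policy, users):
        self.policy = policy
        self.creds = {}
        for uid, pw in users.items():
            salt = secrets.token_bytes(16)
            self.creds[uid] = (salt, hash_pw(pw, salt))
        self.account_failures = defaultdict(int)
        self.account_locked_until = {}
        self.source_failures = defaultdict(int)
        self.source_blocked_until = {}
        self.evaluated = 0   # number of password guesses the service actually checked

    def _check(self, uid, password):
        self.evaluated += 1
        salt, digest = self.creds.get(uid, (DUMMY_SALT, b""))
        return secrets.compare_digest(hash_pw(password, salt), digest)

    def login(self, uid, password, source, now):
        if self.policy == "account_lockout":
            if self.account_locked_until.get(uid, 0) > now:
                return "locked"          # refused even if the password is right
            if self._check(uid, password):
                self.account_failures[uid] = 0
                return "ok"
            self.account_failures[uid] += 1
            if self.account_failures[uid] >= LOCK_THRESHOLD:
                self.account_locked_until[uid] = now + LOCK_SECONDS
            return "fail"
        # source_throttle: the member's own access is never locked
        if self.source_blocked_until.get(source, 0) > now:
            return "throttled"
        if self._check(uid, password):
            return "ok"
        self.source_failures[source] += 1
        n = self.source_failures[source]
        if n >= THROTTLE_AFTER:
            self.source_blocked_until[source] = now + 2 ** (n - THROTTLE_AFTER)
        return "fail"


def simulate(policy):
    """Run the loop from the message (one client, every member, 5 nonsense
    passwords each), then let every member sign in correctly a minute later."""
    users = {f"member{i}": f"brick-{i}-pass" for i in range(1, 11)}   # constructed
    svc = AuthService(policy, users)
    now = 0.0
    for uid in users:
        for _ in range(LOCK_THRESHOLD):
            svc.login(uid, secrets.token_hex(8), "203.0.113.9", now)
            now += 0.01
    attacker_evaluated = svc.evaluated
    legit = [svc.login(uid, users[uid], f"192.0.2.{i}", now + 60)
             for i, uid in enumerate(users, 1)]
    return {"legit_ok": legit.count("ok"),
            "legit_refused": len(legit) - legit.count("ok"),
            "attacker_evaluated": attacker_evaluated}


if __name__ == "__main__":
    for policy in ("account_lockout", "source_throttle"):
        print(policy, simulate(policy))
```

With account lockout, all ten members are refused after the attacker's 50 nonsense passwords were all checked; with the per-source backoff, every member signs in and only the first three guesses from the offending address were ever evaluated. A source-based throttle has its own caveats a practitioner should weigh: many members behind one proxy or NAT share a source, and an attacker with many addresses dilutes the count, so real deployments usually combine it with per-account slow-down that delays rather than refuses, plus the e-mail warning Richard mentions so members see the attempts.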