Subject: Re: LUGNET Memberships
Newsgroups: lugnet.people, lugnet.admin.general
Date: Mon, 25 Sep 2000 19:20:41 GMT
Viewed: 6002 times

In lugnet.people, Kevin Loch writes:
> In lugnet.people, Todd Lehman writes:
> > Disable accounts on repeated fails and you make it trivial to DoS someone.
> > Disable IP addresses and you lock out the innocent on shared proxy servers.
>
> Not if you only disable logging in as that user from that IP.

Is there a way to tell if a given IP address is a shared proxy server or not?
If you disable login access as one user from a given IP address, then you
effectively disable login access as _all_ users from that IP address, because
it would be just as trivial to DoS everyone in succession as it would be to
DoS a single person.  In other words, disabling logging in as a user from a
given IP address still locks out the innocent on attacks coming through shared
proxy servers.

> I think a minimum of 6 characters is a good limit.  It's the character
> diversity that is causing problems.

Crack programs use dictionaries.

> Also, you could make failed attempts
> take a few extra seconds to further delay brute force attacks.

I'm kinda wary of that because it is so trivial for a potential attacker to
fork multiple copies of itself and work right around the delay as if it wasn't
even there.  If you delay 3 seconds, then a cracker program just forks extra
copies of itself and works in parallel.  So sleep-delays over HTTP don't count
for much.  On the other hand, a server could probably get around that by
making a password mutex for each IP address, whereupon failure the process who
owns the mutex would delay some number of seconds before releasing the mutex
to the next process.  That way, no HTTP process checking a pw could step
around any other.

> You could even make successful logins take a few extra seconds just for good
> measure.

Cookie == micro-login.  Successful logins have to be as fast as possible.

> BTW, no password is required to post right?

Right.

--Todd
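The per-IP password mutex Todd sketches above, and the shared-proxy lockout problem from the first exchange, as an added example that is not part of the original post (users, IP addresses and timings are constructed; the `LoginGate` class and its helpers are hypothetical names, not LUGNET code):

```python
import hashlib
import hmac
import threading
import time
from collections import defaultdict


def _pw_hash(salt: str, password: str) -> str:
    # Assumption: demo only; a real site would use a slow, salted hash
    # (bcrypt/scrypt/argon2) rather than a single SHA-256 round.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table for the demo: username -> (salt, hash).
USERS = {
    "alice": ("s1", _pw_hash("s1", "correct horse")),
    "bob": ("s2", _pw_hash("s2", "battery staple")),
}


class LoginGate:
    """Password check with a failure delay and an optional (user, IP) lockout.

    serialize=True is the mutex scheme from the post: every check from an IP
    takes that IP's lock, and a failed check keeps the lock while it sleeps,
    so parallel guesses from one IP queue up instead of sleeping side by side.
    serialize=False sleeps without the lock, which N forked crackers walk around.
    """

    def __init__(self, fail_delay=3.0, serialize=True, lockout_after=None):
        self.fail_delay = fail_delay
        self.serialize = serialize
        self.lockout_after = lockout_after
        self._guard = threading.Lock()            # protects _ip_locks
        self._ip_locks = defaultdict(threading.Lock)
        self.failures = defaultdict(int)          # (user, ip) -> failed attempts

    def _ip_lock(self, ip):
        with self._guard:
            return self._ip_locks[ip]

    def _verify(self, user, password):
        rec = USERS.get(user)
        if rec is None:
            _pw_hash("no-such-user", password)    # same cost for unknown users
            return False
        return hmac.compare_digest(_pw_hash(rec[0], password), rec[1])

    def _attempt(self, ip, user, password):
        key = (user, ip)
        if self.lockout_after is not None and self.failures[key] >= self.lockout_after:
            return False                          # locked: even the right password fails
        if self._verify(user, password):
            self.failures[key] = 0
            return True                           # success path never sleeps
        self.failures[key] += 1
        time.sleep(self.fail_delay)               # under the IP lock when serialize=True
        return False

    def login(self, ip, user, password):
        if not self.serialize:
            return self._attempt(ip, user, password)
        with self._ip_lock(ip):
            return self._attempt(ip, user, password)


def parallel_guesses(gate, ip, user, guesses):
    """One thread per guess, all from the same IP (the forked-cracker model).
    Returns (wall-clock seconds, guesses that logged in)."""
    hits = []

    def worker(guess):
        if gate.login(ip, user, guess):
            hits.append(guess)

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    start = time.monotonic()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return time.monotonic() - start, hits


def proxy_lockout_dos(gate, proxy_ip):
    """Attacker behind a shared proxy spends every user's lockout budget from the
    proxy's IP; then an innocent user on the same proxy tries the right password.
    Returns True only if that innocent login still works."""
    for user in USERS:
        for _ in range(gate.lockout_after):
            gate.login(proxy_ip, user, "not-the-password")
    return gate.login(proxy_ip, "alice", "correct horse")


if __name__ == "__main__":
    wrong = ["guess-%d" % i for i in range(6)]
    for serialize in (True, False):
        secs, hits = parallel_guesses(LoginGate(0.1, serialize), "10.0.0.1", "alice", wrong)
        print("serialize=%s: %.2fs for 6 parallel failures, hits=%s" % (serialize, secs, hits))
    print("innocent user behind proxy can log in:",
          proxy_lockout_dos(LoginGate(0.0, lockout_after=3), "192.0.2.7"))
```

With the lock held through the sleep, six parallel wrong guesses from one address take about six delays instead of one, which is the point of the mutex. The same lock also makes a legitimate user behind the attacker's NAT or proxy wait in the same queue, and the lockout run shows the other half of the thread's argument: a (user, IP) lockout keyed on a shared proxy address can be exhausted for every user in turn, after which the innocent user's correct password is refused from that address while it still works from another.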

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR