To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.peopleOpen lugnet.people in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 People / 1082
1081  |  1083
Subject: 
 Password checks (was: Re: LUGNET Memberships)
Newsgroups: 
 lugnet.people, lugnet.admin.general
Date: 
 Mon, 25 Sep 2000 23:17:45 GMT
Viewed: 
 6811 times
  
In lugnet.people, Kevin Loch writes:
Um, yes I know that. It's also possible to generate "human random"
dictionaries that speed up brute force of "strong" passwords where
users are forced within certain limits.  BTW, I wonder what the keyspace
is of all (8 chars and less as typical) LUGNET filter approved
passwords is?  Remember the more you restrict the keyspace the less
secure it is mathematically.

http://news.lugnet.com/admin/general/?n=5788


[...] On the other hand, a server could probably get around that by
making a password mutex for each IP address, whereupon failure the process
who owns the mutex would delay some number of seconds before releasing the
mutex to the next process.  That way, no HTTP process checking a pw could
step around any other.

Problem solved (login locking).

I'm very tempted to head in that direction.  Even not relaxing the strictness
of the validator, I think it would be wise.


cookie=no dely, unless you are concerned with people hacking cookie/ip pairs.

Cooking hacking is the logical place for crackers to focus since it's easy
to make the HTTP logs look less un-normal than ten thousand hits all on the
same URL.

BTW, what is cookie/ip pair?


but successful user/pw login should be delayed exactly the same as user/pw
failiure.

Why delay successful logins?  I thought the only thing that's important is
that the failures take the same amount of time (or a random amount of time).
If two failures take a different amount of time proportional to something like
the matching portion (some old systems long ago did this) people can exploit
that, but what could be exploited by not delaying on a successful attempt?
You can't not give some sort of positive feedback to the user upon success.


If you really wanted to be slick, drop successful and unsuccessful
logins into the homepage with no indication of login status.  Give successful
and unsuccessful logins similar cookies.  Of course that would impact
the user experience so you wouldn't do that :)

That would bad for users, ya.

--Todd



Message has 1 Reply:
  Re: Password checks (was: Re: LUGNET Memberships)
 
(...) The BrickShelf uses the cookie returned *and* the ip address that the cookie was issued to for reauthenticate login. Nobody has complained about loosing login yet via multiple proxies (i.e. aol). Also, cookies can be made *much* more difficult (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)

Message is in Reply To:
  Re: LUGNET Memberships
 
(...) Um, yes I know that. It's also possible to generate "human random" dictionaries that speed up brute force of "strong" passwords where users are forced within certain limits. BTW, I wonder what the keyspace is of all (8 chars and less as (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)

113 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    
Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR