Focus on Linux
Re: Detecting Brute-Force and Dictionary attacks Nov 13 2006 07:35PM
Esteban Ribičić (kisero gmail com)
I don't think length would work, as most passwords are 7 or 8
characters; if you say more than two characters, that is a vague assumption,
the number of tries you can perform is huge!

My suggestion is check the referer header, send a cookie with a token and
track delta times between tries ... brute force many times relies not
on password cracking, many times it's user as well...

Having monitored the number of logins is a common practice to fire
alarms to NOC guys...

My 5p

On 11/11/06, Christian Jonassen <flyrev (at) gmail (dot) com [email concealed]> wrote:
> Hi
>
> What if you store the lengths of the passwords instead? With a typo
> they won't be off by more than perhaps one or two characters, but with
> a brute force or dictionary attack they would be way off. Another
> idea might be to have a dictionary list, and see if any of the tried
> passwords is a dictionary word. For the users, there would be rules
> against having dictionary words as passwords, and one could implement
> the same principle there: If the chosen password matches a dictionary
> word, a no-no message is what you get. In the case that the attacker
> knows the password policies (if it's an open system where everyone can
> register, for instance), at least you have gotten rid of dictionary
> attacks for good.
>
> Best regards
> Christian J
>
> On 11/9/06, fabio <ctrlaltca (at) libero (dot) it [email concealed]> wrote:
> > The idea is simple and good, but there's a problem in its
> > implementation: usually modern systems don't compare the password you
> > write with the saved password; instead, they compare a hash of your
> > password attempt with the saved hash of your current password. By
> > design, two similar strings have strongly different hashes. So you can't
> > compare two hashes and say if they correspond to two similar words.
> > Greets,
> > Fabio
> >
> >
> >
> > Sebastiaan Veenstra wrote:
> > > Hi,
> > >
> > > I didn't read the whole discussion about this issue but I came up with
> > > an idea which might be useful to detect brute force attempts. By
> > > storing the passwords a certain user has used in the past along with
> > > the current password you could be able to compare the password (by
> > > pattern matching) used at the login attempts with the password list.
> > > If the password used differs significantly (this excludes typos) from
> > > the entries in the password list, there could be a possible brute
> > > force attempt. The reason for storing the previous passwords is that
> > > people tend to use every password they've used in the past when they
> > > forgot their password. Maybe this idea can be used along with the
> > > other methods of detecting brute force attempts. Anyway, it's just a
> > > random thought.
> > >
> > > Greets,
> > >
> > > Sebastiaan
> > >
> >
> >
>

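Two points from this thread, as an added example that is not part of any poster's message: Fabio's observation that hashed passwords cannot be compared for similarity (a one-character difference flips about half of the digest bits, so a typo-tolerant check would need the plaintext, which the system only sees at login time), and Esteban's suggestion of tracking the gaps between failed attempts per account. The login events, the threshold values and the function names are constructed assumptions for illustration.

```python
import hashlib
import statistics
from collections import defaultdict

def digest_bit_distance(a: str, b: str) -> int:
    """Bits that differ between the SHA-256 digests of two strings.
    Even a one-character typo flips roughly half of the 256 bits, so the
    stored hash carries no usable similarity information."""
    da = hashlib.sha256(a.encode()).digest()
    db = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between plaintexts: the similarity measure the
    thread's typo-vs-guess idea would need (only available before hashing)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed failed-login events: (unix time, account). Not real data.
FAILED_LOGINS = [
    (1000.0, "alice"), (1012.5, "alice"),               # human retrying a typo
    (1000.0, "bob"), (1000.3, "bob"), (1000.6, "bob"),
    (1000.9, "bob"), (1001.2, "bob"), (1001.5, "bob"),  # scripted guessing
]

def flag_rapid_failures(events, min_attempts=5, max_median_delta=1.0):
    """Per-account check on inter-attempt timing (Esteban's delta-time idea):
    many failures with a small median gap between them run at machine speed.
    Thresholds are assumed values; tune them to the service's real users."""
    by_account = defaultdict(list)
    for ts, account in sorted(events):
        by_account[account].append(ts)
    flagged = {}
    for account, times in by_account.items():
        if len(times) < min_attempts:
            continue
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        median = statistics.median(deltas)
        if median <= max_median_delta:
            flagged[account] = round(median, 2)
    return flagged
```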