Brute Force Login
MakeItGraphic (Fast Inserter, Posts: 237, Joined: Sat Jan 06, 2018 7:53 am)
Brute Force Login
It would be nice if your account locked out after so many attempts. I was essentially able to brute force my account after 13 failed attempts.
I knew my password was a word with a mix of standard keys and alphanumeric keys. From there I just started going down the list of possibilities till it logged me in. I can only imagine the possibilities.
Also the captcha never raised for me, and after a few more failed attempts it goes away altogether and repeats.
Edit: sorry I posted this to the wrong place earlier
Re: Brute Force Login
I'd rather have an increasingly long cooldown between each subsequent try after the first 3 failed.
It would make the bruteforce impractical without needing any administration ("please help me my account is locked").
Koub - Please consider English is not my native language.
MakeItGraphic
Re: Brute Force Login
I think cooldowns are a bit dated security wise for these types of platforms.
I would have expected:
- after x amount of failed attempts account is locked
- email is sent with token id to verify the user (one that expires after a short period)
- once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
- once password is changed proceed to login
Administration would only have to be involved if the person forgot, or lost access to their email address. Which at that point without 2FA, I'd say they're pretty SOL.
Edit: I know the security of this forum is based on the limitations of phpBB.
Just a quick Google pulls up a similar suggestion to yours which is a cooldown https://coderwall.com/p/sauviq/brute-fo ... ion-in-php based on IP address.
Actually add BB to my Google result :facepalm: https://www.phpbb.com/community/viewtopic.php?t=1947925 shows the captcha is supposed to be in place to prevent this, but it never prompted for me beyond a notice that you must use captcha. Was 100% ignorable.
Re: Brute Force Login
> MakeItGraphic wrote: ↑Tue Jun 09, 2020 10:52 pm
> I think cooldowns are a bit dated security wise for these types of platforms.
> I would have expected:
> - after x amount of failed attempts account is locked
> - email is sent with token id to verify the user (one that expires after a short period)
> - once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
> - once password is changed proceed to login
I'm no security expert, but I see how this could be abused: just try to bruteforce ALL accounts, lock them all, and let the shitstorm hit people who do tech support.
A cooldown is great in that what makes bruteforcing viable is the ability to make millions of retries in an eyeblink. Just add a 1s cooldown, and you'd need one week for a million retries. Add a cumulative 1s cooldown for each unsuccessful retry, and you'd need in the region of 15k years for 1M attempts.
A cooldown for each unsuccessful authentication should be an efficient anti-bruteforce mechanism, or at least part of any anti-bruteforce solution.
Koub - Please consider English is not my native language.
Re: Brute Force Login
I would opt for three tries and then ten seconds wait time until the next try. If you can brute force a password under those conditions, the password is crap anyway (you obviously also need some defense against distributed attacks - but that is something that has to be solved before traffic reaches the web server).
People should switch to using a password manager like KeePassXC and use auto-generated random passwords with a length of twenty or more characters. The hardest part really is gaining the knowledge that password managers exist (and by reading this, you already are past that).
There is only one excuse for using weak passwords on the net: The account is disposable!
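The two cooldown shapes proposed above (Koub's cumulative one-second cooldown after three failures, Oktokolo's flat ten seconds after three tries) as a per-account throttle, an added example that is not phpBB's code nor any poster's. `seconds_for_attempts` gives the wall-clock time an attacker needs for a given number of guesses against one account under each policy; the class, field and account names are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    free_attempts: int   # failures allowed before any delay (3 in both proposals)
    base_delay: float    # seconds of cooldown imposed by the first throttled failure
    cumulative: bool     # True: the k-th throttled failure imposes k * base_delay


@dataclass
class LoginThrottle:
    """Per-account throttle (hypothetical class): after `free_attempts` failures,
    every further failure must wait out a cooldown before the next attempt is
    evaluated. A successful login clears the counter for that account."""
    policy: Policy
    fails: Dict[str, int] = field(default_factory=dict)         # account -> consecutive failures
    not_before: Dict[str, float] = field(default_factory=dict)  # account -> earliest next attempt

    def delay_after(self, fails: int) -> float:
        """Cooldown imposed once an account has `fails` consecutive failures."""
        over = fails - self.policy.free_attempts
        if over <= 0:
            return 0.0
        return self.policy.base_delay * (over if self.policy.cumulative else 1)

    def attempt(self, account: str, password_ok: bool,
                now: Optional[float] = None) -> Tuple[str, float]:
        """Returns (status, seconds); status is 'ok', 'denied' or 'throttled'."""
        now = time.monotonic() if now is None else now
        wait = self.not_before.get(account, 0.0) - now
        if wait > 0:
            return "throttled", wait          # password is not even checked
        if password_ok:
            self.fails.pop(account, None)
            self.not_before.pop(account, None)
            return "ok", 0.0
        self.fails[account] = self.fails.get(account, 0) + 1
        delay = self.delay_after(self.fails[account])
        self.not_before[account] = now + delay
        return "denied", delay


def seconds_for_attempts(n: int, policy: Policy) -> float:
    """Earliest time (seconds) at which the n-th guess against one account can be made."""
    k = n - policy.free_attempts          # guesses that run into the cooldown
    if k <= 1:
        return 0.0
    if not policy.cumulative:
        return policy.base_delay * (k - 1)
    return policy.base_delay * (k - 1) * k / 2   # 1 + 2 + ... + (k-1) delays
```

With Koub's cumulative policy the millionth guess needs about 5e11 seconds, roughly 15,800 years, while the flat one-second version needs under twelve days.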
Re: Brute Force Login
I use https://keepass.info/. I admit the fact it was approved by ANSSI (the French National IS Security Agency) did play a significant role in my choice, being French myself.
Obviously, I agree with Oktokolo.
Koub - Please consider English is not my native language.
MakeItGraphic
Re: Brute Force Login
> Koub wrote: ↑Wed Jun 10, 2020 6:21 am
> > MakeItGraphic wrote: ↑Tue Jun 09, 2020 10:52 pm
> > I think cooldowns are a bit dated security wise for these types of platforms.
> > I would have expected:
> > - after x amount of failed attempts account is locked
> > - email is sent with token id to verify the user (one that expires after a short period)
> > - once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
> > - once password is changed proceed to login
> I'm no security expert, but I see how this could be abused: just try to bruteforce ALL accounts, lock them all, and let the shitstorm hit people who do tech support.
> A cooldown is great in that what makes bruteforcing viable is the ability to make millions of retries in an eyeblink. Just add a 1s cooldown, and you'd need one week for a million retries. Add a cumulative 1s cooldown for each unsuccessful retry, and you'd need in the region of 15k years for 1M attempts.
> A cooldown for each unsuccessful authentication should be an efficient anti-bruteforce mechanism, or at least part of any anti-bruteforce solution.
Usually if there is a successful login from a known IP it bypasses the account lockout. If it is originating from a known IP you will receive a security message to your email that suspicious activity has occurred on your account. Then it forces you to change your password, or secure your account.
In any case I don't think phpBB supports this. Which goes back to cooldown methods, such as by IP, or account name. 3 failed logins and a cooldown would prevent dictionary attacks if the cooldown was by account name. Which is what the captcha is supposed to be for.
But like I said before, the captcha never worked for me. That is why I was suggesting other methods.
Re: Brute Force Login
> MakeItGraphic wrote: ↑Wed Jun 10, 2020 11:45 am
> Usually if there is a successful login from a known IP it bypasses the account lockout.
If you can try to login while you (not the account, but your IP) is on lockout, there is no point in having the lockout at all.
The goal is to prevent bruteforcing, not to let the attacker in and then make the user react to that. Successful intrusion might be irrelevant for a gaming site (Blizzard might be of a different opinion though).
But normally, the valuable things are the ability to impersonate the account owner or access personal data. Both can be done after intrusion and before the real owner sets a secure password for the first time.
You can still inform the user about login attempts or successful logins from unusual IP ranges. But never force credential changes because of such statistic data points. It is well known that geolocation doesn't always work how it should, some of us travel a lot, and being able to use the whole net over things like TOR would actually be a nice utopia.
Also, I don't want to generate a new password because some botnet tried to brute the account (and probably all the other accounts too) using hundreds or thousands of IP addresses (no, it would not get in because my passwords are random and loooong - but you can't know for sure that my successful login is not part of the attack).
MakeItGraphic
Re: Brute Force Login
> Oktokolo wrote: ↑Wed Jun 10, 2020 2:53 pm
> > MakeItGraphic wrote: ↑Wed Jun 10, 2020 11:45 am
> > Usually if there is a successful login from a known IP it bypasses the account lockout.
> If you can try to login while you (not the account, but your IP) is on lockout, there is no point in having the lockout at all.
The logic isn't going to allow for that at all. If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in. Then it will inform you that these unauthorized addresses have attempted to gain access.
Re: Brute Force Login
> MakeItGraphic wrote: ↑Wed Jun 10, 2020 4:22 pm
> If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in.
Most Internet users worldwide don't have a fixed IP. So a huge part of the users have a different IP every day - especially when logging in from a mobile device. Also, as users get different IPs assigned, the former IP of a user becomes someone else's IP.
And of course only those IPs are locked out which already got their N tries over a time period.
MakeItGraphic
Re: Brute Force Login
> Oktokolo wrote: ↑Wed Jun 10, 2020 8:00 pm
> > MakeItGraphic wrote: ↑Wed Jun 10, 2020 4:22 pm
> > If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in.
> Most Internet users worldwide don't have a fixed IP. So a huge part of the users have a different IP every day - especially when logging in from a mobile device. Also, as users get different IPs assigned, the former IP of a user becomes someone else's IP.
> And of course only those IPs are locked out which already got their N tries over a time period.
I don't work for Google, or the other numerous companies that use these methods. I'm sure you can read about it online somewhere. The logic isn't so black and white. And discussing it is going to continue to be circular on the matter.
All I know in regards to this forum and phpBB is that the Brute Force Login prevention method in the Admin Panel, x amount of failed attempts before the captcha rises, is not working correctly, as the captcha is not actually rising.
Beyond methods outside of phpBB, again I don't know what that would look like; I was merely trying to make suggestions, not rouse up a debate. My apologies if my information in regards to alternative security methods is lacking; I am simply going based off my day to day user experience with the 90% or so of logins I have with various websites.
Whatever the Factorio team chooses to do with the information is, and always has been, up to them. I was just trying to bring up the fact that there is an issue with the login system at the current time, with the current implementations made.
I should have just deleted my second response before the EDIT mark and been done with it. And that was 100% my mistake.
In summary this is an issue with the CAPTCHA not working to prevent Brute Force Login attempts on login.