Brute Force Login

MakeItGraphic
Fast Inserter
Posts: 237
Joined: Sat Jan 06, 2018 7:53 am

Post by MakeItGraphic »

It would be nice if your account locked out after so many attempts. I was essentially able to brute force my account after 13 failed attempts.

I knew my password was a word with a mix of standard keys and alphanumeric keys. From there I just started going down the list of possibilities till it logged me in. I can only imagine the possibilities :twisted:.

Also, the captcha never raised for me, and after a few more failed attempts it goes away altogether and repeats.

Edit: sorry I posted this to the wrong place earlier

Koub
Global Moderator
Posts: 7175
Joined: Fri May 30, 2014 8:54 am

Re: Brute Force Login

Post by Koub »

I'd rather have an increasingly long cooldown between each subsequent try after the first 3 failed.
It would make the brute force impractical without needing any administration ("please help me, my account is locked").
Koub - Please consider English is not my native language.

MakeItGraphic
Fast Inserter
Posts: 237
Joined: Sat Jan 06, 2018 7:53 am

Re: Brute Force Login

Post by MakeItGraphic »

I think cooldowns are a bit dated, security wise, for these types of platforms.

I would have expected:
  • after x amount of failed attempts account is locked
  • email is sent with token id to verify the user (one that expires after a short period)
  • once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
  • once password is changed proceed to login


Administration would only have to be involved if the person forgot, or lost access to their email address. Which at that point without 2FA, I'd say they're pretty SOL.

Edit: I know the security of this forum is based on the limitations of phpBB.

Just a quick google pulls up a similar suggestion to yours which is a cooldown https://coderwall.com/p/sauviq/brute-fo ... ion-in-php based on IP address.

Actually, adding BB to my google result :facepalm: https://www.phpbb.com/community/viewtopic.php?t=1947925 shows the captcha is supposed to be in place to prevent this, but it never prompted for me beyond a notice that you must use the captcha. It was 100% ignorable.
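The lock-then-verify-by-email flow listed in the post above hinges on the e-mail token being short-lived and single-use. The block below is an added example (not phpBB code and not the poster's) of how such a token can be built as an HMAC-signed payload, with the token layout, the `RecoveryTokens` class and the 15-minute lifetime all assumptions of this example rather than anything the thread specifies. Python is used here for illustration even though phpBB itself is PHP.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token survives being pasted into a link
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RecoveryTokens:
    """Issues and verifies short-lived, single-use account-recovery tokens.

    Token layout (assumed for this example, not phpBB's): base64(user|expiry|nonce) "." base64(HMAC-SHA256).
    A real deployment would persist the redeemed nonces in the database instead of a process-local set.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 900):
        self.secret = secret        # server-side key from config; never leaves the server
        self.ttl = ttl_seconds      # "expires after a short period": 15 minutes here
        self._used = set()          # nonces already redeemed, so a token cannot be replayed

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def issue(self, username: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)    # 64 random bits identify this token for single-use tracking
        payload = f"{username}|{now + self.ttl}|{nonce}".encode()
        return _b64(payload) + "." + _b64(self._mac(payload))

    def verify(self, token: str, now=None):
        """Returns the username the token was issued for, or None if it is forged, malformed, expired or reused."""
        now = int(time.time() if now is None else now)
        try:
            p64, m64 = token.split(".")
            payload, mac = _unb64(p64), _unb64(m64)
        except (ValueError, binascii.Error):
            return None
        # Check the MAC first, and in constant time, before trusting anything inside the payload
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None
        try:
            username, expiry, nonce = payload.decode().rsplit("|", 2)
            expiry = int(expiry)
        except ValueError:
            return None
        if now > expiry:
            return None             # expired: the user must request a fresh token
        if nonce in self._used:
            return None             # replay: a token opens the password-reset form exactly once
        self._used.add(nonce)
        return username


if __name__ == "__main__":
    tokens = RecoveryTokens(secrets.token_bytes(32), ttl_seconds=900)
    link_token = tokens.issue("MakeItGraphic")
    print("first use:", tokens.verify(link_token))    # the username
    print("second use:", tokens.verify(link_token))   # None, already redeemed
```

Only after `verify` returns a username should the application show the change-password form, and the password change itself should clear whatever lockout counter triggered the e-mail.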

Koub
Global Moderator
Posts: 7175
Joined: Fri May 30, 2014 8:54 am

Re: Brute Force Login

Post by Koub »

MakeItGraphic wrote:
Tue Jun 09, 2020 10:52 pm
I think cooldowns are a bit dated security wise for these type of platforms.

I would have expected:
  • after x amount of failed attempts account is locked
  • email is sent with token id to verify the user (one that expires after a short period)
  • once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
  • once password is changed proceed to login
I'm no security expert, but I see how this could be abused: just try to brute force ALL accounts, lock them all, and let the shitstorm hit the people who do tech support.
A cooldown is great in that what makes brute forcing viable is the ability to make millions of retries in an eyeblink. Just add a 1 s cooldown, and you'd need one week for a million retries. Add a cumulative 1 s cooldown for each unsuccessful retry, and you'd need some 15k years for 1M attempts.

A cooldown for each unsuccessful authentication should be an efficient anti-bruteforce mechanism, or at least part of any anti-bruteforce solution.
Koub - Please consider English is not my native language.

Oktokolo
Filter Inserter
Posts: 883
Joined: Wed Jul 12, 2017 5:45 pm

Re: Brute Force Login

Post by Oktokolo »

I would opt for three tries and then ten seconds of wait time until the next try. If you can brute force a password under those conditions, the password is crap anyway (you obviously also need some defense against distributed attacks, but that is something that has to be solved before traffic reaches the web server).

People should switch to using a password manager like KeePassXC and use auto-generated random passwords with a length of twenty or more characters. The hardest part really is gaining the knowledge that password managers exist (and by reading this, you already are past that).

There is only one excuse for using weak passwords on the net: The account is disposable!
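Koub's arithmetic above (a fixed 1 s cooldown versus a cumulative one that grows with every failure) and Oktokolo's "three tries, then ten seconds" are two settings of the same mechanism. The block below is an added example, not code from phpBB or from either poster, that computes the attacker's total waiting time for both schemes and implements the throttle with a configurable policy; the class and function names, the per-key bucket and the virtual-clock attacker are assumptions of this example. It is Python rather than phpBB's PHP, and the throttle key can be the account name (to stop dictionary attacks on one account) or the client IP, as the thread discusses both.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def fixed_cooldown_total(failures: int, delay: float) -> float:
    """Seconds an attacker must wait when every failed attempt costs the same delay."""
    return failures * delay


def cumulative_cooldown_total(failures: int, step: float) -> float:
    """Seconds when the k-th failure costs k*step: step * (1 + 2 + ... + failures)."""
    return step * failures * (failures + 1) / 2


@dataclass
class _Bucket:
    failures: int = 0
    next_allowed: float = 0.0


class LoginThrottle:
    """Cooldown state per key (account name, or client IP if you throttle that instead).

    free_attempts: failures that cost nothing
    base_delay:    cooldown in seconds after the first throttled failure
    escalate:      True  -> n-th throttled failure waits n * base_delay (the cumulative cooldown)
                   False -> every throttled failure waits base_delay (three tries, then ten seconds)
    max_delay:     cap, so nobody can be locked out of an account for an unbounded time
    """

    def __init__(self, free_attempts=3, base_delay=10.0, escalate=False, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.escalate = escalate
        self.max_delay = max_delay
        self._buckets = {}

    def retry_after(self, key, now):
        bucket = self._buckets.get(key)
        return 0.0 if bucket is None else max(0.0, bucket.next_allowed - now)

    def attempt(self, key, now, password_ok):
        """Server side of one login. Returns 'throttled', 'failed' or 'ok'."""
        if self.retry_after(key, now) > 0:
            return "throttled"            # reject before the password is even looked at
        if password_ok():
            self._buckets.pop(key, None)  # a successful login clears the counter
            return "ok"
        bucket = self._buckets.setdefault(key, _Bucket())
        bucket.failures += 1
        throttled = bucket.failures - self.free_attempts
        if throttled > 0:
            delay = self.base_delay * (throttled if self.escalate else 1)
            bucket.next_allowed = now + min(delay, self.max_delay)
        return "failed"


def simulate_dictionary_attack(throttle, key, wordlist, correct, start=0.0):
    """Attacker on a virtual clock: tries each word in order, sleeping through cooldowns.
    Returns (found, virtual seconds elapsed, guesses made)."""
    now = start
    guesses = 0
    for guess in wordlist:
        while True:
            result = throttle.attempt(key, now, lambda: guess == correct)
            if result != "throttled":
                break
            now += throttle.retry_after(key, now)   # wait out the cooldown, then retry
        guesses += 1
        if result == "ok":
            return True, now - start, guesses
    return False, now - start, guesses


if __name__ == "__main__":
    million = 1_000_000
    print(f"1 s fixed cooldown, 1M tries: {fixed_cooldown_total(million, 1) / SECONDS_PER_DAY:.1f} days")
    print(f"1 s cumulative cooldown, 1M tries: {cumulative_cooldown_total(million, 1) / SECONDS_PER_YEAR:,.0f} years")
    words = [f"word{i}" for i in range(100)]   # constructed 100-entry wordlist; the password is the last entry
    for name, policy in [("3 tries then 10 s", LoginThrottle(3, 10.0, escalate=False)),
                         ("cumulative 1 s", LoginThrottle(3, 1.0, escalate=True))]:
        found, seconds, n = simulate_dictionary_attack(policy, "MakeItGraphic", words, "word99")
        print(f"{name}: found={found} after {n} guesses, {seconds:.0f} virtual seconds")
```

Two points the simulation makes visible: during a cooldown even the correct password is rejected without being checked (so the throttle cannot be used as a timing oracle), and because the state is keyed per account or per IP, a cooldown is only as good as the attacker's inability to spread the guesses across many keys, which is the distributed case Oktokolo says has to be handled in front of the web server.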

Koub
Global Moderator
Posts: 7175
Joined: Fri May 30, 2014 8:54 am

Re: Brute Force Login

Post by Koub »

I use https://keepass.info/. I admit the fact that it was approved by the ANSSI (the French National IS Security Agency) did play a significant role in my choice, being French myself :P.
Obviously, I agree with Oktokolo.
Koub - Please consider English is not my native language.

MakeItGraphic
Fast Inserter
Posts: 237
Joined: Sat Jan 06, 2018 7:53 am

Re: Brute Force Login

Post by MakeItGraphic »

Koub wrote:
Wed Jun 10, 2020 6:21 am
MakeItGraphic wrote:
Tue Jun 09, 2020 10:52 pm
I think cooldowns are a bit dated security wise for these type of platforms.

I would have expected:
  • after x amount of failed attempts account is locked
  • email is sent with token id to verify the user (one that expires after a short period)
  • once it is verified that the particular user in question indeed did send a request for help redirect to prompt to change password
  • once password is changed proceed to login
I'm no security expert, but I see how this could be abused: just try to brute force ALL accounts, lock them all, and let the shitstorm hit the people who do tech support.
A cooldown is great in that what makes brute forcing viable is the ability to make millions of retries in an eyeblink. Just add a 1 s cooldown, and you'd need one week for a million retries. Add a cumulative 1 s cooldown for each unsuccessful retry, and you'd need some 15k years for 1M attempts.

A cooldown for each unsuccessful authentication should be an efficient anti-bruteforce mechanism, or at least part of any anti-bruteforce solution.
Usually if there is a successful login from a known IP it bypasses the account lockout. If it is originating from a known IP you will receive a security message to your email that suspicious activity has occurred on your account. Then it forces you to change your password, or secure your account.

In any case, I don't think phpBB supports this. Which goes back to cooldown methods, such as by IP or account name. 3 failed logins and a cooldown would prevent dictionary attacks if the cooldown was by account name. Which is what the captcha is supposed to be for.

But like I said before, the captcha never worked for me. That is why I was suggesting other methods.

Oktokolo
Filter Inserter
Posts: 883
Joined: Wed Jul 12, 2017 5:45 pm

Re: Brute Force Login

Post by Oktokolo »

MakeItGraphic wrote:
Wed Jun 10, 2020 11:45 am
Usually if there is a successful login from a known IP it bypasses the account lockout.
If you can try to log in while you (not the account, but your IP) are on lockout, there is no point in having the lockout at all.
The goal is to prevent bruteforcing, not to let the attacker in and then make the user react to that. Successful intrusion might be irrelevant for a gaming site (Blizzard might be of a different opinion though).
But normally, the valuable things are the ability to impersonate the account owner or access personal data. Both can be done after intrusion and before the real owner sets a secure password for the first time.

You can still inform the user about login attempts or successful logins from unusual IP ranges. But never force credential changes because of such statistical data points. It is well known that geolocation doesn't always work how it should, some of us travel a lot, and being able to use the whole net over things like Tor would actually be a nice utopia.
Also, I don't want to generate a new password because some botnet tried to brute the account (and probably all the other accounts too) using hundreds or thousands of IP addresses (no, it would not get in because my passwords are random and loooong, but you can't know for sure that my successful login is not part of the attack).

MakeItGraphic
Fast Inserter
Posts: 237
Joined: Sat Jan 06, 2018 7:53 am

Re: Brute Force Login

Post by MakeItGraphic »

Oktokolo wrote:
Wed Jun 10, 2020 2:53 pm
MakeItGraphic wrote:
Wed Jun 10, 2020 11:45 am
Usually if there is a successful login from a known IP it bypasses the account lockout.
If you can try to login while you (not the account, but your IP) is on lockout, there is no point in having the lockout at all.
The logic isn't going to allow for that at all. If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in. Then it will inform you that these unauthorized addresses have attempted to gain access.

Oktokolo
Filter Inserter
Posts: 883
Joined: Wed Jul 12, 2017 5:45 pm

Re: Brute Force Login

Post by Oktokolo »

MakeItGraphic wrote:
Wed Jun 10, 2020 4:22 pm
If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in.
Most Internet users worldwide don't have a fixed IP. So a huge part of the users have a different IP every day - especially, when logging in from a mobile device. Also, as users get different IPs assigned, the former IP of a user becomes someone else's IP.
And of course only those IPs are locked out which already used up their N tries over a time period.

MakeItGraphic
Fast Inserter
Posts: 237
Joined: Sat Jan 06, 2018 7:53 am

Re: Brute Force Login

Post by MakeItGraphic »

Oktokolo wrote:
Wed Jun 10, 2020 8:00 pm
MakeItGraphic wrote:
Wed Jun 10, 2020 4:22 pm
If an account is seeing x IPs that are not trusted/known IPs attempting to make access to the account then yes it will lock them out. But if you come along to login as the actual user from a normal IP address usually yes it will log you in.
Most Internet users worldwide don't have a fixed IP. So a huge part of the users have a different IP every day - especially, when logging in from a mobile device. Also, as users get different IPs assigned, the former IP of a user becomes someone else's IP.
And of course only those IPs are locked out which already used up their N tries over a time period.
I don't work for google, or the other numerous companies that use these methods. I'm sure you can read about it online somewhere. The logic isn't so black and white. And discussing it is going to continue to be circular on the matter.

All I know in regards to this forum, and the phpBB is that the Brute Force Login prevention method in the Admin Panel of x Amount of failed attempts before captcha rises is not working correctly. As per captcha not actually rising.

Beyond methods outside of phpBB, again, I don't know what that would look like. I was merely trying to make suggestions, not to rouse a debate. My apologies if my information in regards to alternative security methods is lacking; I am simply going based off my day-to-day user experience with the 90% or so of logins I have with various websites.

Whatever the Factorio team choose to do with the information is, and always has been, up to them. I was just trying to bring up the fact that there is an issue with the login system at the current time, with the current implementations made.

I should have just deleted my second response before the EDIT mark and been done with it. And that was 100% my mistake.

In summary this is an issue with the CAPTCHA not working to prevent Brute Force Login attempts on login.
