Avoid brute force attack


    Locking Account

    The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts.

    In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.

    The problems with account lockouts are:

    * An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.

    * Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.

    * An attacker can cause a diversion by locking out many accounts and flooding the help desk with support calls.

    * An attacker can continuously lock out the same account, even seconds after an administrator unlocks it, effectively disabling the account.

    * Account lockout is ineffective against slow attacks that try only a few passwords every hour.

    * Account lockout is ineffective against attacks that try one password against a large list of usernames.

    * Account lockout is ineffective if the attacker is using a username/password combo list and guesses correctly on the first couple of attempts.

    * Powerful accounts such as administrator accounts often bypass lockout policy, but these are the most desirable accounts to attack. Some systems lock out administrator accounts only on network-based logins.

    * Even once you lock out an account, the attack may continue, consuming valuable human and computer resources.

    Account lockout is sometimes effective, but only in controlled environments or in cases where the risk is so great that even continuous DoS attacks are preferable to account compromise. In most cases, however, account lockout is insufficient for stopping brute-force attacks. Consider, for example, an auction site on which several bidders are fighting over the same item.

    If the auction Web site enforced account lockouts, one bidder could simply lock the others' accounts in the last minute of the auction, preventing them from submitting any winning bids. An attacker could use the same technique to block critical financial transactions or e-mail communications.

    Other techniques

    * For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.

    * Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.

    * Use a CAPTCHA to prevent automated attacks.

    * Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
    Last edited by Rekon; 28.04.11, 15:20.
    Girls are like internet domain names: the girls I like are already taken!
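The trade-offs described in the post above, as an added example that is not part of the original post or of any particular product: a small login guard in Python that throttles failed attempts per source address before it touches any per-account state, treats unknown usernames exactly like wrong passwords (so error responses do not leak which accounts exist), supports the optional per-user IP allow-list, and replaces a hard lockout with the "lockdown mode" the post mentions, in which the real owner who presents the correct password still gets in, with limited capabilities, while the failures age out. All users, passwords, addresses and the `LoginGuard` class itself are constructed for this demo; a real deployment would store password hashes and keep the counters in shared storage such as a cache.

```python
"""Constructed example: per-source throttling plus per-account lockdown mode."""
import hmac
import ipaddress
import time
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    password: str  # plaintext only to keep this demo short; store a hash in real code
    allowed_networks: list = field(default_factory=list)  # optional, e.g. ["203.0.113.0/24"]


class LoginGuard:
    """Throttles by source IP and puts an account into a 'lockdown' state instead
    of a hard lockout, so a flood of bad guesses cannot deny the owner access."""

    def __init__(self, users, max_per_source=5, source_window=60,
                 max_per_account=10, account_window=300, clock=time.monotonic):
        self.users = {u.name: u for u in users}
        self.max_per_source, self.source_window = max_per_source, source_window
        self.max_per_account, self.account_window = max_per_account, account_window
        self.clock = clock  # injectable so the demo can advance time deterministically
        self.source_failures = defaultdict(list)   # source ip -> failure timestamps
        self.account_failures = defaultdict(list)  # username  -> failure timestamps

    @staticmethod
    def _recent(stamps, window, now):
        """Drop timestamps older than the window and return how many remain."""
        stamps[:] = [t for t in stamps if now - t < window]
        return len(stamps)

    def in_lockdown(self, username):
        return self._recent(self.account_failures[username],
                            self.account_window, self.clock()) >= self.max_per_account

    def attempt(self, username, password, source_ip):
        now = self.clock()
        # 1. The per-source throttle fires before any per-account state changes,
        #    so a single source cannot drive a victim's account into lockdown alone.
        if self._recent(self.source_failures[source_ip], self.source_window, now) >= self.max_per_source:
            return "throttled"
        user = self.users.get(username)
        # 2. Optional allow-list chosen by the user: other sources are refused outright.
        if user and user.allowed_networks:
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in ipaddress.ip_network(n) for n in user.allowed_networks):
                self.source_failures[source_ip].append(now)
                return "denied"
        # 3. Unknown users take the same path (and a dummy comparison) as wrong
        #    passwords, so the response does not reveal which usernames exist.
        expected = user.password if user else "\x00"
        if user is None or not hmac.compare_digest(expected.encode(), password.encode()):
            self.source_failures[source_ip].append(now)
            if user:  # only real accounts carry lockdown state; unknown names are not stored
                self.account_failures[username].append(now)
            return "denied"
        # 4. Correct password: lockdown limits capabilities rather than refusing entry.
        if self._recent(self.account_failures[username], self.account_window, now) >= self.max_per_account:
            return "ok-limited"
        self.account_failures[username].clear()
        return "ok"


def throttle_demo():
    """Constructed scenario: one source floods 'alice'; then the owners log in."""
    t = [0.0]
    guard = LoginGuard([User("alice", "correct horse"),
                        User("bob", "hunter2", ["203.0.113.0/24"])], clock=lambda: t[0])
    flood = [guard.attempt("alice", f"guess{i}", "198.51.100.7") for i in range(8)]
    owner = guard.attempt("alice", "correct horse", "192.0.2.10")      # unaffected
    bob_wrong_net = guard.attempt("bob", "hunter2", "192.0.2.10")      # outside allow-list
    bob_ok = guard.attempt("bob", "hunter2", "203.0.113.42")           # inside allow-list
    unknown = guard.attempt("nobody", "x", "192.0.2.11")               # same text as a bad password
    return flood, owner, bob_wrong_net, bob_ok, unknown


def lockdown_demo():
    """Constructed scenario: distributed guessing from ten sources triggers lockdown."""
    t = [0.0]
    guard = LoginGuard([User("alice", "correct horse")], clock=lambda: t[0])
    for i in range(10):
        guard.attempt("alice", "wrong", f"198.51.100.{i + 1}")
    during = guard.attempt("alice", "correct horse", "192.0.2.10")  # owner still gets in, limited
    t[0] += 301  # failures age out of the 300 s account window
    after = guard.attempt("alice", "correct horse", "192.0.2.10")   # full access restored
    return during, after


if __name__ == "__main__":
    print(throttle_demo())
    print(lockdown_demo())
```

The order of the checks is the point: throttling the source first means the attacker in the post's auction scenario is cut off after a handful of guesses from one address, and even a distributed attack that reaches the account threshold only degrades the real owner's session instead of locking it, so there is nothing to unlock and nothing for the help desk to do.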