
Telco_Tech

join:2009-05-18
Toledo, OH

What I don't understand...

...is why there are no "cool down" mechanisms built into authentication systems that are susceptible to dictionary and brute-force attacks. It seems to me that forcing even a five second delay in between incorrect authentication attempts would take years to crack on a reasonably strong password.

What am I missing here?

- Tate

--
It's time to let go of TDM people. If it's not IP-based, it's crap!



fifty nine

join:2002-09-25
Sussex, NJ
kudos:2

said by Telco_Tech:

...is why there are no "cool down" mechanisms built into authentication systems that are susceptible to dictionary and brute-force attacks. It seems to me that forcing even a five second delay in between incorrect authentication attempts would take years to crack on a reasonably strong password.

What am I missing here?

- Tate

Unix OSes do precisely that.

Necronomikro

join:2005-09-01
reply to Telco_Tech

Sometimes, you're working with a hash, and there cannot be a cooldown for such a thing - if you have the hash.

It's possible that one could sniff out packets and try to decrypt them, looking for standard packet information, bypassing any cooldown system.

An auto-rolling system would fix that, however...


Lazlow

join:2006-08-07
Saint Louis, MO

1 edit
reply to Telco_Tech

You do not need to be online with the router to test the system. You can passively "capture" the encryption (at this point you have no idea what it contains) and then feed that into the cloud.

Edit: From the link

"WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords."
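Necronomikro's point about working from a captured hash and Lazlow's point about feeding a passive capture to a cluster come down to the same thing: once the handshake is recorded, the access point's login delay is out of the loop, and the only cost per guess is the key derivation itself. The following is an added example (not code from the thread or from the WPA Cracker service) that derives a WPA2-Personal PSK with the standardized PBKDF2-HMAC-SHA1 construction (4096 iterations, SSID as salt), measures the cost of one derivation on the local machine, and puts the thread's own figures (a five second online delay, a 135 million word dictionary, 400 CPUs) side by side. The SSID `ExampleSSID` and the `sample-N` strings used for timing are constructed inputs.

```python
"""Online cooldown vs offline key derivation cost for a captured WPA2 handshake.

Added example, not from the thread. The PSK derivation is the one standardized
for WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
"""
import hashlib
import time


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA2 pre-shared key and return it as hex."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)
    return key.hex()


def seconds_per_guess(iterations: int = 4096, samples: int = 20) -> float:
    """Measure how long one PSK derivation takes here; this is the attacker's cost per
    dictionary word once the handshake is captured, since no server is involved."""
    start = time.perf_counter()
    for i in range(samples):
        # Constructed passphrase/SSID pair; only the timing matters.
        hashlib.pbkdf2_hmac("sha1", f"sample-{i}".encode(), b"ExampleSSID", iterations, dklen=32)
    return (time.perf_counter() - start) / samples


def dictionary_time_hours(words: int, seconds_each: float, cores: int = 1) -> float:
    """Wall-clock hours to try every word once at the given per-guess cost across cores."""
    return words * seconds_each / cores / 3600


def online_vs_offline(words: int = 135_000_000, online_delay: float = 5.0, cores: int = 400) -> dict:
    """Compare the thread's 5 s online cooldown with offline derivation on 1 and 400 CPUs."""
    per_guess = seconds_per_guess()
    return {
        "online_hours_with_5s_delay": dictionary_time_hours(words, online_delay),
        "offline_hours_single_cpu": dictionary_time_hours(words, per_guess),
        "offline_hours_400_cpu": dictionary_time_hours(words, per_guess, cores),
        "measured_seconds_per_guess": per_guess,
    }


if __name__ == "__main__":
    # Known 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE"))
    for name, value in online_vs_offline().items():
        print(f"{name}: {value:,.2f}")
```

The takeaway for a defender is that the 4096-iteration work factor and the passphrase's entropy are the only parameters that bound an offline attack; an online lockout, however strict, changes nothing once the handshake has left the air. Treat the dictionary-time figures as the risk estimate they are: a passphrase that appears in a wordlist falls in hours, one that does not is untouched by the dictionary regardless of cluster size.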


cornelius785

join:2006-10-26
Worcester, MA
reply to fifty nine

Well... yes and no. For someone banging away at the keyboard trying to brute-force, then yes, there is a delay. For someone with a program that creates MANY SSH connections every second, each trying a different password, then no. You'll need to: limit the number of connections from a particular IP address to SSH, and block the IP after X number of failed logins/usernames.

I've seen in the past where some IP address will try hundreds of usernames (or passwords) for an SSH connection or FTP connection.


Lazlow

join:2006-08-07
Saint Louis, MO

Fail2ban is one program commonly used to block multiple login attempts from one IP. You can set how many attempts trigger it and how long they are banned for (typically 5 attempts gets you blocked for 24 hrs).

However with more and more remote zombies out there even that will not work. If you have 100,000 IPs that can each try 5 passwords a day, it will not take long to find the password.



james1

join:2001-02-26
reply to Telco_Tech

said by Telco_Tech:

What am I missing here?
Only the whole point of the article apparently.


Telco_Tech

join:2009-05-18
Toledo, OH

1 edit

said by james1:

Only the whole point of the article apparently.
EDIT: Screw it. I'm not even going to bother with you.

- Tate

--
It's time to let go of TDM people. If it's not IP-based, it's crap!


james1

join:2001-02-26

said by Telco_Tech:

Screw it. I'm not even going to bother with you.
heeheee. I take it back, you're smarter than I thought.
--
said by Metatron2008:

But people who download thousands of movies and games.... Yes, they are as bad as any murderer