tags:

views:

747

answers:

7

Recently i read an article is about prevent brute-force attack. It said that automatically disabling user accounts is a poor security mechanism to fight a dictionary attack. In the first place, If an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. In the second place, because this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like “password”. A hacker using a dictionary attack could try “password” for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system will only register one incorrect login per account.

Can anyone give me some suggestions to make the disable account more secure ?

+1  A: 

Force stronger passwords. It's not fool-proof, but it's better than locking out a user.

geowa4
+1  A: 

Try to use a CAPTCHA to check if it is a human or a bot that is trying to login, after three incorrect login attempts.

Alan Haggai Alavi
software can almost read captchas better than i can...
geowa4
I mean, harder, noisy CAPTCHAs.
Alan Haggai Alavi
use reCAPTCHA, its free, more secure than most captchas and helps a great cause.
Keivan
+2  A: 

Locking an account after a few attempts makes brute forcing ineffective for a given account. That alone is a huge advantage over not having it.

Locking out an IP after a few login attempts render the brute-forcing-usernames attack ineffective (unless you are up against a bot-net or similarly complex attacker, for example). Having that is better than not.

Edit: When I say "locking an account", I am referring to a short period of time (30 seconds then 1 minute then 2 minutes then 4 minutes then 8 minutes etc...)

I also cannot stand when you have to "Call customer support for help" when you are trying to get something done.

gahooa
locking out a user is annoying to those who have been locked out. *first-hand experience*
geowa4
Do you mean that after the first failed login attempt, for example, the response would be delayed by 30 second. After the second failed attempt, the response would be delayed by 1 minutes, and so on ?
Yes, you accommodate the user by not "freezing their account" -- just delay login for an increasing number of seconds per each failed attempt.
gahooa
+1  A: 

What about doing something like gmail. If you miss x times, then you must enter a captcha.

Macarse
A: 

I have seen a few website that don't block you permanently but block you for a set period if you try to bruit force. actually that's what windows does too, try entering your windows password wrong for a few times and your computer will freeze for a minute or so.

Keivan
A: 

It's important to remember that security measures aren't intended to keep the bad guys out, they're just ways of making it harder (hopefully NP Hard) for the bad guys to get in... a state-of-the-art tripple-tumber door won't keep out a burglar who knows how to lift roof tiles, or a pyscho with a bomb belt.

I admit: I hadn't thought of the 30 minute retry --> permanent user lockout --> denial of service attack angle... In my world a password lockout is permanent until a sysadmin "manually" reenables the account. That seems to work for us.

As gahooa already stated, possibly the best approach, if you can work-out how to do it, would be to black-list the originating IP address for any detected bot activity.

As Alan already stated, a human-only-readable gate is one practical (almost standard these days) way of keeping the bots out of your living-room.

Cheers. Keith.

corlettk
+2  A: 

A few ideas:

  1. You can keep a history of the IP address(es) that have historically been used to login to a given account. The lockout mechanism can be helpful, but be a little more lenient on those recognized addresses to avoid making a user's bad day worse.

  2. For the other situation with one IP trying the same password on many accounts, keep track of whether the same IP address has had a number of invalid attempts on different accounts, and lock out that IP for an hour or so.

  3. In the case of a botnet using many IPs to try the same password on many accounts, keep track of whether there has been a barrage of IP addresses attempting the same password. If so, temporarily make it so that password must be entered twice in a row even if it's correct. (Normal users will just think they mistyped their password.)

  4. As mentioned, if an attack is detected, temporarily require a captcha or some other security question (in addition to pretending a valid password was incorrect on the first try). While captcha-reading tools are possible, I don't think they're prevalent just yet, and OCR requires a lot of CPU time.

James M.