brute-force

What are some practical problems that parallel computing, F#, and GPU-parallel processing might solve?

Recently WiFi encryption was brute forced by using the parallel processing power of the modern GPU http://is.gd/4fhb. What other real-life problems do you think will benefit from similar techniques? ...

The necessity of hiding the salt for a hash

At work we have two competing theories for salts. The products I work on use something like a user name or phone number to salt the hash. Essentially something that is different for each user but is readily available to us. The other product randomly generates a salt for each user and changes each time the user changes the password. ...

Brute force, Need help

Hi guys, I'm a junior student and I had a course called The Design and Analysis of Algorithms. The course is cool but the instructor is not any way. I don't understand the brute force and how to count the number of operations and how to count the time complexity (worst, best, avg). I tried to search for it on the net but each time I end with ...

Is a preference for brute force solutions a bad sign?

This is my first post here so be easy on me! I'm a beginner C++ programmer, and to stretch my mind I've been trying some of the problems on projecteuler.net. Despite an interest in maths at school, I've found myself automatically going for brute force solutions to the problems, rather than looking for something streamlined or elegant. ...

Preventing Brute Force Logins on Websites

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks? Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt. Both these ...

Best practice against password-list-attacks with web applications

Hello, I'd like to prevent bots from hacking weak password-protected accounts. (e.g. this happened to eBay and other big sites) So I'll set a (mem-) cached value with the ip, amount of tries and timestamp of last try (memcache-fall-out). But what about bots trying to open any account with just one password. For example, the bot tries a...

What is the best Distributed Brute Force countermeasure?

First, a little background: It is no secret that I am implementing an auth+auth system for CodeIgniter, and so far I'm winning (so to speak). But I've run into a pretty non-trivial challenge (one that most auth libraries miss entirely, but I insist on handling it properly): how to deal intelligently with large-scale, distributed, variabl...

How would I go about implementing this algorithm?

Friday afternoon seems like a good time to ask this question... A while back I was trying to brute force a remote control which sent a 12 bit binary 'key'. The device I made worked, but was very slow as it was trying every combination at about 50 bits per second (4096 codes = 49152 bits = ~16 minutes) I opened the receiver and found i...

Limiting user login attempts in PHP

Hi there, I'm seeing web apps implementing limitations for user login attempts. Is it a security necessity and, if so, why? For example: you had three failed login attempts, let's try again in 10 minutes!! thanks :) ...

Finding a legacy firebird/Interbase database password

Hi, I have a customer that has an old non-existent application; he had a problem with the company that made the application and they won't disclose his database password. He realized that he signed a contract (back then) where it said that he was sort of "renting" the application and they had no right to disclose anything. This customer...

Does Apache basic authentication defend brute force attacks?

Will it shut down & lock up after repeated false password tries, and/or will it add lags in-between retries? Or does this depend on which modules you or your provider install? Thanks! ...

Could validationKey and decryptionKey be found by brute force from encrypted cookie value?

I am using the following code to generate an encrypted token: var ticket = new System.Web.Security.FormsAuthenticationTicket( 2, "", DateTime.Now, DateTime.Now.AddMinutes(10), false, "user id here"); var cipherText = System.Web.Security.FormsAuthentication.Encrypt(ticket); This code uses the key and algori...

Fastest way to bruteforce a string using a DOS wildcard

This problem is similar to blind SQL injections. The goal is to determine the exact value of a string, and the only test you can do is to see if a DOS-style wildcard (? = any character, * = any number of any characters) you specify is matched by the string. (So practically you only have access to a bool DoesWildcardMatch(string wildcard)...

Is there non-linear difference between strong (i.e. AES) and non-strong (i.e. classic zip) encryption

AES and other modern encryption algorithms are considered strong and sometimes one can see quotes like "it's not recommended to use classic zip encryption since it is no longer considered strong". But is there a really non-linear difference between them? For example, if both produce sequences with high entropy, does it mean that with a ve...

Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever. How can I stop this from happening? For SSH, I use denyhosts, which works well. Is there a ...

Calculate brute force size dynamically?

How could you calculate the size of a brute force method dynamically? For example how many iterations and space would take if you printed all IPv6 addresses from 0:0:0:0:0:0:0:0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to file? The tricky parts are those when length of line varies. IP address is only example. Idea is that you give the forma...

Is the password weak under dictionary attack

Thanks for looking. All sincerely helpful answers are voted up. I use a password strength meter to let the user know how strong the password they've chosen is. But this password checker obviously doesn't cover how weak under a dictionary attack the password is. How can I check for that, and is it worth it? Also my regular password ch...

Moving to specific record within a DataTable

Hopefully simple, but can't find any such option. I have a data table -- has say... 10 rows in it. Some fields on the form are bound to the table.columns respectively by name. On another form that HAS a grid, as I scroll the grid, the detail fields are refreshed as expected since the grid does some magic to trigger the DataTable recor...

Brute-force/DoS prevention in PHP

I am trying to write a script to prevent brute-force login attempts in a website I'm building. The logic goes something like this: User sends login information. Check if username and password is correct If Yes, let them in. If No, record a failed attempt in the database. Check if there's too many fails within a given timeframe (eg: 5 ...

Need help with brute force code for crypt(3)

Hello, I am trying to develop a program in C that will "crack" the crypt(3) encryption used by UNIX. The most naive way to do it is brute forcing I guess. I thought I should create an array containing all the symbols a password can have and then get all possible permutations of them and store them in a two-dimensional array (where all th...