Recently WiFi encryption was brute forced by using the parallel processing power of the modern GPU http://is.gd/4fhb. What other real-life problems do you think will benefit from similar techniques?
...
At work we have two competing theories for salts. The products I work on use something like a user name or phone number to salt the hash. Essentially something that is different for each user but is readily available to us. The other product randomly generates a salt for each user and changes each time the user changes the password. ...
Hi guys, I'm a junior student and I had a course called The Design and Analysis of Algorithms. The course is cool but the instructor is not any way. I don't understand the brute force and how to count the number of operations and how to count the time complexity (worst, best, avg). I tried to search for it on the net but each time I end with ...
This is my first post here so be easy on me!
I'm a beginner C++ programmer, and to stretch my mind I've been trying some of the problems on projecteuler.net. Despite an interest in maths at school, I've found myself automatically going for brute force solutions to the problems, rather than looking for something streamlined or elegant. ...
As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?
Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.
Both these ...
Hello,
I'd like to prevent bots from hacking weak password-protected accounts (e.g. this happened to eBay and other big sites).
So I'll set a (mem-)cached value with the IP, amount of tries and timestamp of last try (memcache-fall-out).
But what about bots trying to open any account with just one password. For example, the bot tries a...
First, a little background: It is no secret that I am implementing an auth+auth system for CodeIgniter, and so far I'm winning (so to speak). But I've run into a pretty non-trivial challenge (one that most auth libraries miss entirely, but I insist on handling it properly): how to deal intelligently with large-scale, distributed, variabl...
Friday afternoon seems like a good time to ask this question...
A while back I was trying to brute force a remote control which sent a 12 bit binary 'key'.
The device I made worked, but was very slow as it was trying every combination at about 50 bits per second (4096 codes = 49152 bits = ~16 minutes)
I opened the receiver and found i...
Hi there,
I'm seeing web apps implementing limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let's try again in 10 minutes!!
thanks :)
...
Hi,
I have a customer that has an old non-existent application; he had a problem with the company that made the application and they won't disclose his database password. He realized that he signed a contract (back then) where it said that he was sort of "renting" the application and they had no right to disclose anything. This customer...
Will it shut down & lock up after repeated false password tries, and/or will it add lags in-between retries? Or does this depend on which modules you or your provider install? Thanks!
...
I am using the following code to generate an encrypted token:
    var ticket = new System.Web.Security.FormsAuthenticationTicket(
        2,
        "",
        DateTime.Now,
        DateTime.Now.AddMinutes(10),
        false,
        "user id here");
    var cipherText = System.Web.Security.FormsAuthentication.Encrypt(ticket);
This code uses the key and algori...
This problem is similar to blind SQL injections. The goal is to determine the exact value of a string, and the only test you can do is to see if a DOS-style wildcard (? = any character, * = any number of any characters) you specify is matched by the string. (So practically you only have access to a bool DoesWildcardMatch(string wildcard)...
AES and other modern encryption algorithms are considered strong and sometimes one can see quotes like "it's not recommended to use classic zip encryption since it is no longer considered strong". But is there a really non-linear difference between them? For example, if both produce sequences with high entropy, does it mean that with a ve...
I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.
How can I stop this from happening?
For SSH, I use denyhosts, which works well. Is there a ...
How could you calculate the size of a brute force method dynamically? For example, how many iterations and how much space would it take if you printed all IPv6 addresses from 0:0:0:0:0:0:0:0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to a file? The tricky parts are those where the length of the line varies. The IP address is only an example.
Idea is that you give the forma...
Thanks for looking. All sincerely helpful answers are voted up.
I use a password strength meter to let the user know how strong the password they've chosen is. But this password checker obviously doesn't cover how weak under a dictionary attack the password is. How can I check for that, and is it worth it?
Also my regular password ch...
Hopefully simple, but can't find any such option.
I have a data table -- has say... 10 rows in it. Some fields on the form are bound to the table.columns respectively by name.
On another form that HAS a grid, as I scroll the grid, the detail fields are refreshed as expected since the grid does some magic to trigger the DataTable recor...
I am trying to write a script to prevent brute-force login attempts in a website I'm building. The logic goes something like this:
User sends login information.
Check if username and password are correct
If Yes, let them in.
If No, record a failed attempt in the database. Check if there are too many fails within a given timeframe (eg: 5 ...
Hello,
I am trying to develop a program in C that will "crack" the crypt(3) encryption used by UNIX.
The most naive way to do it is brute forcing I guess. I thought I should create an array containing all the symbols a password can have and then get all possible permutations of them and store them in a two-dimensional array (where all th...