Bytes | Software Development & Data Engineering Community

Detecting/Preventing Dictionary Attacks

I've been doing some research on security and it seems like hashing/salting
passwords is a good idea - but still not really all that secure against
dictionary attacks (the salt just makes the hacker run their dictionary
against every single account - not much of a challenge for a competent
hacker).

Just wondering what value would be added by adding some column to the
database to record failed login attempts. The idea would be that the column
holds an integer value that gets incremented on every failed login attempt.
Then when it reaches some arbitrary value (say 10 failed attempts), that
particular account gets "locked" out (i.e., the validation logic would not
even try to validate the user after 10 failed attempts) and the user is
informed that they need to jump through some hoops in order to unlock the
account (call tech support or whatever). Also, this counter for failed login
attempts would get reset to zero on every successful login attempt.

Is doing something like this a good idea? Bad idea?
Nov 19 '05 #1
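The scheme proposed above, written out as an added example (this is editor-supplied code, not code from the original post): a per-account failed-attempt counter that is incremented on every failure, reset on success, and that locks the account at a threshold of 10, after which the password is not even checked until an out-of-band unlock. The salted hash uses PBKDF2-HMAC-SHA256 with an assumed work factor of 100,000 iterations; the post only says "hashing/salting", so the iterated construction and the in-memory `AccountStore` standing in for the database table are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 10     # the post's "say 10 failed attempts"
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune upward for production
SALT_BYTES = 16

# Result codes returned by login()
OK = "ok"
BAD_CREDENTIALS = "bad_credentials"
LOCKED = "locked"


@dataclass
class Account:
    """One row of the users table, including the proposed counter column."""
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash (PBKDF2-HMAC-SHA256). The thread only says
    # "hashing/salting"; the iterated construction is an assumed choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory stand-in for the database table (an assumption of this example)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._accounts[username] = Account(salt=salt, password_hash=hash_password(password, salt))

    def get(self, username: str) -> Optional[Account]:
        return self._accounts.get(username)


def login(store: AccountStore, username: str, password: str) -> str:
    acct = store.get(username)
    if acct is None:
        # Unknown user: still compute a hash so response time does not reveal
        # whether the username exists, then fail with the generic code.
        hash_password(password, b"\x00" * SALT_BYTES)
        return BAD_CREDENTIALS
    if acct.locked:
        # Locked accounts are refused before the password is even checked.
        return LOCKED
    if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts = 0          # reset to zero on success
        return OK
    acct.failed_attempts += 1             # increment on every failure
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True                # the threshold has been reached
        return LOCKED
    return BAD_CREDENTIALS


def unlock(store: AccountStore, username: str) -> None:
    """The out-of-band 'jump through some hoops' step (e.g. tech support)."""
    acct = store.get(username)
    if acct is not None:
        acct.locked = False
        acct.failed_attempts = 0


def demo() -> List[str]:
    """Ten wrong guesses lock the account; the right password is then refused
    until the account is unlocked."""
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    results = [login(store, "alice", "guess%d" % i) for i in range(MAX_FAILED_ATTEMPTS)]
    results.append(login(store, "alice", "correct horse battery staple"))  # locked
    unlock(store, "alice")
    results.append(login(store, "alice", "correct horse battery staple"))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before deploying this: the counter increment and the lock decision should happen in a single atomic database update so that parallel guesses cannot race past the threshold, and a lockout that anyone can trigger by typing ten wrong passwords also lets an attacker deny service to a chosen victim, which is the usual objection to hard lockouts.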
Locked accounts are typically a "bad" idea.

I implemented a CAPTCHA control instead.
Keep track of failed logins and when it exceeds your number (say 2 or 3)
then you display a CAPTCHA control with a random number or phrase on it that
a human can read but a program can't.

I also put the thread to sleep as a multiple of the number of failed log-ins
so if they keep getting it wrong it takes longer and longer to log in.

I think you can find sample CAPTCHA code using Google.
--
Joe Fallon


Nov 19 '05 #2
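Joe's alternative, as an added example that is not code from the original post: failed logins are counted per username; once they exceed a threshold (3 here) a random CAPTCHA phrase must be answered before the password is checked, and every attempt first stalls for a delay that is a multiple of the failure count. The base delay of 2 seconds, the 6-character challenge, counting a failed CAPTCHA as a failed login, and the plaintext `DEMO_USERS` table (a constructed stand-in for the salted-hash check) are all assumptions of this example; rendering the phrase as a distorted image is left out.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CAPTCHA_AFTER = 3          # Joe's "say 2 or 3" failures (assumed: 3)
DELAY_STEP_SECONDS = 2.0   # assumed base; stall = step * failures
CHALLENGE_LENGTH = 6       # assumed length of the random phrase


@dataclass
class LoginState:
    failures: int = 0
    challenge: Optional[str] = None   # pending CAPTCHA answer, if any


class LoginThrottle:
    """Per-username failure counter with progressive delay and CAPTCHA gate."""

    def __init__(self, verify: Callable[[str, str], bool],
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self._verify = verify     # (username, password) -> bool, e.g. the salted-hash check
        self._sleep = sleep       # injectable so tests do not really sleep
        self._state: Dict[str, LoginState] = {}

    def _state_for(self, username: str) -> LoginState:
        return self._state.setdefault(username, LoginState())

    def failures(self, username: str) -> int:
        return self._state_for(username).failures

    def delay_for(self, username: str) -> float:
        # "a multiple of the number of failed log-ins"
        return DELAY_STEP_SECONDS * self.failures(username)

    def captcha_required(self, username: str) -> bool:
        return self.failures(username) >= CAPTCHA_AFTER

    def new_challenge(self, username: str) -> str:
        # Random phrase shown to the user; the server keeps the expected answer.
        alphabet = string.ascii_uppercase + string.digits
        text = "".join(secrets.choice(alphabet) for _ in range(CHALLENGE_LENGTH))
        self._state_for(username).challenge = text
        return text

    def attempt(self, username: str, password: str,
                captcha_answer: Optional[str] = None) -> str:
        st = self._state_for(username)
        self._sleep(self.delay_for(username))      # longer and longer each time
        if self.captcha_required(username):
            if st.challenge is None or captcha_answer is None:
                return "captcha_required"
            expected, st.challenge = st.challenge, None   # single use
            if not secrets.compare_digest(expected, captcha_answer.strip().upper()):
                st.failures += 1                   # assumed: wrong CAPTCHA counts as a failure
                return "captcha_failed"
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        return "bad_credentials"


# Constructed demo data; stands in for the salted-hash verification.
DEMO_USERS = {"alice": "s3cret-passphrase"}


def demo() -> Tuple[List[str], List[float]]:
    """Three wrong guesses, then the right password is held behind a CAPTCHA."""
    slept: List[float] = []
    t = LoginThrottle(verify=lambda u, p: DEMO_USERS.get(u) == p, sleep=slept.append)
    log = [t.attempt("alice", guess) for guess in ("password", "letmein", "qwerty")]
    log.append(t.attempt("alice", "s3cret-passphrase"))            # right password, CAPTCHA first
    t.new_challenge("alice")
    log.append(t.attempt("alice", "s3cret-passphrase", "WRONG"))   # wrong CAPTCHA answer
    answer = t.new_challenge("alice")
    log.append(t.attempt("alice", "s3cret-passphrase", answer))    # solved; login succeeds
    return log, slept


if __name__ == "__main__":
    print(demo())
```

Note that the stall is applied per username, so a server-side sleep inside a request thread ties up one worker per guess; a production version would store the "not before" timestamp and reject early instead of blocking, which is the same policy without the thread cost.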
WJ
"Joe Fallon" <jf******@nospamtwcny.rr.com> wrote:
<< Locked accounts are typically a "bad" idea. >>

Why is that? Then how do you prevent an attacker from attempting his evil
thing? Sooner or later you have to shut him out, right?

<< I implemented a CAPTCHA control instead. >>

CAPTCHA, as you said, is mainly used to ensure that it is not a robot on the
other side. In fact, no one has ever said that it is "the...safe tool" to
prevent an automated process! Unless you really "obscure" the figure so badly
that even the top OCR device cannot decode it, but then your site would
become useless because of poor readability, especially for disadvantaged
users (I am referring to accessibility)!

***********
So, what is the solution to a dictionary attack? The answer is to enforce a
"strong and complex password scheme" religiously, and most OSes today support
this! This is effortless and involves no $$$ nor programming skill!

John
Nov 19 '05 #3
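What a "strong and complex password scheme" looks like when checked in application code, as an added example that is not from the thread or from any OS's built-in policy: minimum length, character-class mix, a small dictionary lookup that first undoes the usual letter-for-symbol substitutions, and rejection of passwords containing the username. The thresholds (12 characters, 3 of 4 classes, long passphrases exempt from the class rule) and the ten-word `COMMON_PASSWORDS` list are constructed assumptions; a real deployment would load a large breach-derived list.

```python
import re
from typing import List

MIN_LENGTH = 12            # assumed minimum length
MIN_CLASSES = 3            # of: lowercase, uppercase, digit, symbol (assumed)
PASSPHRASE_LENGTH = 20     # at this length the class rule is waived (assumed)

# Constructed sample of a "common passwords" list.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "welcome", "monkey",
    "dragon", "football", "iloveyou", "admin", "baseball",
}

# Undo the usual substitutions (p@ssw0rd -> password) before the lookup.
LEET = str.maketrans("@0134$57", "aoieasst")

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def _dictionary_form(password: str) -> str:
    # Drop trailing digits/symbols ("password123!"), then map leet characters.
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; empty means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    present = [name for name, pat in CLASS_PATTERNS.items() if re.search(pat, password)]
    if len(present) < MIN_CLASSES and len(password) < PASSPHRASE_LENGTH:
        problems.append("uses only %d of 4 character classes (%s)"
                        % (len(present), ", ".join(present)))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or _dictionary_form(password) in COMMON_PASSWORDS:
        problems.append("is a dictionary word (possibly with substitutions)")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more identical characters")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password_policy(password, username)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", check_password_policy(candidate) or "ok")
```

The substitution-aware lookup is the part worth copying: a complexity rule that only counts character classes accepts "P@ssw0rd1", which any dictionary attack with a leet rule set tries in its first seconds.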
WJ
"Jim Slade" <Ji***@SladeIntl.com> wrote:
<< I still hesitate because it is not 100% secure solution >>

You must hesitate A LOT!

Yes, especially on Port# 80. I am trying not to be a "happy programmer"
who just blindly codes without hesitation. Example: Bill Gates is a
typical "happy coder"; many of his products have LOTS OF HOLES in them,
such as the IIS product, which was attacked from left to right, to the point
that the entire product became unmanageable and had to be re-written from
scratch, and it is still being attacked! Back to Port 80 (HTTP): I always
"hesitate" because I know that my system is wide open. You have no choice
but to hesitate to ensure that your end is covered.

John
Nov 19 '05 #4
<< You have no choice but hesitate to ensure that your end is covered>>

How long should one hesitate to ensure that one's end is covered? If one
hesitates for an infinite duration, then is one's end infinitely covered?

Just curious... because I never hesitate. Instead, I click my heels together
three times and say "my end is covered, my end is covered, my end is
covered." But somehow I'm always getting hacked. I don't get it. Perhaps I
should hesitate between heel clicks. But for how long?

Nov 19 '05 #5
WJ
"Jim Slade" <Ji***@SladeIntl.com> wrote:

<< How long should one hesitate to ensure that one's end is covered? If one
hesitates for an infinite duration, then is one's end infinitely covered? >>

Not too long. See, you and I know that nothing is perfect on earth. We need
to use common sense. One of them is to patch your products, monitor them,
use best practices suggested by your vendors... and document what you are
doing so you will not be burned a 2nd time for the same mistake... too many to
think of...

Let's get back to work!

BTW, always think of an alternative just in case Uncle Bill no longer has
fun...

John
Nov 19 '05 #6
