Detecting/Preventing Dictionary Attacks

I've been doing some research on security and it seems like hashing/salting
passwords is a good idea - but still not really all that secure against
dictionary attacks (the salt just makes the hacker run their dictionary
against every single account - not much of a challenge for a competent
hacker)

Just wondering what value would be added by adding some column to the
database to record failed login attempts. The idea would be that the column
holds an integer value that gets incremented on every failed login attempt.
Then when it reaches some arbitrary value (say 10 failed attempts), that
particular account gets "locked" out (i.e., the validation logic would not
even try to validate the user after 10 failed attempts) and the user is
informed that they need to jump through some hoops in order to unlock the
account (call tech support or whatever). Also, this counter for failed login
attempts would get reset to zero on every successful login attempt.

Is doing something like this a good idea? Bad idea?
Nov 19 '05 #1
Locked accounts are typically a "bad" idea.

I implemented a CAPTCHA control instead.
Keep track of failed logins and when it exceeds your number (say 2 or 3)
then you display a CAPTCHA control with a random number or phrase on it that
a human can read but a program can't.

I also put the thread to sleep as a multiple of the number of failed log-ins
so if they keep getting it wrong it takes longer and longer to log in.

I think you can find sample CAPTCHA code using Google.
--
Joe Fallon


Nov 19 '05 #2
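The counter-and-threshold scheme from the question, combined with the CAPTCHA trigger and escalating sleep from Joe Fallon's reply, worked through as an added example; it is not code from either poster. The per-account failure count lives in an in-memory dict standing in for the database column, `sleep` is injectable so the delay can be observed without actually waiting, and the salted hash is assumed to be PBKDF2 (the thread says only "hashing/salting"). The thresholds `CAPTCHA_AFTER`, `LOCK_AFTER`, `DELAY_STEP` and `PBKDF2_ROUNDS` are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy thresholds. Constructed values: the thread suggests a CAPTCHA after
# 2 or 3 failures and a lock after 10.
CAPTCHA_AFTER = 3      # require a CAPTCHA once this many failures are on record
LOCK_AFTER = 10        # stop validating altogether once this many are on record
DELAY_STEP = 0.5       # seconds to sleep per recorded failure (the reply's "multiple")
PBKDF2_ROUNDS = 50_000 # assumed iteration count


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_logins: int = 0    # the integer column proposed in the question


@dataclass
class LoginResult:
    ok: bool
    failed_logins: int        # counter value after this attempt
    captcha_required: bool    # next attempt must carry a solved CAPTCHA
    locked: bool              # next attempt is refused until unlock()


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt plus an iterated hash (PBKDF2 assumed). The salt forces a
    # separate dictionary run per account; the iteration count makes every
    # guess in that run cost real CPU time.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, sleep=None):
        self._accounts = {}                        # username -> Account; stands in for the DB table
        self._sleep = sleep or (lambda s: None)    # injectable so tests need not wait

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def unlock(self, username: str) -> None:
        # The "call tech support" path from the question: reset the counter by hand.
        self._accounts[username].failed_logins = 0

    def login(self, username: str, password: str, captcha_solved: bool = False) -> LoginResult:
        acct = self._accounts.get(username)
        if acct is None:
            # Unknown user: burn the same hash cost so response time does not
            # reveal which usernames exist, then report a plain failure.
            hash_password(password, b"\x00" * 16)
            return LoginResult(False, 0, False, False)

        if acct.failed_logins >= LOCK_AFTER:
            return self._state(acct, ok=False)     # locked: no validation at all
        if acct.failed_logins >= CAPTCHA_AFTER and not captcha_solved:
            return self._state(acct, ok=False)     # CAPTCHA gate sits before the password check

        # Escalating delay: a multiple of the failures already recorded.
        self._sleep(DELAY_STEP * acct.failed_logins)

        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_logins = 0                 # a successful login resets the counter
            return self._state(acct, ok=True)
        acct.failed_logins += 1
        return self._state(acct, ok=False)

    @staticmethod
    def _state(acct: Account, ok: bool) -> LoginResult:
        n = acct.failed_logins
        return LoginResult(ok, n, CAPTCHA_AFTER <= n < LOCK_AFTER, n >= LOCK_AFTER)
```

Two design points worth noting. The CAPTCHA gate rejects an attempt before the password is compared, so once the threshold is reached an automated guesser gets no information from further tries and the counter does not keep climbing on its own. The hard lock is kept only as a last resort: since the counter is keyed by username, repeated failures against a name deny service to its real owner until `unlock` is called, which is the usual reason locked accounts are called a "bad" idea and why the reply prefers the CAPTCHA-plus-delay path.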
WJ
"Joe Fallon" <jf******@nospamtwcny.rr.com> wrote in message
news:uc****************@TK2MSFTNGP09.phx.gbl...
Locked accounts are typically a "bad" idea.

Why is that? Then how do you prevent an attacker from attempting his evil
thing? Sooner or later you have to shut him out, right?
I implemented a CAPTCHA control instead.


CAPTCHA, as you said, is mainly used to ensure that it is not a robot on the
other side. In fact, no one has ever said that it is "the...safe tool" to
prevent automated processes! Unless you really "obscure" the figure so badly
that even the top OCR device cannot decode it, but then your site would
become useless because of poor readability, especially for disadvantaged
users (I am referring to Accessibility)!

***********
So, what is the solution to Dictionary Attack? The answer is to enforce a
"strong and complex password scheme" religiously, and most OSes today support
this! This is effortless and involves neither $$$ nor programming skill!

John
Nov 19 '05 #3
WJ
"Jim Slade" <Ji***@SladeIntl.com> wrote in message
news:OH**************@TK2MSFTNGP15.phx.gbl...
<< I still hesitate because it is not a 100% secure solution >>

You must hesitate A LOT!

Yes, especially to Port# 80. I am trying not to be a "happy programmer..."
who just blindly codes without hesitation. Example: Bill Gates is a
typical "happy coder"; many of his products have LOTS OF HOLES in them,
such as the IIS product, which was attacked from left to right, to a point that
the entire product became unmanageable and had to be re-written from scratch,
and it is still being attacked! Back to Port 80 (HTTP), I always "hesitate"
because I know that my system is wide open. You have no choice but to
hesitate to ensure that your end is covered.

John
Nov 19 '05 #4
<< You have no choice but to hesitate to ensure that your end is covered >>

How long should one hesitate to ensure that one's end is covered? If one
hesitates for an infinite duration, then is one's end infinitely covered?

Just curious... because I never hesitate. Instead, I click my heels together
three times and say "my end is covered, my end is covered, my end is
covered." But somehow I'm always getting hacked. I don't get it. Perhaps I
should hesitate between heel clicks. But for how long?


Nov 19 '05 #5
WJ
"Jim Slade" <Ji***@SladeIntl.com> wrote in message
news:Ov**************@TK2MSFTNGP12.phx.gbl...

How long should one hesitate to ensure that one's end is covered? If one
hesitates for an infinite duration, then is one's end infinitely covered?

Not too long. See, you and I know that nothing is perfect on earth. We need
to use common sense. One of them is to patch your products, monitor them,
use best practices suggested by your vendors... and document what you are
doing so you will not be burned a 2nd time for the same mistake... too many to
think of...

Let's get back to work!

BTW, always think of an alternative just in case Uncle Bill no longer has
fun...

John
Nov 19 '05 #6
