Re: Detecting/Preventing Dictionary Attacks

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 12/03/04


Date: Thu, 2 Dec 2004 20:11:22 -0500

Locked accounts are typically a "bad" idea.

I implemented a CAPTCHA control instead.
Keep track of failed logins and when it exceeds your number (say 2 or 3)
then you display a CAPTCHA control with a random number or phrase on it that
a human can read but a program can't.

I also put the thread to sleep as a multiple of the number of failed log-ins
so if they keep getting it wrong it takes longer and longer to log in.

I think you can find sample CAPTCHA code using Google.

-- 
Joe Fallon
"Jim Slade" <Jimbo@SladeIntl.com> wrote in message 
news:%23Z1c7vM2EHA.3132@TK2MSFTNGP14.phx.gbl...
> I've been doing some research on security and it seems like 
> hashing/salting
> passwords is a good idea - but still not really all that secure against
> dictionary attacks (the salt just makes the hacker run their dictionary
> against every single account - not much of a challenge for a competent
> hacker)
>
> Just wondering what value would be added by adding some column to the
> database to record failed login attempts. The idea would be that the 
> column
> holds an integer value that gets incremented on every failed login 
> attempt.
> Then when it reaches some arbitrary value (say 10 failed attempts), that
> particular account gets "locked" out (i.e., the validation logic would not
> even try to validate the user after 10 failed attempts) and the user is
> informed that they need to jump through some hoops in order to unlock the
> account (call tech support or whatever). Also, this counter for failed 
> login
> attempts would get reset to zero on every successful login attempt.
>
> Is doing something like this a good idea? Bad idea?
>
> 
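The two designs in this thread (Jim's failed-attempt column with lockout at 10 and reset on success; Joe's CAPTCHA after 2 or 3 failures plus a sleep that grows with the failure count) can be combined in one small piece of login logic. The following is an added example written for this page, not code from either poster; it is Python rather than the ASP.NET the newsgroup discusses, and the thresholds, the `Account` dataclass, the constructed single-user store and the injectable `sleep` callable are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple
from dataclasses import dataclass


@dataclass
class Account:
    """One row of the user table: salted hash plus the failed-login counter."""
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-SHA256): the thread's "hashing/salting"."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_store() -> Dict[str, Account]:
    """Constructed sample user store with a single account (not real data)."""
    salt = os.urandom(16)
    return {"alice": Account(salt=salt, pw_hash=hash_password("correct horse", salt))}


class LoginGuard:
    """Failed-login handling that combines both designs from the thread.

    * after `captcha_after` failures the caller must present a solved CAPTCHA,
      and every failure sleeps `delay_step * failures` seconds (Joe's approach);
    * after `lock_after` failures the account is locked (Jim's approach);
      pass lock_after=None to disable locking, as Joe recommends;
    * the counter is reset to zero on a successful login.
    """

    def __init__(self, store: Dict[str, Account], captcha_after: int = 3,
                 lock_after: Optional[int] = 10, delay_step: float = 0.5,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.store = store
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.delay_step = delay_step
        self.sleep = sleep  # injectable so a test does not really sleep

    def attempt(self, username: str, password: str,
                captcha_solved: bool = False) -> Tuple[str, float]:
        """Return (status, delay_seconds); status is one of
        "ok", "bad_password", "captcha_required", "locked"."""
        account = self.store.get(username)
        if account is None:
            # Unknown user: same response and delay as a wrong password, so the
            # form does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            self.sleep(self.delay_step)
            return "bad_password", self.delay_step

        if self.lock_after is not None and account.failed_logins >= self.lock_after:
            return "locked", 0.0

        if account.failed_logins >= self.captcha_after and not captcha_solved:
            return "captcha_required", 0.0

        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.pw_hash):
            account.failed_logins = 0  # reset on success, as in Jim's design
            return "ok", 0.0

        account.failed_logins += 1
        delay = self.delay_step * account.failed_logins  # grows with each failure
        self.sleep(delay)
        return "bad_password", delay


if __name__ == "__main__":
    guard = LoginGuard(make_store(), sleep=lambda s: None)
    for pw in ["wrong", "wrong", "wrong", "correct horse"]:
        print(pw, guard.attempt("alice", pw))
    print("with captcha", guard.attempt("alice", "correct horse", captcha_solved=True))
```

With the defaults, the fourth call above is refused with `captcha_required` even though the password is right, and only the call that presents a solved CAPTCHA succeeds and clears the counter. The `lock_after=None` setting keeps the CAPTCHA and the growing delay while dropping the lockout, which is the variant Joe's reply argues for.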

