PerlMonks  

Re: Password hacker killer

by allolex (Curate)
on Sep 07, 2003 at 14:24 UTC (#289572)


in reply to Password hacker killer

Use user-level authentication and limit the number of retries per user to something like four and then put a wait period between unsuccessful login series. So if someone makes four unsuccessful login attempts in a row, block the user account so that that user cannot log in for the next hour, no matter the password, or until you reset the account.

Also make sure your passwords are good in the first place. No dictionary words, no names (there are dictionaries for those, too). You could maybe use something like Data::Password, although I cannot personally vouch for it.

Good luck keeping them out.

--
Allolex


Re: Re: Password hacker killer
by Corion (Pope) on Sep 07, 2003 at 14:27 UTC

    This method leads the way for an effective DOS - if I want to prevent you from logging in, I just write a script that repeatedly tries to log in as you, with a wrong password. You won't be able to ever get at your account again.

    You need to block at least only a certain IP address, then only AOL users can block AOL users ...

    perl -MHTTP::Daemon -MHTTP::Response -MLWP::Simple -e ' ; # The $d = new HTTP::Daemon and fork and getprint $d->url and exit;#spider ($c = $d->accept())->get_request(); $c->send_response( new #in the HTTP::Response(200,$_,$_,qq(Just another Perl hacker\n))); ' # web

      Yes, thanks for pointing that out. It would therefore be logical to block the IP instead of the user for the same time period, or better yet block the combination of user/IP.

      --
      Allolex

        This does not work; most of the automated cracking tools will use huge proxy lists to change the source IP of the attack after X attempts. You chase your own tail by limiting the user/IP block.

        -Waswas
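As an added illustration (not code from anyone in this thread), here is the lockout policy from the posts above in Perl: after four consecutive failures the throttle blocks for an hour, keyed either on the user alone or on the user/IP pair. The user names, addresses, timestamps and the stub check_password are all constructed for the demo; the three simulations reproduce Corion's lockout-as-denial-of-service case, allolex's user/IP refinement, and Waswas's caveat that a block keyed on source IP does nothing against attempts arriving from many addresses.

```perl
use strict;
use warnings;

# Constructed demo of the policy discussed in the thread: at most
# $MAX_FAILURES consecutive failed logins, then a one-hour block.
# The throttle key is either the user alone or the user+IP pair.
my $MAX_FAILURES  = 4;
my $BLOCK_SECONDS = 3600;
my %state;    # throttle key => { fails => N, blocked_until => epoch }

# Stand-in for real credential verification (hypothetical, demo only).
my %passwd = ( alice => 'correct horse' );
sub check_password { my ($u, $p) = @_; return exists $passwd{$u} && $passwd{$u} eq $p; }
sub throttle_key   { my ($user, $ip, $mode) = @_; return $mode eq 'user' ? $user : "$user\@$ip"; }
sub reset_state    { %state = (); }

# Returns 'ok', 'bad' (wrong password, counted) or 'locked' (not even checked).
sub attempt_login {
    my ($user, $ip, $password, $now, $mode) = @_;
    my $key = throttle_key($user, $ip, $mode);
    my $s = $state{$key} ||= { fails => 0, blocked_until => 0 };
    return 'locked' if $s->{blocked_until} > $now;          # still inside the block
    if (check_password($user, $password)) { delete $state{$key}; return 'ok'; }
    $s->{fails}++;
    if ($s->{fails} >= $MAX_FAILURES) {                      # fourth miss starts the block
        $s->{blocked_until} = $now + $BLOCK_SECONDS;
        $s->{fails} = 0;
    }
    return 'bad';
}

# Scenario: four wrong guesses from 10.0.0.9, then the real owner from 192.0.2.5.
# With mode 'user' the owner is locked out too (Corion's point); with
# 'user_ip' only the guessing address is blocked (allolex's refinement).
sub simulate {
    my ($mode) = @_;
    reset_state();
    my $t = 1_000_000;
    attempt_login('alice', '10.0.0.9', "guess$_", $t++, $mode) for 1 .. 4;
    return attempt_login('alice', '192.0.2.5', 'correct horse', $t, $mode);
}

# Waswas's caveat: eight guesses from eight different addresses never trip
# a user+IP block, so every one of them is actually checked.
sub simulate_rotating_ips {
    reset_state();
    my $t = 1_000_000;
    my @r = map { attempt_login('alice', "10.0.0.$_", 'guess', $t++, 'user_ip') } 1 .. 8;
    return scalar grep { $_ eq 'locked' } @r;               # 0 locked attempts
}

print "per-user key: ", simulate('user'), "\n";              # locked
print "user+IP key:  ", simulate('user_ip'), "\n";           # ok
print "rotating IPs: ", simulate_rotating_ips(), " locked\n"; # 0 locked
```

In a real service the %state hash would live in a shared store with expiry (a database table or cache) rather than in process memory, so that the counts survive restarts and are shared across workers.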
