This is a discussion on defense against password cracking programs within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I have a question about ways to defend against password cracking programs. Basically, I'm wondering if there is a way to disable log-ins to a particular account for some defined period of time (for example, 30 minutes) after this account is barraged with lots of failed log-in attempts (say, 30 failures within 10 minutes). It seems like most cracking programs are based on brute force of "trying out" as many passwords as possible as quickly as possible. If this process is slowed down, password cracking would be more difficult. Does anything like this exist?

Thanks,
Gayle
gaylew@gmail.com (gayle) writes:

]Hi,
]I have a question about ways to defend against password cracking
]programs.
]Basically, I'm wondering if there is a way to disable log-ins to a
]particular account for some defined period of time (for example, 30
]minutes) after this account is barraged with lots of failed log-in
]attempts (say, 30 failures within 10 minutes).

The problem with this is that it allows a denial of service attack. The attacker just barrages with failed attempts, and then suddenly the real user cannot log in. 30 min later he does it again (or rather automates it).

]It seems like most cracking programs are based on brute force of
]"trying out" as many passwords as possible as quickly as possible. If
]this process is slowed down, password cracking would be more
]difficult.

It is almost never done "live", i.e. on a running system, since the attempts are way way too slow. It is far more efficient to get the password database and then try against the hashed passwords in there (10^6 attempts/sec vs 1/sec).

]Does anything like this exist?

It is a bad idea. What is sometimes done is that the response is slowed down (e.g. to 5 sec between attempts), but much more than that allows DOS.
On Wednesday, 22 September 2004, 00:13 Bill Unruh tried to express an opinion:
> gaylew@gmail.com (gayle) writes:
> ]Basically, I'm wondering if there is a way to disable log-ins to a
> ]particular account for some defined period of time (for example, 30
> ]minutes) after this account is barraged with lots of failed log-in
> ]attempts (say, 30 failures within 10 minutes).
>
> The problem with this is that it allows a denial of service attack. The
> attacker just barrages with failed attempts, and then suddenly the real
> user cannot log in. 30 min later he does it again (or rather automates it).

How about something that blocks the IP of the attacker for a period? (for all services.) Then the real user could still log in.

--
Solbu - http://www.solbu.net
Remove 'ugyldig' for email
PGP key ID: 0xFA687324
gaylew@gmail.com (gayle) wrote in
news:278a9610.0409211331.24cbc97d@posting.google.com:

> Does anything like this exist?

It's fairly standard, actually. Usually a system settings file which will lock an account after 3 failed attempts in a row.

Gandalf Parker
--
My mom always told me that if you open it, then you shut it. And if you aren't going to pay attention to it, then don't leave it running. Never talk to strangers. And never accept gifts from people you don't know. She made me the security expert that I am today.
> How about something that blocks the IP of the attacker for a period? (for
> all services.) Then the real user could still log in.

Something like portsentry for accounts (instead of ports). I am looking for this too.
In article <278a9610.0409211331.24cbc97d@posting.google.com>, gayle wrote:
> Basically, I'm wondering if there is a way to disable log-ins to a
> particular account for some defined period of time...

What kind of account? If you mean a user account on the system, with a little coding you might be able to hack something up using PAM and this module: http://www.spellweaver.org/devel/

If the application has its own authentication (like maybe a webmail account) then the above might work if the app uses PAM.

--
Sincerely,
Ray Ingles (313) 227-2317
"Any technology distinguishable from magic is insufficiently advanced." - Anonymous' restatement of Clarke
Gandalf Parker wrote:
[Snip]
> --
> My mom always told me that if you open it, then you shut it. And if you
> aren't going to pay attention to it, then don't leave it running. Never talk
> to strangers. And never accept gifts from people you don't know.
> She made me the security expert that I am today.

Nice Sig ... :)

Regards
Abhinav
Abhinav <matrix_calling@yahoo.dot.com> wrote in
news:yDe4d.33$jL6.120@news.oracle.com:

> Gandalf Parker wrote:
>
> [Snip]
>
>> My mom always told me that if you open it, then you shut it. And
>> if you aren't going to pay attention to it, then don't leave it
>> running. Never talk to strangers. And never accept gifts from people
>> you don't know. She made me the security expert that I am today.
>
> Nice Sig ... :)
>
> Regards
> Abhinav

Thanks. In all my years on the internet I am so often amazed at the "hot new subjects" full of "what will we do about this new problem". They are so determined to make Virtual Reality into a new territory with new problems where the answers must be new answers thought up from scratch. If someone is stumped for an answer, try dumping the virtual for a reality version. It's not an answer but it's usually a real good starting point with a lot of really good thought already put into it. Cliches are even better. :) What can I say? I'm old.

Gandalf Parker
--
Having locks on the gate doesn't mean you don't need a watchdog in the yard.
On 2004-09-21, Solbu wrote:
>
> On Wednesday, 22 September 2004, 00:13 Bill Unruh tried to express an opinion:
>
>> gaylew@gmail.com (gayle) writes:
>
>> ]Basically, I'm wondering if there is a way to disable log-ins to a
>> ]particular account for some defined period of time (for example, 30
>> ]minutes) after this account is barraged with lots of failed log-in
>> ]attempts (say, 30 failures within 10 minutes).
>>
>> The problem with this is that it allows a denial of service attack. The
>> attacker just barrages with failed attempts, and then suddenly the real
>> user cannot log in. 30 min later he does it again (or rather automates it).
>
> How about something that blocks the IP of the attacker for a period?
> (for all services.) Then the real user could still log in.

It's probably a better idea. You can try running a script fetching information from syslog and dynamically blocking IP.

--
Stanislaw Klekot
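As an added example (not code from any poster in this thread), here is the kind of syslog-driven check Stanislaw describes, written so that it also shows the denial-of-service point Bill Unruh raises: the same sliding-window counter keyed per account locks out the real user along with the attacker, while keyed per source address it flags only the attacker. The sshd log format, the thresholds and the addresses are assumptions constructed for the example.

```python
"""Sliding-window failed-login counter over syslog-style sshd lines (added
example, not any poster's code; log format, thresholds and addresses are
constructed). Compares per-account lockout with per-IP blocking."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic sshd failure line as syslog writes it (format assumed here):
# "Sep 22 00:13:01 host sshd[123]: Failed password for bob from 192.0.2.10 port 4242 ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2004):
    """Yield (timestamp, user, ip) for every failed-password line; syslog omits the year."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, key, threshold=5, window_sec=600):
    """Keys ('ip' or 'user') that reach >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)          # key -> failure timestamps still inside the window
    hit = set()
    for ts, user, ip in parse_failures(lines):
        k = ip if key == "ip" else user
        q = recent[k]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit.add(k)
    return hit

ATTACKER, REAL_USER_IP = "198.51.100.7", "192.0.2.10"   # constructed documentation addresses
def _line(hms, ip, user="gayle"):  # builds one constructed syslog line in the format above
    return f"Sep 22 {hms} host sshd[4242]: Failed password for {user} from {ip} port 40001 ssh2"

# Constructed sample, in log order: the attacker hammers gayle's account while
# gayle herself mistypes her password twice from her own address.
SAMPLE_LOG = [
    _line("00:10:01", ATTACKER), _line("00:10:07", ATTACKER), _line("00:11:03", ATTACKER),
    _line("00:12:30", REAL_USER_IP), _line("00:12:45", REAL_USER_IP),
    _line("00:12:59", ATTACKER), _line("00:13:04", ATTACKER), _line("00:14:08", ATTACKER),
]
if __name__ == "__main__":
    print("lock accounts:", offenders(SAMPLE_LOG, "user"))  # {'gayle'}: the real user is locked out too
    print("block IPs:    ", offenders(SAMPLE_LOG, "ip"))    # {'198.51.100.7'}: only the attacker
```

Blocking by address still needs site-specific tuning of the window and threshold, since a real user behind the same NAT as the attacker would be blocked as well.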