
Can web site lockout protect against hackers


3 replies to this topic

#1 GoshenBleeping


Posted 10 May 2013 - 08:55 PM

Yeah I know, this post has a lousy title. Couldn't come up with anything better.

 
Everyone says to use only complex and long passwords because bad guys with powerful computers are able to use brute force to try many random passwords.  The longer the password, the longer it would take a hacker to guess correctly using such a trial-and-error process.  
 
However, many sites only allow a small number of wrong passwords before shutting you out.  How do the bad guys get around the small number of tries allowed by most sites?
 
Thank you.




#2 Crazy Cat


Posted 10 May 2013 - 09:09 PM

> However, many sites only allow a small number of wrong passwords before shutting you out. How do the bad guys get around the small number of tries allowed by most sites?
>
> Thank you.

By exploiting vulnerabilities in the web server software and scripting. Have a look at Security Space, http://www.securityspace.com/sspace/index.html for more info.

Edited by Crazy Cat, 10 May 2013 - 09:10 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#3 Didier Stevens


Posted 12 May 2013 - 10:37 AM

> How do the bad guys get around the small number of tries allowed by most sites?

The brute-forcing you are talking about is not done against the site, but against a database of users from the site, stolen from said site by exploiting a vulnerability in the site.

Since this brute-forcing is done locally, there is no limit.


Edited by Didier Stevens, 12 May 2013 - 10:38 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
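
The distinction in the answer above, as an added example (not code from the thread or from any site it mentions): the lockout counter lives in the site's login path, while a copied user record can be checked with no counter at all, so the salted, deliberately slow hash is what protects stored passwords. `LoginService`, `MAX_FAILURES`, `ITERATIONS` and the sample account are assumptions made for the illustration.

```python
import hashlib, hmac, os

MAX_FAILURES = 3        # assumed lockout threshold
ITERATIONS = 200_000    # assumed PBKDF2 work factor

def make_record(password, iterations=ITERATIONS):
    """Store a salted, slow hash instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify_record(record, guess):
    """Check a guess against a stored record; no attempt counter is involved here."""
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

class LoginService:
    """Hypothetical site login path: the only place the lockout is enforced."""
    def __init__(self):
        self.records, self.failures = {}, {}

    def register(self, user, password):
        self.records[user] = make_record(password)
        self.failures[user] = 0

    def login(self, user, password):
        if user not in self.records:
            return "denied"
        if self.failures[user] >= MAX_FAILURES:
            return "locked"              # refused before any hash is computed
        if verify_record(self.records[user], password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"

def demo():
    secret = "constructed-sample-passphrase"   # constructed sample value
    svc = LoginService()
    svc.register("alice", secret)
    online = [svc.login("alice", "wrong-%d" % i) for i in range(4)]
    online.append(svc.login("alice", secret))  # correct, but account is locked
    copied = dict(svc.records["alice"])        # stands in for a stolen database row
    offline = verify_record(copied, secret)    # no lockout applies to the copy
    return online, offline

if __name__ == "__main__":
    print(demo())
```

Raising `ITERATIONS` increases the cost of every check against a copied record, which is the protection that remains once the lockout no longer applies.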


#4 GoshenBleeping


Posted 13 May 2013 - 07:33 AM

Thank you all for the information - much appreciated.





