Slow down the keystroke rate to accept a password


  #1  
Old 06-09-16, 06:21 AM
B
Member
Thread Starter
Join Date: Oct 2008
Location: New England
Posts: 9,460
Received 47 Upvotes on 43 Posts

While I'm here, I was watching a tech show discussing how fast they can hack a password by trying a gazillion combinations per second. So, why haven't the password ports simply slowed down the rate at which they will accept each entry? If they required a 1 second pause between numbers, or whatever, users would be barely slowed down. But the gazillion tries from a hacker would take years, thus making it impossible. Even a tenth of a second would defeat their hack.

Seems like the computer world just isn't trying to stop hacking.

Bud
 
  #2  
Old 06-09-16, 07:01 AM
Z
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 3,386
Received 124 Upvotes on 115 Posts
Bud -

I think in cases where they steal password files from the server they run their hacking software on a separate machine and thus they are not bothered by any constraints.

But I think I know what you are talking about, cases where they just keep trying to enter into the system directly. I’ve seen this explanation many times, so I guess it is being copied and originated from a single source somewhere. Hope they’re right, LOL. But it seems to make sense:

Although adding a delay could slow a single-threaded attack, it is less effective if the attacker sends multiple simultaneous authentication requests.
But it still sounds like it is of some help.
 
  #3  
Old 06-09-16, 07:46 AM
D
Banned. Rule And/Or Policy Violation
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes on 0 Posts
I think in cases where they steal password files from the server they run their hacking software on a separate machine and thus they are not bothered by any constraints
That is correct. For cases where it's a direct attempt against the server, implement a 5 failed login lockout.
 
  #4  
Old 06-09-16, 09:24 AM
Z
Forum Topic Moderator
Join Date: Sep 2005
Location: USA
Posts: 6,095
Received 422 Upvotes on 375 Posts
It's more complex than that. Most sites and tools will limit your password tries. After 5 or so entries, they will either lock your account for a specified amount of time, or start slowing down the password entry. If you notice, some systems will take longer and longer to attempt a login after each attempt.

Where much of the issue comes from is hackers stealing a password database and using tools to crack the list. Once a list is cracked, they try the same password on other systems. That's why it's so important to use different passwords on different systems.

You may create a password for a 'club card' for a local grocery store using your bud@gmail.com email address. Their security may be lax since there's no personal information. But if your really secure password is stolen, they can try logging into facebook using the same email and password... or gmail, or your bank, etc. Even though your bank may use super duper security measures, it doesn't help this case where they already have your often-used password.

(This is oversimplified... there are hundreds of books written on the subject, and more every day)
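The throttling that post #4 describes (and that post #2 notes is weaker when an attacker sends many requests at once) is easiest to see in code. The following is an added example for this thread, not code from any poster or product: the wait schedule, the lockout threshold and the in-memory user table are assumptions. The point it demonstrates is that the delay must be tied to the account's failure count, not to the connection, otherwise parallel requests simply overlap the waits.

```python
"""Per-account login throttling with progressive delay and lockout.

Added illustration for this thread, not code from any poster or product.
The schedule, thresholds and the in-memory user table are assumptions.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed demo credential table: username -> SHA-256 of the password.
# (Plain SHA-256 is used only for brevity here; a real site would store a
# salted, deliberately slow hash, which is a separate topic.)
USERS = {"bud": hashlib.sha256(b"correct horse battery").hexdigest()}

# Assumed policy: wait imposed after the Nth consecutive failure, and a
# hard lockout once LOCKOUT_AT failures have accumulated.
BACKOFF = {1: 5, 2: 30, 3: 60}       # seconds; later failures reuse 60
LOCKOUT_AT = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0          # earliest time another attempt is considered


class LoginThrottle:
    """Tracks failures per account, not per connection, so an attacker who
    opens many connections at once still gets only one evaluated guess per
    wait window. The clock is injectable so an attack can be simulated."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}

    def attempt(self, user, password):
        """Return 'ok', 'bad_password', 'throttled' or 'locked'."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if now < st.not_before:
            # Rejected before the password is even looked at: guesses sent
            # during the wait window give the attacker no information.
            return "locked" if st.failures >= LOCKOUT_AT else "throttled"
        expected = USERS.get(user)
        digest = hashlib.sha256(password.encode()).hexdigest()
        # Always hash and compare so unknown usernames take the same path.
        if expected is not None and hmac.compare_digest(digest, expected):
            self.state.pop(user, None)   # success clears the failure count
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_AT:
            st.not_before = now + LOCKOUT_SECONDS
        else:
            st.not_before = now + BACKOFF.get(st.failures, 60)
        return "bad_password"


class FakeClock:
    """Deterministic clock for simulating an attack without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def count_evaluated_guesses(n_guesses, seconds_per_guess):
    """Fire n_guesses wrong passwords at one account at a fixed rate and
    return how many the server actually checked against the stored hash."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    evaluated = 0
    for i in range(n_guesses):
        if throttle.attempt("bud", f"guess{i}") == "bad_password":
            evaluated += 1
        clock.advance(seconds_per_guess)
    return evaluated


if __name__ == "__main__":
    # 400 guesses at 4 per second = 100 simulated seconds of attack.
    print("guesses checked by server:", count_evaluated_guesses(400, 0.25))
```

With the assumed schedule, 400 guesses fired over 100 seconds get only four of them checked, and 400 fired all at once get one. The cost is that the legitimate user is also held to the wait after a typo, which is the user-complaint trade-off the later posts mention. Keying the state on the account rather than the source address is what keeps a botnet spreading its guesses over many IPs from bypassing the limit; a real deployment would usually combine both keys.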
 
  #5  
Old 06-11-16, 11:21 PM
WRDIY
Member
Join Date: Jul 2012
Posts: 1,081
Received 41 Upvotes on 39 Posts
Originally Posted by Mr. Bud
Seems like the computer world just isn't trying to stop hacking.
If you think this is true, the cell phone is even more scary. I saw a dateline episode where they can view your cell camera without you even knowing it. I no longer leave my cell phone on my office desk but I leave it in a case.

As for the password hacking, they can use many different techniques, depending on whether you are talking about internet sites or applications. It is a topic that can be discussed day and night, covering security in both its physical and digital forms.

There are a few new encryption programs that allow you to define the seconds between wrong passwords. Today's PC can brute force right through a dictionary. However, if they have a keylogger installed on your computer, it doesn't matter once they capture your passwords.

I don't even bother worrying over internet website passwords. Because if they crack into those servers (such as HomeDepot, Target, LinkedIn, etc...) they pretty much have your passwords along with millions of others. It is out of our control.
 
  #6  
Old 08-05-16, 09:53 PM
Spikester
Member
Join Date: Jun 2011
Location: USA
Posts: 167
Upvotes: 0
Received 0 Upvotes on 0 Posts
Bud9051, it depends on how they are cracking the password. If they are hitting a live website (a very infrequent case) they usually have the password from stolen credentials, or they are limited by the site's programming. This may be that after 10 failed attempts the IP is blocked for x hours, but this doesn't stop a botnet (thousands or millions of IP addresses) from hitting the site and trying different combinations (an example would be a common attack on WordPress sites). Or the site may have safeguards that increase the time limit for submissions after each failed attempt (e.g. 1 fail 5 seconds, 2 fails 30 seconds, 3 fails one minute, etc.).

However, this is not typically the scenario, usually it is on an offline database which is limited by the hashing algorithm. In the instance of MD5 (a very common hash algorithm) any average gaming PC could hit each variation at 500 million guesses per second. For a system that is built for cracking passwords or mining bitcoin, this could be several trillion (haven't done the math in a while). However, for something like bcrypt this number is significantly lower as it requires much more computational power to achieve the hash.

Originally Posted by zoesdad
I think in cases where they steal password files from the server they run their hacking software on a separate machine and thus they are not bothered by any constraints.
Exactly, this is where the hashing algorithm (or lack of) comes into place.

Originally Posted by donoli2016
That is correct. For cases where it's a direct attempt against the server, implement a 5 failed login lockout.
Absolutely, for the site side, 5 is a good number and a lockout should always be put in place. Even if you have users that massively fail at entering passwords, 10 is much better than 10 billion.

Originally Posted by Zorfdt
It's more complex than that. Most sites and tools will limit your password tries. After 5 or so entries, they will either lock your account for a specified amount of time, or start slowing down the password entry. If you notice, some systems will take longer and longer to attempt a login after each attempt.
Yep, but unfortunately with most systems, this must be a conscious decision, and too often it is overlooked, or disregarded entirely due to inconvenience or influx of user complaints.

Originally Posted by Zorfdt
Where much of the issue comes from is hackers stealing a password database and using tools to crack the list. Once a list is cracked, they try the same password on other systems. That's why it's so important to use different passwords on different systems.
Excellent spot for a plug for password managers. I recommend KeePass or LastPass depending on your usage.

Even worse for these lists: if they did not use a unique salt (an additional bit of text to hash with the password), then there are already terabytes of pre-compiled hashes, so they don't even need to make a single guess. They simply load the library of hashes, then run a find with the pre-compiled hashes against the hashes in the database dump. If they find one that matches, they simply look at the originating value and boom, there is the password without a single guess.

Originally Posted by Zorfdt
You may create a password for a 'club card' for a local grocery store using your bud@gmail.com email address. Their security may be lax since there's no personal information. But if your really secure password is stolen, they can try logging into facebook using the same email and password... or gmail, or your bank, etc. Even though your bank may use super duper security measures, it doesn't help this case where they already have your often-used password.
XKCD does an excellent job of explaining this:
xkcd: Password Reuse


Originally Posted by WRDIY
There are a few new encryption programs that allow you to define the seconds between wrong passwords. Today's PC can brute force right through a dictionary. However, if they have a keylogger installed on your computer, it doesn't matter once they capture your passwords.
Even worse, there are now vulnerabilities in wireless keyboards, so a keylogger isn't even necessary in some cases.

Originally Posted by WRDIY
I don't even bother worrying over internet website passwords. Because if they crack into those servers (such as HomeDepot, Target, LinkedIn, etc...) they pretty much have your passwords along with millions of others. It is out of our control.
This is a terrible mindset. More and more of our world is being hosted by web services, and this is where password reuse is such an issue. While these sites may have breaches, you don't want to have your LinkedIn password be the same as your email or your bank password. Otherwise, once your LinkedIn account is breached, they use that password to access your email (which they got from LinkedIn) and see which place you bank with and what online shopping sites you use. Then they go to your bank, steal your money, etc. Each account must be treated with a secure mindset; even one as simple as this site should not share a password with any other website. As I mentioned earlier, services such as LastPass, 1Password, and Dashlane, as well as offline systems such as KeePass, are excellent ways of managing your passwords.

Hope this helps.

~Spike
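Spike's post makes two points about the offline case that posts #2 and #3 raised: a fast unsalted hash such as MD5 lets an attacker recover passwords from a dump by table lookup without guessing at all, and a salted, deliberately slow hash such as bcrypt forces per-record guessing at a far higher cost per guess. The following added example (not code from any poster) shows both sides against a constructed three-user dump. The wordlist, the users and the iteration count are assumptions, and PBKDF2-HMAC from the Python standard library stands in for bcrypt, which is not in the standard library.

```python
"""Offline cracking of a stolen password table: unsalted fast hash versus
salted slow hash.

Added illustration for this thread, not code from any poster. The wordlist,
the user records and the iteration count are constructed assumptions, and
PBKDF2-HMAC stands in for bcrypt because bcrypt is not in the standard
library.
"""
import hashlib
import os
import time

# Constructed tiny "dictionary". Real attacks use lists of billions of
# leaked passwords; the mechanics are identical.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine"]

# Constructed user passwords (what the site's users actually chose).
PLAINTEXTS = {"alice": "letmein", "bob": "sunshine", "carol": "Tr0ub4dor&3-not-in-list"}

ITERATIONS = 100_000   # assumed work factor for the slow hash


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. This is the library of
    'pre-compiled hashes': built before any breach and reused against
    every unsalted dump."""
    return {md5_unsalted(w): w for w in words}


def crack_unsalted(dump, table):
    """Zero guesses per record: each stored hash is simply looked up."""
    return {user: table[h] for user, h in dump.items() if h in table}


def salted_slow_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_dump(plaintexts, iterations=ITERATIONS):
    """What a site that salts and stretches would store: (salt, hash) per user."""
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)                  # unique per record
        dump[user] = (salt, salted_slow_hash(pw, salt, iterations))
    return dump


def crack_salted(dump, words, iterations=ITERATIONS):
    """With unique salts no table can be reused: every candidate word must
    be re-hashed under each user's salt at the hash's full cost. Returns
    the cracked passwords and how many hash computations it took."""
    cracked, work = {}, 0
    for user, (salt, stored) in dump.items():
        for w in words:
            work += 1
            if salted_slow_hash(w, salt, iterations) == stored:
                cracked[user] = w
                break
    return cracked, work


def cost_ratio(iterations=ITERATIONS, samples=200):
    """Rough ratio of one slow-hash computation to one MD5: the factor by
    which the attacker's guesses-per-second figure shrinks."""
    t0 = time.perf_counter()
    for i in range(samples):
        md5_unsalted(f"guess{i}")
    md5_each = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    salted_slow_hash("guess", b"\x00" * 16, iterations)
    slow_each = time.perf_counter() - t0
    return slow_each / md5_each


if __name__ == "__main__":
    unsalted_dump = {u: md5_unsalted(p) for u, p in PLAINTEXTS.items()}
    print("unsalted MD5, lookup only:",
          crack_unsalted(unsalted_dump, build_lookup_table(WORDLIST)))
    cracked, work = crack_salted(make_salted_dump(PLAINTEXTS), WORDLIST)
    print(f"salted slow hash: {cracked} after {work} hash computations")
    print(f"one slow hash costs roughly {cost_ratio():.0f}x one MD5")
```

Two things to notice: the unsalted dump gives up alice and bob with no hashing at attack time, and carol's non-dictionary password survives either way. The salted dump still gives up the two dictionary passwords, but only after recomputing the hash under each user's own salt, so the work grows with the number of users and each guess costs the full iteration count. That per-guess cost, not the salt, is what turns Spike's hundreds of millions of MD5 guesses per second into a far smaller number for bcrypt or PBKDF2.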
 
 