Is brute force a probable threat even if you enable CAPTCHA and rate limit logins?
Score: 1
Let's assume CAPTCHA is enabled with account lockout control (after five consecutive failed attempts, the account is locked for 15 min) on a system.
Is brute force still a probable threat?
Tags: authentication, brute-force, captcha
asked 4 hours ago by Sayan (1,246); edited 4 hours ago by Anders (45.7k)
2 Answers
Score: 2
Maybe. It depends on how you define "brute force".
A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.
There's another scenario where the attacker has picked a few common passwords ("password", "password123", etc.), and rather than attacking a single user, they try their 4 common passwords on every account they know of in your system:
User: Jim
PW: password, password123, letmein, secret
User: Bob
PW: password, password123, letmein, secret
User: Alice
PW: password, password123, letmein, secret
This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or to make lateral moves to other services where passwords may have been reused.
I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per-account or per-IP level.
answered 3 hours ago by Daisetsu (1,643); edited 3 mins ago by Anders (45.7k)
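The answer above suggests counting overall invalid logins, not just per-account or per-IP failures. The following Python is an added example (not code from the answer or from any project on this page) showing why: it combines the question's per-account lockout (five consecutive failures, 15-minute lock) with a site-wide sliding-window counter of failed logins. The window length (60 s), the site-wide alert threshold (20 failures), the account names and the attempt timings are all constructed assumptions. In the spraying simulation no account ever reaches five failures, so the per-account lockout never fires, while the site-wide counter crosses its threshold partway through the run.

```python
from collections import defaultdict, deque

ACCOUNT_LOCK_THRESHOLD = 5      # consecutive failures per account (policy from the question)
ACCOUNT_LOCK_SECONDS = 15 * 60  # lockout length (policy from the question)
GLOBAL_WINDOW_SECONDS = 60      # assumed sliding window for site-wide failures
GLOBAL_FAIL_THRESHOLD = 20      # assumed site-wide alert level; tune to your own baseline


class LoginGuard:
    """Per-account lockout plus a site-wide failed-login counter."""

    def __init__(self):
        self.fail_count = defaultdict(int)  # account -> consecutive failures
        self.locked_until = {}              # account -> time the lock expires
        self.global_fails = deque()         # timestamps of failures, all accounts
        self.alerts = []                    # (time, failures_in_window) when threshold hit

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def global_failure_count(self, now):
        """Failed logins across every account inside the sliding window."""
        while self.global_fails and now - self.global_fails[0] > GLOBAL_WINDOW_SECONDS:
            self.global_fails.popleft()
        return len(self.global_fails)

    def record_attempt(self, account, success, now):
        """Returns 'locked', 'ok' or 'fail' for one login attempt at time `now`."""
        if self.is_locked(account, now):
            return "locked"
        if success:
            self.fail_count[account] = 0
            return "ok"
        self.fail_count[account] += 1
        if self.fail_count[account] >= ACCOUNT_LOCK_THRESHOLD:
            self.locked_until[account] = now + ACCOUNT_LOCK_SECONDS
            self.fail_count[account] = 0
        self.global_fails.append(now)
        count = self.global_failure_count(now)
        if count >= GLOBAL_FAIL_THRESHOLD:
            self.alerts.append((now, count))
        return "fail"


def simulate_single_target(guard, account="jim", start=0):
    """Six wrong guesses against one account, one per second (constructed data)."""
    return [guard.record_attempt(account, False, start + i) for i in range(6)]


def simulate_spray(guard, accounts, guesses, start=0):
    """The answer's scenario: each common password tried against every account,
    one attempt per second. Constructed so that no guess is correct."""
    t = start
    for _ in guesses:
        for account in accounts:
            guard.record_attempt(account, False, t)
            t += 1
    return {
        "locked": [a for a in accounts if guard.is_locked(a, t)],
        "alerts": len(guard.alerts),
        "first_alert": guard.alerts[0] if guard.alerts else None,
    }


if __name__ == "__main__":
    g = LoginGuard()
    print("single target:", simulate_single_target(g))   # lockout catches this
    g = LoginGuard()
    users = [f"user{i}" for i in range(10)]
    print("spray:", simulate_spray(g, users, ["password", "password123", "letmein", "secret"]))
```

The single-target run returns five "fail" results and then "locked", with no site-wide alert. The spray run locks nobody (four failures per account stays under the threshold) but raises the first site-wide alert on the 20th failure, 19 seconds in, and keeps raising it for the rest of the run. In production the site-wide threshold should be set from your normal failure rate, and the alert should feed a detection pipeline rather than only a log line.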
Score: 1
The protections you describe are good ones that you should consider, but there can still be weaknesses:
- Many CAPTCHAs can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).
- Account lockout is a good idea, but if you do it based on IP, someone with access to a botnet could retry logins on a single account from different IPs until they get in.
Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.
answered 4 hours ago by Anders (45.7k)
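The last paragraph of the answer above says offline brute force against a leaked database is why you need "good hashing", without naming a scheme. The following Python is an added example (not code from the answer) that makes the point concrete with a cost model: it stores passwords with salted PBKDF2-HMAC-SHA256 from the standard library and contrasts that with a bare unsalted SHA-256 table. The users, their passwords and the guess list are constructed sample data; the iteration count is an assumed work factor, and PBKDF2 is chosen only because it ships with Python (memory-hard functions such as scrypt or Argon2id are the stronger choice where a library is available). The model counts how many hash evaluations it takes to test the four common guesses from the first answer against every leaked record.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor; raise as your hardware allows
SALT_BYTES = 16

# Constructed sample users and the guess list quoted in the first answer.
SAMPLE_USERS = {"jim": "password", "bob": "letmein", "alice": "v3ry-l0ng-passphrase"}
COMMON_GUESSES = ["password", "password123", "letmein", "secret"]


def hash_password(password, iterations=ITERATIONS):
    """Salted, deliberately slow hash for storage: a fresh random salt per user."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def fast_unsalted_hash(password):
    """Bare SHA-256 with no salt: the weak storage scheme being contrasted."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_tables(iterations=ITERATIONS):
    """Two leaked-table shapes for the same users: unsalted SHA-256 vs salted PBKDF2."""
    unsalted = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p, iterations) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


def offline_cost_unsalted(table, guesses):
    """Unsalted table: one cheap hash per guess is compared against every user at once."""
    users_by_hash = {}
    for user, h in table.items():
        users_by_hash.setdefault(h, []).append(user)
    hashes_computed, recovered = 0, {}
    for guess in guesses:
        hashes_computed += 1
        for user in users_by_hash.get(fast_unsalted_hash(guess), []):
            recovered[user] = guess
    return recovered, hashes_computed


def offline_cost_salted(table, guesses):
    """Salted PBKDF2 table: every guess must be rerun per user at the full work factor."""
    kdf_runs, recovered = 0, {}
    for user, stored in table.items():
        for guess in guesses:
            kdf_runs += 1
            if verify_password(guess, stored):
                recovered[user] = guess
    return recovered, kdf_runs


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted:", offline_cost_unsalted(unsalted, COMMON_GUESSES))
    print("salted  :", offline_cost_salted(salted, COMMON_GUESSES))
```

Both tables give up the two weak passwords, so hashing does not rescue "password" or "letmein"; what changes is the price. The unsalted table costs 4 single SHA-256 calls for all users together, whereas the salted table costs 12 PBKDF2 runs of 600,000 iterations each, and that multiplier grows linearly with the number of leaked users. That cost, not the secrecy of the hash, is what keeps an offline attacker from walking a large wordlist across a whole leaked database.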