September 15, 2011 at 7:26 am
Revenant (9/14/2011)
Nadrek (9/14/2011)
Revenant (9/14/2011)
Nadrek (9/14/2011)
. . . Single-hashed SHA1 passwords can be cracked at a rate in excess of 13 billion tries per second per machine with GPUs . . .
. . . unless someone is counting and times out the attacking IP address after, say, three consecutive failed attempts.
I was speaking of an offline attack, after an insider took the MDF, or the backup file, or used a vulnerability (SQL Injection, a trojan, a botnet, etc.; see Gawker and Sony recently) to obtain a bulk copy of the userids and hopefully hashed passwords, and then attack the hashed passwords.
That type of defense is IMO the proverbial closing the gate after the horse is gone.
Online attacks are different, but are also often conducted by botnets, so any one attacking IP only hits one username once. Note that timing out an IP after three consecutive failed attempts can really irk the clients/customers of a public web site if one company/ISP/etc. has 20,000 people behind a single external IP address. Timeouts like that are almost always implemented per user account, or per user account + IP, etc.
Absolutely - we do ID+IP.
I would have to disagree; it's not closing the gate after the horse is gone (that would be fixing your vulnerability, firing the insider who already stole the data, etc.). It's implementing a layered security policy, so that no one (or, in advanced cases, few) failure(s) become a catastrophic event; there's another layer of mitigation in place, and if you're going to have a layer of mitigation, it should be an effective mitigation.
And for online attacks, ID+IP prevents a single IP from hitting each ID with more than N password attempts, but a small botnet of 10,000 IPs can try 10,000N passwords on each ID, even assuming that its members can't change IPs or spoof other IPs.
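The offline attack described in this post (an attacker who already holds the dumped userids and single-hashed SHA1 passwords) can be shown in a few lines. The following is an added example written for this page, not code posted by anyone in the thread; the wordlist, the three leaked accounts and the PBKDF2 iteration count are constructed assumptions. It contrasts a dump of unsalted SHA1 hashes, where one hash per candidate password serves every account, with a per-user salted, iterated hash, where the same wordlist costs one full pass per account and every guess is `iterations` times slower.

```python
import hashlib
import os

# Constructed sample data (not from the thread): a small candidate wordlist
# and a leaked table of userid -> unsalted SHA1(password), as a site that
# "single hashes" with SHA1 would store it.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "dragon"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_UNSALTED = {
    "alice": sha1_hex("hunter2"),
    "bob": sha1_hex("letmein"),
    "carol": sha1_hex("Tr0ub4dor&3"),   # not in the wordlist; should survive
}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Offline attack on unsalted single-hash SHA1.

    One hash per candidate serves every account in the dump: the work is
    len(wordlist) hashes in total, not len(wordlist) * len(leaked), and the
    lookup table can be precomputed before the dump is even obtained.
    """
    lookup = {sha1_hex(w): w for w in wordlist}
    return {user: lookup.get(h) for user, h in leaked.items()}


def pbkdf2_record(password: str, iterations: int = 20_000) -> tuple:
    """Store a per-user random salt plus an iterated (slow) hash instead.
    The iteration count is an assumed value for the example."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def crack_salted(records: dict, wordlist: list) -> dict:
    """Same wordlist against salted, iterated hashes.

    The salt forces a separate pass over the wordlist per account, and the
    iteration count multiplies the cost of every guess, so a precomputed
    table is useless and the per-guess rate drops by a factor of `iterations`.
    Weak passwords are still found, just far more slowly.
    """
    found = {}
    for user, (salt, iterations, dk) in records.items():
        found[user] = None
        for w in wordlist:
            guess = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, iterations)
            if guess == dk:
                found[user] = w
                break
    return found


def hash_work(n_users: int, n_words: int, iterations: int) -> dict:
    """Hash-function invocations the attacker needs to try the whole
    wordlist against every account, for each storage scheme."""
    return {
        "unsalted_sha1": n_words,                       # one shared lookup table
        "salted_pbkdf2": n_users * n_words * iterations,
    }


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted = {u: pbkdf2_record(p) for u, p in
              [("alice", "hunter2"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]}
    print(crack_salted(salted, WORDLIST))
    print(hash_work(3, len(WORDLIST), 20_000))
```

Note what the salted version does and does not buy: `hunter2` and `letmein` are still recovered, because the wordlist contains them; the defence is that the attacker's 13 billion SHA1 tries per second become a few hundred thousand PBKDF2 tries per second, and each of those only tests one account.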
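The online side of the discussion, the ID+IP failed-attempt counter and the 10,000N budget a botnet gets against each ID, is simulated below. This is an added example, not code from the thread or from any product mentioned in it; the throttle class, the `pw0`..`pw99` wordlist, the target account and the 10.0.0.0/8 bot addresses are all constructed assumptions. It compares a counter keyed on user ID alone with one keyed on ID+IP, measuring both how many guesses a botnet of `n_ips` addresses can make against one account and whether the legitimate owner can still log in afterwards.

```python
from collections import defaultdict
import ipaddress

# Constructed sample data (not from the thread).
USERS = {"alice": "pw90"}                       # the only real password
BOT_WORDLIST = [f"pw{i}" for i in range(100)]   # the botnet's guess list, in order


class LoginThrottle:
    """Counts consecutive failures per key and refuses further attempts
    once the count reaches max_failures; a success resets the key."""

    def __init__(self, max_failures: int, mode: str = "id+ip"):
        if mode not in ("id", "id+ip"):
            raise ValueError("mode must be 'id' or 'id+ip'")
        self.max_failures = max_failures
        self.mode = mode
        self.failures = defaultdict(int)

    def _key(self, user: str, ip: str):
        return (user, ip) if self.mode == "id+ip" else (user,)

    def allowed(self, user: str, ip: str) -> bool:
        return self.failures[self._key(user, ip)] < self.max_failures

    def record(self, user: str, ip: str, success: bool) -> None:
        key = self._key(user, ip)
        self.failures[key] = 0 if success else self.failures[key] + 1


def attempt_login(throttle: LoginThrottle, users: dict, user: str, ip: str, guess: str) -> str:
    """Returns 'locked', 'ok' or 'fail'."""
    if not throttle.allowed(user, ip):
        return "locked"
    ok = users.get(user) == guess
    throttle.record(user, ip, ok)
    return "ok" if ok else "fail"


def run_botnet(mode: str, n_ips: int, max_failures: int, wordlist: list,
               users: dict, target: str = "alice") -> tuple:
    """Botnet with n_ips distinct source addresses guessing one account.
    Each bot keeps guessing from the shared list until its key is locked.
    Returns (throttle_after_attack, guesses_made, password_found_or_None)."""
    throttle = LoginThrottle(max_failures, mode)
    words = iter(wordlist)
    guesses = 0
    for i in range(n_ips):
        ip = str(ipaddress.IPv4Address("10.0.0.0") + i)   # constructed bot address
        while throttle.allowed(target, ip):
            w = next(words, None)
            if w is None:                                  # wordlist exhausted
                return throttle, guesses, None
            guesses += 1
            if attempt_login(throttle, users, target, ip, w) == "ok":
                return throttle, guesses, w
    return throttle, guesses, None


def legit_login_after(throttle: LoginThrottle, users: dict, target: str = "alice",
                      legit_ip: str = "192.0.2.10") -> str:
    """Can the real owner (from an address the botnet never used) still log in?"""
    return attempt_login(throttle, users, target, legit_ip, users[target])


if __name__ == "__main__":
    for mode, n_ips in (("id", 10), ("id+ip", 10), ("id+ip", 50)):
        t, made, found = run_botnet(mode, n_ips, 3, BOT_WORDLIST, USERS)
        print(f"{mode:6} {n_ips:3} IPs: {made:3} guesses, found={found}, "
              f"owner login -> {legit_login_after(t, USERS)}")
```

With N = 3 the ID+IP counter gives the botnet exactly 3 guesses per address, so 10 addresses yield 30 guesses and 50 addresses yield enough to reach `pw90`; the per-ID counter caps the whole account at 3 guesses from any number of addresses, but the trade-off shows up in the last column: once the botnet has spent those 3 failures, the account's real owner is locked out too, which is the denial-of-service cost of per-ID lockouts that the per-IP-annoyance point in the thread is the mirror image of.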