Date: Sun, 30 Dec 2001 11:44:28 -0500
To: [EMAIL PROTECTED]
From: Geoffrey Turk <[EMAIL PROTECTED]>
Subject: [dgc.chat] Dealing with Passphrase Cracking Bots and Motives for Initiating Them
Cc: [EMAIL PROTECTED]


What can a DGC provider do when a cracker (i.e., a malicious hacker) has initiated a 
script to check a range of user accounts to see if any of them have used a "simple" 
passphrase to protect their gold holding?  

Two common solutions that can be used are:

1) Turing test (see <https://www.goldmoney.com/user/ulogin/UAGREEMENT.asp> for an 
example; scroll to the bottom and click Accept; you will then see the Registration 
Number Turing test) - This method is fool-proof (at least until computers can 
recognise randomly generated graphical characters!), but adds an extra step for the 
user each time he logs in.  Also, how will a blind person access his gold holding?

2) Blocking offending IP addresses - not effective as a cracker could spoof the 
originating IP address; side effect is that legitimate users may be denied access (if 
they happen to use the same ISP that the cracker utilised or spoofed). 

Another option would be for the DGC to perform a complexity check when a user account 
is first created and each time the account passphrase is changed by the user.  The 
passphrase should be relatively complex ("dl39sk10" is complex, "smart1", "password", 
"qwerty" and "rover" are not complex and could conceivably be guessed), and if a 
cracker knows that passphrase complexity is required for all user accounts at a DGC, 
the effort of scanning accounts for weak passphrases becomes pointless.
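A complexity check of the kind described above, as an added Python example that is not code from the original message or from any DGC provider; the word list is a constructed, tiny stand-in for a real dictionary or leaked-passphrase list, and the length and character-class thresholds are assumptions.

```python
import re
from typing import List, Tuple

# Constructed, deliberately tiny word list standing in for a real dictionary /
# leaked-passphrase list; a production check would load a large one.
COMMON_WORDS = {"password", "qwerty", "rover", "smart", "letmein", "gold"}

MIN_LENGTH = 8  # assumed threshold


def classify_passphrase(passphrase: str) -> Tuple[bool, List[str]]:
    """Return (is_complex, reasons) for a candidate passphrase.

    Rules modelled on the message's examples: long enough, mixes at least
    two kinds of characters, and is not a common word, even when the word
    is capitalised or has digits/symbols tacked on ("Password1", "smart1").
    """
    reasons: List[str] = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        bool(re.search(r"[a-z]", passphrase)),
        bool(re.search(r"[A-Z]", passphrase)),
        bool(re.search(r"[0-9]", passphrase)),
        bool(re.search(r"[^A-Za-z0-9]", passphrase)),
    ])
    if classes < 2:
        reasons.append("uses only one kind of character")

    # Normalise: lower-case and strip non-letters from both ends, so that
    # "Password1", "smart1" and "!rover!" all reduce to the bare word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", passphrase.lower())
    if core in COMMON_WORDS:
        reasons.append("based on a common or dictionary word")

    return (not reasons, reasons)


def accept_new_passphrase(passphrase: str) -> bool:
    """Gate to run at account creation and on every passphrase change."""
    ok, reasons = classify_passphrase(passphrase)
    if not ok:
        print("rejected:", "; ".join(reasons))
    return ok


if __name__ == "__main__":
    for candidate in ["dl39sk10", "smart1", "password", "qwerty", "rover"]:
        print(candidate, "->", "complex" if accept_new_passphrase(candidate) else "weak")
```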

What has not been considered in the recent discussions about the passphrase cracking 
bot that has been launched against e-gold is that perhaps the cracker is not 
attempting a check for dictionary words or obvious passphrases like "Password1", but 
instead using a list of known passphrases used at other DGC-related websites.  Imagine 
something like GoldenPonzi.com where users sign up and create a user name and 
passphrase.  GoldenPonzi pays out for a few months and then collapses, but now the 
operators of GoldenPonzi.com have a nice database of passphrases that they can try to 
match to DGC accounts in order to empty their gold holdings.

Always choose a complex and UNIQUE passphrase if you are using the passphrase to 
protect anything of value.

Also, remember that using a passphrase for account protection means you are relying 
only on "something you know".  Using public key cryptography (digital certificates), 
you add in an extra security measure: "something you have".  By adding a digital 
certificate to the login procedure for your DGC account, your gold holding is 
protected against all passphrase attacks, because the cracker does not have your 
digital certificate, which is stored securely in your web browser.

A side benefit of the digital certificate is that it protects you against denial of 
service attacks in which a cracker continuously tries to access your account and locks 
you out when the maximum number of attempts has been made (generally 3 attempts are 
allowed every 15 minutes).

GoldMoney has enabled the use of digital certificates from day one.  For more 
information about using a digital certificate to protect a GoldMoney Holding account, 
see:
http://chat.goldmoney.com/discuss/messages/29.html

Regards,
Geoff


---
You are currently subscribed to e-gold-list as: [email protected]
To unsubscribe send a blank email to [EMAIL PROTECTED]