> Uhmmm.. how effective is a brute force attack where you can only try one
> combination per second? It's going to take you a while to get through
> that dictionary.

How determined are you? ;-)

Our product has a brute force attacker in it, and for some protocols, we
have to wait a few seconds between each attempt b/c otherwise the protocol
blocks you as it considers it a DoS.

But the results can finish in several days or even weeks.

> You can still do this on top of the sleep() method. A one second wait
> isn't going to affect you when you log in to an application.

Sure. If you really want to sleep(1); then go nuts. I was only trying to
point out that the sleep(1) is not a really viable way to prevent crackers
from doing anything really. Just slow them down.

> The problem with reacting after three failed logins is that it can then
> be easy to lock other people out of their account. You just have to
> figure out their username, which usually isn't that hard. Since IP
> addresses can be spoofed or shared among users of certain ISPs, relying
> on them isn't adequate, either.

Well, you'd only get 3 attempts to guess a username from a given IP. 
It takes a lot more work to spoof an IP, and coordinate an attack with
several computers.

And most crackers aren't trying to lock people out of their account; they're
trying to gain access themselves. If I wanted to bring down a server, I'd
just DoS it, not waste time locking individual users out one at a time.

Daevid Vincent
Senior Engineer / Architect

 _               _       _                     
| |    ___   ___| | ____| | _____      ___ __  
| |   / _ \ / __| |/ / _` |/ _ \ \ /\ / / '_ \ 
| |__| (_) | (__|   < (_| | (_) \ V  V /| | | |
|_____\___/ \___|_|\_\__,_|\___/ \_/\_/ |_| |_|
x104                                   Networks.com
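The thread weighs a flat sleep(1) against a hard three-strikes lockout that a third party can trigger against someone else's account. A middle ground is a bounded, expiring, escalating delay keyed on both the account and the source address. The following is an added illustration of that policy, not code from the list or from Daevid's product; the class name, the 3 free attempts, the 1 s base delay, 300 s cap and 15 minute window are assumed values chosen for the example, and the logic ports directly to PHP.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Escalating per-account and per-source delay instead of a hard lockout.

    A third party who knows a username can still slow that account down,
    but only up to max_delay and only while failures keep arriving within
    the window; the counters expire on their own, so nobody stays locked out.
    """

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0,
                 window=900.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock  # injectable so the policy can be tested offline
        self.failures = defaultdict(list)  # key -> timestamps of failures

    def _recent(self, key, now):
        # Drop failures older than the window, then count what is left.
        cutoff = now - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def required_delay(self, username, source_ip):
        """Seconds the caller must wait before this attempt may be checked."""
        now = self.clock()
        n = max(self._recent(("user", username), now),
                self._recent(("src", source_ip), now))
        if n < self.free_attempts:
            return 0.0
        # Doubles with each failure past the free ones, capped at max_delay.
        return min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts))

    def record_failure(self, username, source_ip):
        now = self.clock()
        self.failures[("user", username)].append(now)
        self.failures[("src", source_ip)].append(now)

    def record_success(self, username):
        # A real login clears the account counter; the source counter is kept
        # so one address that sprays many accounts stays throttled.
        self.failures.pop(("user", username), None)

    def wait(self, username, source_ip):
        # Equivalent of the thread's sleep(1), but proportional to abuse.
        time.sleep(self.required_delay(username, source_ip))
```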

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
