Hi :-)

On 16/Feb/11 00:32, Michelle Konzack wrote:
> On 2011-02-15 11:57:34, you hacked down the following:
>> Neither of them would resist against distributed attacks, though.
> 
> Why?  If you get three failures per IP in a certain time it is blocked...

Thus an 87382-node botnet can break an average password with 18 bits
of entropy* by the end of the day, with three attempts from each IP.

>> For example, we could block logins, from any IP address, for
>> users affected by more than N failed logins since the last
>> password change.
> 
> You mean you want to count and store the failures over years?

Yes, for each user.

> I have not changed my password for more than 10 years because it is
> too complex to become hacked :-D but I have mistyped my password many
> times because it is very long...  If people were sitting beside me, they
> were never able to memorize it...  Hahaha!

Many times?  If "many" is 35 times per day for 20 years, that makes
for about 255675 attempts: barely enough to break that 18-bit entropy
password, let alone a strong one.  OTOH, a million-node botnet could
easily afford a few thousand attempts per day, from different IP
addresses, without being noticed.  It would crack most passwords in a
few months.

IMHO, counting the global number of failures can counter that.  A
smart system could even estimate the entropy of a cleartext password
and compute N above as a safe fraction of the required number of
attempts, in order to avoid being unduly intrusive.

-- 
[*] Entropy estimate: http://en.wikipedia.org/wiki/Password_strength
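An added illustration of the argument above (not code from the thread or from Courier): a small model that applies the per-IP rule, the per-user "failures since last password change" counter, and a threshold N derived from an entropy estimate. The 1% safe fraction, the guard class and the botnet sizes are constructed assumptions; the entropy estimate is assumed to come from an external checker.

```python
"""Per-IP vs per-user failed-login limits against a distributed guessing attack.
Constructed example; the entropy estimate is assumed to be supplied externally."""
import math
from collections import defaultdict

PER_IP_LIMIT = 3   # the rule from the thread: three failures per IP, then block

def guesses_to_exhaust(entropy_bits):
    """Guesses that exhaust a password space of the given entropy."""
    return 2 ** entropy_bits

def per_user_limit(entropy_bits, safe_fraction=0.01):
    """N from the thread: failures allowed since the last password change,
    as a safe fraction (assumed 1%) of the guesses that exhaust the space."""
    return max(1, math.floor(safe_fraction * guesses_to_exhaust(entropy_bits)))

class LoginGuard:
    def __init__(self, count_per_user):
        self.count_per_user = count_per_user      # False: per-IP rule only
        self.ip_failures = defaultdict(int)
        self.user_failures = defaultdict(int)     # failures since last change
        self.user_limit = {}

    def set_password(self, user, entropy_bits):
        """Password (re)set: derive N from the entropy estimate, reset counter."""
        self.user_limit[user] = per_user_limit(entropy_bits)
        self.user_failures[user] = 0

    def attempt(self, user, ip, success):
        if self.ip_failures[ip] >= PER_IP_LIMIT:
            return "blocked-ip"
        if self.count_per_user and \
                self.user_failures[user] >= self.user_limit[user]:
            return "blocked-user"
        if success:
            return "ok"
        self.ip_failures[ip] += 1
        self.user_failures[user] += 1
        return "failed"

def botnet_guesses(nodes, entropy_bits, count_per_user):
    """Failed guesses a botnet of `nodes` distinct IPs gets to make against
    one account (three tries each) before the guard stops it."""
    guard = LoginGuard(count_per_user)
    guard.set_password("alice", entropy_bits)
    made = 0
    for node in range(nodes):
        ip = f"10.{node >> 16 & 255}.{node >> 8 & 255}.{node & 255}"
        for _ in range(PER_IP_LIMIT):
            if guard.attempt("alice", ip, success=False) != "failed":
                return made
            made += 1
    return made
```

With the per-IP rule alone, 87382 nodes get 262146 guesses, more than the 2^18 needed for the 18-bit case; with the per-user counter the same botnet is stopped after N = 2621.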
courier-users mailing list
courier-users@lists.sourceforge.net