brute-force

What is the best method to prevent a brute force attack?

烈酒焚心 submitted on 2019-11-27 18:00:36
I have my login page and of course I want to prevent brute force attacks and cause less delay for the users when they are logging in. Currently, you type in your username and password to log in. I am considering implementing a reCAPTCHA. However, this shows on login after 3 failed attempts. My question is: what do you base the attempt on? IP addresses? It can always be hidden... Username? What if they're trying a user that doesn't exist? What would be the best method to count the failed login attempts? Sessions are unreliable because they rely on cookies, CAPTCHAs are regularly broken

Limiting user login attempts in PHP

独自空忆成欢 submitted on 2019-11-27 15:15:25
I've seen web apps with limitations for user login attempts. Is it a security necessity and, if so, why? For example: you had three failed login attempts, let's try again in 10 minutes!! Clarification: This is a completion to the other answers. Using a well-implemented captcha alongside an anti-bruteforce mechanism using sessions, for example. The questioner marked this as accepted assuming that captchas are unreadable by machines (she's almost right) and so it's getting negative points, because people think it's not a complete answer & they're right. Also using a well-implemented CAPTCHA could

Python Brute Force algorithm [closed]

青春壹個敷衍的年華 submitted on 2019-11-27 09:22:31
Question: Closed. This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 9 months ago. I need to generate every possible combination from a given charset to a given range. Like, charset=list(map(str,"abcdefghijklmnopqrstuvwxyz")) range=10 And the output should be, [a,b,c,d..................,zzzzzzzzzy,zzzzzzzzzz] I know I can do this using already in use libraries

How long to brute force a salted SHA-512 hash? (salt provided)

天涯浪子 submitted on 2019-11-26 23:47:28
Here is an algorithm in Java: public String getHash(String password, String salt) throws Exception { String input = password + salt; MessageDigest md = MessageDigest.getInstance("SHA-512"); byte[] out = md.digest(input.getBytes()); return HexEncoder.toHex(out); } Assume the salt is known. I want to know the time to brute force for when the password is a dictionary word and also when it is not a dictionary word. emboss In your case, breaking the hash algorithm is equivalent to finding a collision in the hash algorithm. That means you don't need to find the password itself (which would be a

Preventing Brute Force Logins on Websites

感情迁移 submitted on 2019-11-26 19:25:12
As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks? Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt. Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the

What is the best Distributed Brute Force countermeasure?

梦想的初衷 submitted on 2019-11-26 12:20:41
Question: First, a little background: It is no secret that I am implementing an auth+auth system for CodeIgniter, and so far I'm winning (so to speak). But I've run into a pretty non-trivial challenge (one that most auth libraries miss entirely, but I insist on handling it properly): how to deal intelligently with large-scale, distributed, variable-username brute-force attacks. I know all the usual tricks: Limiting # of failed attempts per IP/host and denying the offenders access (e.g. Fail2Ban) -

Forgot Keystore password, thinking of Brute-Force detection. Will it corrupt the keystore?

蹲街弑〆低调 submitted on 2019-11-26 07:39:07
Question: I recently realized that I have lost the password to my keystore (or perhaps the keystore got corrupted somehow). It keeps giving me the error: Keystore tampered or password incorrect I created a (quite unoptimized) algorithm to brute-force the password by letting it run all night. However, I am not sure how many unsuccessful password attempts will lock the keystore down. Does anyone know anything like this? UPDATE The algorithm I devised works okay (I am using Java), but I realized that

The necessity of hiding the salt for a hash

☆樱花仙子☆ submitted on 2019-11-26 00:52:08
Question: At work we have two competing theories for salts. The products I work on use something like a user name or phone number to salt the hash. Essentially something that is different for each user but is readily available to us. The other product randomly generates a salt for each user and changes each time the user changes the password. The salt is then encrypted in the database. My question is if the second approach is really necessary? I can understand from a purely theoretical perspective that

The necessity of hiding the salt for a hash

自作多情 submitted on 2019-11-25 18:44:23
At work we have two competing theories for salts. The products I work on use something like a user name or phone number to salt the hash. Essentially something that is different for each user but is readily available to us. The other product randomly generates a salt for each user and changes each time the user changes the password. The salt is then encrypted in the database. My question is if the second approach is really necessary? I can understand from a purely theoretical perspective that it is more secure than the first approach, but what about from a practicality point of view. Right now