Geekzone: technology news, blogs, forums
nunz
1421 posts

Uber Geek
Inactive user


  #2222041 22-Apr-2019 10:41

One of the best things a web master can do is have a system that generates passwords for users... not allowing them to use their own passwords. Forces good practice.

However, that's not convenient to users and they baulk at it.

The other is looking up user passwords in the cracked DBs online and informing users if they are using a hacked password.

To stop brute force, my servers put a 30 min ban on an IP after 3 fails. Then 24 hours after a second set of fails within 24 hours. Then a hard ban permanently. It doesn't matter if they fail the same user name or different ones. That stops name skipping.

I also check against fails from different IPs on the same username and run the same ban scheme as above.

Also, I put immediate bans on attempts to log on as admin, root and a range of service names like postfix, www or apache.

Hope that helps explain how some admins stop brute forcing.



MadEngineer
4292 posts

Uber Geek

Trusted

  #2222043 22-Apr-2019 10:44

So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?




You're not on Atlantis anymore, Duncan Idaho.

gjm
808 posts

Ultimate Geek


  #2222048 22-Apr-2019 10:55

It's 2019 and my ASB bank password is still not case sensitive...









MadEngineer
4292 posts

Uber Geek

Trusted

  #2222143 22-Apr-2019 12:59

Same for Westpac.





nunz
1421 posts

Uber Geek
Inactive user


  #2222476 23-Apr-2019 00:36

MadEngineer: So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?

They have my phone number if it's a genuine mess-up. We also use harder-to-guess user names like seh01245, so brute forcing has to guess user names.

FYI, invalid user names also count in the ban list, so three failed user name guesses is the same deal as 3 bad passwords. It produces much the same log message for fail2ban and other systems to pick up on.

Users would rather have you reset for them than let dipsticks screw with their data.

Where possible we blacklist all IP addresses and whitelist the clients. We also don't tend to use standard URLs like /wp-admin.

Brute forcing a user name is not straightforward.

HTH
Shane
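The escalating ban ladder nunz describes in the first post (30 minutes after 3 fails, 24 hours for a second set of fails within a day, then permanent; counted per source IP whatever the user name, and separately per user name across IPs; admin, root and service names banned on the first attempt) together with the follow-up point that invalid user names count the same as bad passwords, as an added Python sketch that is not code from the thread. It assumes sshd-style log lines, reads the 24-hour window as measured from the end of the previous ban, and the IPs and names in the sample are constructed.

```python
import re
PRIVILEGED = {"admin", "root", "postfix", "www", "apache"}  # names from the post: banned on sight
THRESHOLD = 3                                   # fails per IP (any user) or per user (any IP)
WINDOW = 24 * 3600                              # next set of fails within this escalates the ban
BAN_STEPS = (30 * 60, 24 * 3600, float("inf"))  # 30 min, then 24 h, then permanent
# sshd-style lines (assumed format); an "Invalid user" line counts the same as a bad password
LINE_RE = re.compile(r"(?:Failed password for|Invalid user) (?:invalid user )?(\S+) from (\S+)")

class BanPolicy:
    """Escalating fail2ban-style bans keyed by source IP and, separately, by target user name."""
    def __init__(self):
        self.by_ip, self.by_user = {}, {}       # key -> {"fails", "bans", "until"}

    def _fail(self, table, key, now):
        o = table.setdefault(key, {"fails": 0, "bans": 0, "until": 0.0})
        o["fails"] += 1
        if o["fails"] < THRESHOLD:
            return None
        o["fails"] = 0
        if o["bans"] and now - o["until"] > WINDOW:  # a quiet day since the last ban: restart
            o["bans"] = 0
        length = BAN_STEPS[min(o["bans"], len(BAN_STEPS) - 1)]
        o["bans"], o["until"] = o["bans"] + 1, now + length
        return length

    def observe(self, line, now):
        # feed one log line with its epoch time; returns the (scope, key, seconds) bans issued
        m = LINE_RE.search(line)
        if not m:
            return []
        user, ip = m.groups()
        if self.by_ip.get(ip, {}).get("until", 0.0) > now:   # source still banned: don't re-count
            return []
        if user in PRIVILEGED:                  # admin/root/service names: no three strikes
            self.by_ip.setdefault(ip, {"fails": 0, "bans": 0})["until"] = float("inf")
            return [("ip", ip, float("inf"))]
        bans = []
        for scope, table, key in (("ip", self.by_ip, ip), ("user", self.by_user, user)):
            length = self._fail(table, key, now)
            if length is not None:
                bans.append((scope, key, length))
        return bans
# Constructed log lines (not from the thread): one IP guesses three names, then a root attempt.
SAMPLE = [(0, "sshd[1]: Failed password for seh01245 from 203.0.113.5 port 40001 ssh2"),
          (5, "sshd[1]: Invalid user bob from 203.0.113.5 port 40002"),
          (9, "sshd[1]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2"),
          (12, "sshd[1]: Failed password for root from 198.51.100.9 port 40010 ssh2")]
def run_sample():
    policy = BanPolicy()
    return [ban for now, line in SAMPLE for ban in policy.observe(line, now)]
```

A deployment would feed the "ip" bans to the firewall and treat a "user" ban as a signal to lock the account and reset it out of band, which is what the post describes doing.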

nunz
1421 posts

Uber Geek
Inactive user


  #2222477 23-Apr-2019 00:44

MadEngineer: So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?

BTW, using CGNAT, your port will give you away. I don't check for ports, but in the extremely unlikely event CGNAT became an issue I'd look at reverse crawling the port back to the source.

Or ask the ISP to do the same and ban the end user.

I did it before; the ISP didn't even know the pillock was on their network until I called them up and let them know.

Most people have their own IP, especially with IPv6 growing in use.




freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2223228 24-Apr-2019 15:33

Saw this one on Twitter today. Look at those rules - they try to make it as easy as possible for brute force, don't they?

The password must be eight characters - no less, no more. It is not case sensitive and the characters are limited to the ones listed...

 





  #2223256 24-Apr-2019 15:54

Oh god, that is horrible.

I saw this article this morning:

 

https://nordvpn.com/blog/is-lastpass-secure/

 

 


Senecio
  #2223281 24-Apr-2019 16:18

Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

 

 

 

What's the current consensus of GZ on the current password managers? What are we all using?


freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2223286 24-Apr-2019 16:24

I use LastPass. And Authy for 2FA - or Yubikey if the service supports it.







  #2223303 24-Apr-2019 16:59

freitasm: I use LastPass. And Authy for 2FA - or Yubikey if the service supports it.

Ditto for me

 

LastPass has apps for everything I use, and Authy has a mobile app along with a desktop app, which is great as a backup in case you lose your phone.


djtOtago
1153 posts

Uber Geek


  #2223304 24-Apr-2019 17:02

freitasm: I use LastPass. And Authy for 2FA - or Yubikey if the service supports it.

Ditto


nunz
1421 posts

Uber Geek
Inactive user


  #2223370 24-Apr-2019 20:29

Senecio: Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

What's the current consensus of GZ on the current password managers? What are we all using?


KeePass. It integrates with Firefox, runs on Linux, Android and PC.

I'm a bit of a control freak ... too many issues with third-party options.

E.g. I believe one of the password systems is owned by LogMeIn. I got burned by them stopping products we had rolled out to many clients and also big price hikes. Close to 700% in one year. KeePass lets me pen drive for offline use too.

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2223417 24-Apr-2019 21:39

What low entropy means: "A 'BLOCKCHAIN BANDIT' IS GUESSING PRIVATE KEYS AND SCORING MILLIONS"

 

 

For the blockchain bandit in particular, it's not clear if simple weak key thefts comprise the majority of their stolen wealth. The bandit could have deployed other tricks, such as guessing the pass-phrases for "brain wallets"—addresses that are secured with memorizable words, which are more easily brute-forced than fully random keys. One team of security researchers found evidence in 2017 of 2,846 bitcoins stolen with brain-wallet thefts, worth more than $17 million at current exchange rates. One single Ethereum brain-wallet theft in late 2015 made off with 40,000 ether, nearly as big a haul as the blockchain bandit's.

 

 

Not convinced that words and passphrases are weak? From someone else "Researchers checked 34 billion insufficiently random Ethereum keys, and found that 732 of the associated addresses had already been emptied, likely by thieves. One of those thieves had amassed a fortune that was at one point worth $54 million."







dafman
3928 posts

Uber Geek

Trusted

  #2223467 25-Apr-2019 08:45

nunz:
Senecio: Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

What's the current consensus of GZ on the current password managers? What are we all using?

KeePass. It integrates with Firefox, runs on Linux, Android and PC.

I'm a bit of a control freak ... too many issues with third-party options.

E.g. I believe one of the password systems is owned by LogMeIn. I got burned by them stopping products we had rolled out to many clients and also big price hikes. Close to 700% in one year. KeePass lets me pen drive for offline use too.


 

+1 for KeePass. It's a simple encrypted password safe that's not tied to any third party. Fully functional apps for both PC and Android. When I used iPhone a few years back there was an app for viewing, but you couldn't update via the iPhone - not sure if this has changed.

