Geekzone: technology news, blogs, forums
1384 posts, Uber Geek, Subscriber
# 2222041 22-Apr-2019 10:41

One of the best things a webmaster can do is have a system that generates passwords for users, not allowing them to use their own passwords. It forces good practice.

However, that's not convenient for users and they baulk at it.

The other is looking up user passwords in the cracked DBs online and informing users if they are using a hacked password.

To stop brute force, my servers put a 30 min ban on an IP after 3 fails, then 24 hours after a second set of fails within 24 hours, then a permanent hard ban. It doesn't matter if they fail the same user name or different ones. That stops name skipping.

I also check for fails from different IPs on the same username and run the same ban scheme as above.

Also, I put immediate bans on attempts to log on as admin, root and a range of service names like postfix, www or apache.

Hope that helps explain how some admins stop brute forcing.




nunz
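The "look the password up in the cracked DBs" check in the post above can be done without ever sending the password, or even its full hash, to anyone: the Pwned Passwords range API takes the first five hex characters of the SHA-1 and returns every leaked hash suffix in that bucket, so the match happens on the server doing the registration. The Python below is an added example written for this thread, not code from any poster or from the service; the leaked-password sample and its counts are constructed so it runs offline, the live fetcher is included but never called, and the password alphabet and the `vet_password` policy (refuse a leaked password and hand out a generated one, nunz's first suggestion) are this example's own choices.

```python
import hashlib
import secrets
import string


def sha1_hex(password):
    """Pwned Passwords is keyed by the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the leaked corpus: two well-known bad passwords with made-up counts.
LEAKED_SAMPLE = {"password123": 126927, "qwerty": 3946737}


def fake_range_fetcher(prefix):
    """Answer a range query in the real endpoint's format: one "<35 hex chars>:<count>"
    line per hash whose first five hex characters equal `prefix`, CRLF separated."""
    lines = []
    for password, count in LEAKED_SAMPLE.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_fetcher(prefix):
    """Query the real service (network access required). Only the five-character prefix is sent."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "password-vetting-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breached_count(password, fetch_range=fake_range_fetcher):
    """How many times the password appears in the corpus (0 = not found).
    The service only ever sees a bucket identifier shared by hundreds of unrelated hashes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Assumed alphabet for server-issued passwords.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length=16):
    """Server-issued password drawn from the OS CSPRNG: the 'generate it for them' option."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def vet_password(candidate, fetch_range=fake_range_fetcher):
    """Registration policy: keep the user's choice unless it is in the corpus; if it is,
    return (False, count, replacement) so the caller can refuse it and offer a generated one."""
    count = breached_count(candidate, fetch_range)
    if count:
        return False, count, generate_password()
    return True, 0, candidate


if __name__ == "__main__":
    for pw in ("qwerty", "password123", "not-in-the-sample-corpus"):
        print(pw, "->", vet_password(pw))
```

Swap `fake_range_fetcher` for `live_range_fetcher` to check against the real corpus; the privacy property is the same either way, because the suffix comparison never leaves `breached_count`.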

1903 posts, Uber Geek
# 2222043 22-Apr-2019 10:44

So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?

gjm

754 posts, Ultimate Geek
# 2222048 22-Apr-2019 10:55

It's 2019 and my ASB bank password is still not case sensitive...





[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

1903 posts, Uber Geek
# 2222143 22-Apr-2019 12:59

Same for Westpac.

1384 posts, Uber Geek, Subscriber
# 2222476 23-Apr-2019 00:36

MadEngineer: So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?

They have my phone number if it's a genuine mess-up. We also use harder-to-guess user names like seh01245, so brute forcing has to guess user names.

FYI, invalid user names also count in the ban list, so three failed user name guesses is the same deal as 3 bad passwords. It produces much the same log message for fail2ban and other systems to pick up on.

Users would rather have you reset for them than let dipsticks screw with their data.

Where possible we blacklist all IP addresses and whitelist the clients. We also don't tend to use standard URLs like /wp-admin.

Brute forcing a user name is not straightforward.

HTH
Shane




nunz
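nunz's two posts above (the first one on this page and the reply just above) describe one scheme: sets of three failures from an IP escalate from a 30-minute ban, to 24 hours if another set follows within 24 hours, to permanent; the same escalation keyed by username across source IPs; an immediate ban for admin, root and service accounts; and invalid user names counting exactly like bad passwords, because sshd logs both as "Failed password for ...". The Python below replays that scheme over sshd-style log lines. It is an added example for this thread, not code from nunz and not fail2ban's; the log lines, host name and addresses are constructed (documentation IP ranges), and the instant-ban list and the rule that a quiet 24 hours after a ban resets the escalation are this example's reading of the posts, not something they spell out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs a wrong password as "Failed password for <user>" and a guess at a nonexistent
# account as "Failed password for invalid user <user>"; one pattern catches both, which is
# why a bad user name costs the attacker exactly as much as a bad password here.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 3                          # failures that make up one "set"
WINDOW = timedelta(hours=24)           # a further set within 24 h of the last ban escalates
STEPS = [("30m", timedelta(minutes=30)), ("24h", timedelta(hours=24)), ("permanent", None)]
FOREVER = datetime.max
# Accounts that earn an immediate permanent ban for the source IP (assumed list).
INSTANT_BAN_USERS = {"admin", "root", "postfix", "www", "apache"}


class BanTracker:
    """Escalating bans for one kind of key: ("ip", address) or ("user", name)."""

    def __init__(self):
        self.fails = defaultdict(int)    # key -> failures since the last ban
        self.level = defaultdict(int)    # key -> sets already banned (index into STEPS)
        self.ban_end = {}                # key -> when the latest ban ends (FOREVER = permanent)

    def is_banned(self, key, now):
        return now < self.ban_end.get(key, datetime.min)

    def ban(self, key, now, step_index):
        label, duration = STEPS[min(step_index, len(STEPS) - 1)]
        self.level[key] = step_index + 1
        self.fails[key] = 0
        self.ban_end[key] = FOREVER if duration is None else now + duration
        return label

    def record_fail(self, key, now):
        """Count one failure; return the ban label if it completed a set, else None."""
        if self.is_banned(key, now):
            return None                  # in production the firewall drops this before sshd sees it
        # Quiet for 24 h after the last ban ended: forget the escalation history.
        if key in self.ban_end and now - self.ban_end[key] > WINDOW:
            self.level[key] = 0
        self.fails[key] += 1
        if self.fails[key] < THRESHOLD:
            return None
        return self.ban(key, now, self.level[key])


def process_log(text):
    """Replay auth-log lines in order; return every ban decision as (timestamp, key, label)."""
    by_ip, by_user = BanTracker(), BanTracker()
    decisions = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                     # accepted logins, disconnects etc. do not count
        now = datetime.fromisoformat(m["ts"])
        ip_key, user_key = ("ip", m["ip"]), ("user", m["user"])
        if m["user"] in INSTANT_BAN_USERS:
            if not by_ip.is_banned(ip_key, now):
                decisions.append((m["ts"], ip_key, by_ip.ban(ip_key, now, len(STEPS) - 1)))
            continue
        # Same escalation keyed by source IP and, independently, by target username,
        # so spreading guesses over many IPs still locks the account's attackers out.
        for tracker, key in ((by_ip, ip_key), (by_user, user_key)):
            label = tracker.record_fail(key, now)
            if label:
                decisions.append((m["ts"], key, label))
    return decisions


# Constructed sample in rsyslog's ISO-timestamp file format; the host and addresses are
# made up (documentation IP ranges). Chronological order matters for the replay.
SAMPLE_LOG = """\
2019-04-22T10:41:00 web1 sshd[2101]: Failed password for seh01245 from 203.0.113.5 port 51234 ssh2
2019-04-22T10:41:10 web1 sshd[2102]: Failed password for seh01245 from 203.0.113.5 port 51235 ssh2
2019-04-22T10:41:20 web1 sshd[2103]: Failed password for seh01245 from 203.0.113.5 port 51236 ssh2
2019-04-22T10:50:00 web1 sshd[2150]: Failed password for root from 198.51.100.7 port 40000 ssh2
2019-04-22T11:20:00 web1 sshd[2210]: Failed password for seh01245 from 203.0.113.5 port 51300 ssh2
2019-04-22T11:20:10 web1 sshd[2211]: Failed password for seh01245 from 203.0.113.5 port 51301 ssh2
2019-04-22T11:20:20 web1 sshd[2212]: Failed password for seh01245 from 203.0.113.5 port 51302 ssh2
2019-04-22T12:00:00 web1 sshd[2300]: Failed password for invalid user jkl09876 from 192.0.2.10 port 33000 ssh2
2019-04-22T12:00:05 web1 sshd[2301]: Failed password for invalid user jkl09876 from 192.0.2.11 port 33001 ssh2
2019-04-22T12:00:10 web1 sshd[2302]: Failed password for invalid user jkl09876 from 192.0.2.12 port 33002 ssh2
2019-04-22T12:30:00 web1 sshd[2350]: Accepted publickey for seh01245 from 203.0.113.9 port 51500 ssh2
2019-04-23T11:30:00 web1 sshd[3001]: Failed password for seh01245 from 203.0.113.5 port 52000 ssh2
2019-04-23T11:30:10 web1 sshd[3002]: Failed password for seh01245 from 203.0.113.5 port 52001 ssh2
2019-04-23T11:30:20 web1 sshd[3003]: Failed password for seh01245 from 203.0.113.5 port 52002 ssh2
"""

if __name__ == "__main__":
    for ts, key, label in process_log(SAMPLE_LOG):
        print(f"{ts}  {key[0]}={key[1]:<14}  ban={label}")
```

The replay shows the two things the posts argue for: 203.0.113.5 walks the 30m, 24h, permanent ladder on its own failures, and the guesses at the nonexistent jkl09876 spread over three addresses never trip the per-IP rule but do trip the per-username one, which is the check that still bites an attacker behind CGNAT or a botnet. The per-IP tracker maps onto a fail2ban jail with maxretry and bantime plus its recidive jail for the escalation; the per-username tracker is the part you add yourself.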

1384 posts, Uber Geek, Subscriber
# 2222477 23-Apr-2019 00:44

MadEngineer: So, if I fail someone's password on your site multiple times from a CGNAT network, I effectively DoS them?

BTW, using CGNAT, your port will give you away. I don't check for ports, but in the extremely unlikely event CGNAT became an issue I'd look at reverse crawling the port back to the source.

Or ask the ISP to do the same and ban the end user.

I did it before; the ISP didn't even know the pillock was on their network until I called them up and let them know.

Most people have their own IP, especially with IPv6 growing in use.







nunz



BDFL - Memuneh, 64625 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber
# 2223228 24-Apr-2019 15:33

Saw this one on Twitter today. Look at those rules - they try to make it as easy as possible for brute force, don't they?

The password must be eight characters - no less, no more. It is not case sensitive and the characters are limited to the ones listed...
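To put numbers on "as easy as possible for brute force", and on the not-case-sensitive bank passwords mentioned earlier in the thread, the Python below computes the keyspace and bit strength of a password policy and how long exhausting it takes at an offline rate against a leaked hash database and at the online rate nunz's per-username ban allows. It is an added example for this thread, not from any poster or from the tweet; the tweet's permitted-character list is not reproduced here, so the 36-symbol case-folded alphabet for it, the 95-symbol printable-ASCII alphabet and both guess rates are assumptions.

```python
import math

# Each policy as (alphabet size, shortest allowed length, longest allowed length).
# The tweet's list of permitted characters is not reproduced in the thread, so the
# 36-symbol case-folded alphanumeric alphabet for it is an assumption.
POLICIES = {
    "tweeted rule: exactly 8, case-insensitive (assumed 36-char alphabet)": (36, 8, 8),
    "same rule but case-sensitive (62-char alphabet)": (62, 8, 8),
    "8 to 64 characters, printable ASCII (95-char alphabet)": (95, 8, 64),
}


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords the policy admits, summed over every permitted length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(alphabet_size, min_len, max_len):
    """Strength of a uniformly random password under the policy, in bits."""
    return math.log2(keyspace(alphabet_size, min_len, max_len))


def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker: trying every password at the given rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


# Assumed attacker speeds. Offline: a leaked hash database attacked on GPUs.
# Online: held to 3 guesses per 30-minute ban against one account, the rate the
# per-username rule allows no matter how many source IPs the attacker has
# (the escalation to 24 h and permanent bans would make it far slower still).
OFFLINE_RATE = 1e10
ONLINE_RATE = 3 / (30 * 60)


def compare(policies=POLICIES):
    """One row per policy: (name, bits, years to exhaust offline, years to exhaust online)."""
    rows = []
    for name, (alphabet, lo, hi) in policies.items():
        space = keyspace(alphabet, lo, hi)
        rows.append((name, round(entropy_bits(alphabet, lo, hi), 1),
                     years_to_exhaust(space, OFFLINE_RATE),
                     years_to_exhaust(space, ONLINE_RATE)))
    return rows


if __name__ == "__main__":
    for name, bits, offline, online in compare():
        print(f"{bits:6.1f} bits  offline {offline:9.2e} y  online {online:9.2e} y  {name}")
```

Case folding costs the tweeted policy about six bits (36^8 against 62^8) and the fixed length removes the sum over lengths that a range would add. The online column is the other half of the story: the same keyspace that falls in minutes offline takes geological time at three guesses per half hour, so for a policy this weak the realistic exposure is a leaked hash database or credential stuffing with already-known passwords, which is exactly what the breach lookup and the ban scheme earlier in the thread are each aimed at.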

8868 posts, Uber Geek, Lifetime subscriber
# 2223256 24-Apr-2019 15:54

Oh god, that is horrible.

I saw this article this morning:

https://nordvpn.com/blog/is-lastpass-secure/


566 posts, Ultimate Geek
# 2223281 24-Apr-2019 16:18

Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

What's the current consensus of GZ on the current password managers? What are we all using?




BDFL - Memuneh, 64625 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber
8868 posts, Uber Geek, Lifetime subscriber
# 2223303 24-Apr-2019 16:59

freitasm: I use LastPass. And Authy for 2FA - or Yubikey if the service supports it.

Ditto for me.

LastPass has apps for everything I use, and Authy has a mobile app along with a desktop app, which is great as a backup in case you lose your phone.


526 posts, Ultimate Geek, Subscriber
# 2223304 24-Apr-2019 17:02

freitasm: I use LastPass. And Authy for 2FA - or Yubikey if the service supports it.

Ditto


1384 posts, Uber Geek, Subscriber
# 2223370 24-Apr-2019 20:29

Senecio:
Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

What's the current consensus of GZ on the current password managers? What are we all using?

KeePass. It integrates with Firefox, runs on Linux, Android and PC.

I'm a bit of a control freak... too many issues with third-party options.

E.g. I believe one of the password systems is owned by LogMeIn. I got burned by them stopping products we had rolled out to many clients and also big price hikes, close to 700% in one year. KeePass lets me pen drive for offline use too.




nunz



BDFL - Memuneh, 64625 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber
# 2223417 24-Apr-2019 21:39

What low entropy means: "A 'BLOCKCHAIN BANDIT' IS GUESSING PRIVATE KEYS AND SCORING MILLIONS"

For the blockchain bandit in particular, it's not clear if simple weak key thefts comprise the majority of their stolen wealth. The bandit could have deployed other tricks, such as guessing the pass-phrases for "brain wallets"—addresses that are secured with memorizable words, which are more easily brute-forced than fully random keys. One team of security researchers found evidence in 2017 of 2,846 bitcoins stolen with brain-wallet thefts, worth more than $17 million at current exchange rates. One single Ethereum brain-wallet theft in late 2015 made off with 40,000 ether, nearly as big a haul as the blockchain bandit's.

Not convinced that words and passphrases are weak? From someone else: "Researchers checked 34 billion insufficiently random Ethereum keys, and found that 732 of the associated addresses had already been emptied, likely by thieves. One of those thieves had amassed a fortune that was at one point worth $54 million."
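The thefts quoted above work because a 256-bit key only carries the entropy of whatever produced it: a brain-wallet key is nothing more than SHA-256 of a phrase, and a badly seeded generator can emit tiny integers, so a thief derives addresses from phrase dictionaries and from the keys 1, 2, 3, ... and watches them for funds. The Python below is an added example for this thread, not code from the articles or the researchers they cite: it implements the brain-wallet derivation and a checker for those two cheap searches, plus a correctly generated key for contrast. It compares private keys directly; a real attacker only sees addresses and would first derive each candidate's address with secp256k1, which is left out here. The phrase list and the 2^32 bound on the small-integer search are assumptions.

```python
import hashlib
import secrets

# Order n of secp256k1, the curve behind Bitcoin and Ethereum keys: a private key is valid iff 1 <= k < n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_key(passphrase):
    """The original brain-wallet recipe: the private key is SHA-256 of the passphrase and nothing
    else, so its entropy is exactly that of the phrase, however random the hash output looks."""
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def random_key():
    """A properly generated key: 256 bits from the OS CSPRNG, redrawn if outside the valid range."""
    while True:
        k = secrets.randbits(256)
        if 1 <= k < SECP256K1_N:
            return k


# Constructed attacker dictionary; a real one holds millions of phrases, lyrics, quotes and leaked passwords.
PHRASES = ["password", "correct horse battery staple", "satoshi nakamoto",
           "to be or not to be", "bitcoin", "letmein"]


def weak_key_reasons(k, phrases=PHRASES, small_limit=1 << 32):
    """Why a thief could have found private key k cheaply, or [] if neither search would.
    small_limit bounds the 'count upward from 1' search and phrases is the brain-wallet
    dictionary; both are assumptions about attacker effort, not facts from the articles."""
    if not 1 <= k < SECP256K1_N:
        return ["invalid: outside the curve order"]
    reasons = []
    if k <= small_limit:
        reasons.append("small integer: reachable by counting upward from 1")
    if k in {brainwallet_key(p) for p in phrases}:
        reasons.append("brain wallet: SHA-256 of a phrase in the dictionary")
    return reasons


def sweep(keys, **search):
    """Scan a batch of keys the way the researchers scanned addresses; {key: reasons} for the weak ones."""
    found = {}
    for k in keys:
        reasons = weak_key_reasons(k, **search)
        if reasons:
            found[k] = reasons
    return found


if __name__ == "__main__":
    batch = [1, 42, brainwallet_key("correct horse battery staple"), random_key()]
    for k, reasons in sweep(batch).items():
        print(hex(k)[:18] + "...", reasons)
```

The point the sweep makes is that the hash step buys nothing: SHA-256 of "correct horse battery staple" is a perfectly well-formed 256-bit key, and it is also the first thing every brain-wallet thief's dictionary contains. Only the `random_key` output, whose entropy came from the CSPRNG rather than from a human, comes back clean.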





2866 posts, Uber Geek, Trusted, Subscriber
# 2223467 25-Apr-2019 08:45

nunz:
Senecio:
Having read this I've decided to take my online security a bit more seriously. I've been fortunate thus far not to have been compromised despite doing everything (through sheer laziness) to make it as easy as possible for someone.

What's the current consensus of GZ on the current password managers? What are we all using?

KeePass. It integrates with Firefox, runs on Linux, Android and PC.

I'm a bit of a control freak... too many issues with third-party options.

E.g. I believe one of the password systems is owned by LogMeIn. I got burned by them stopping products we had rolled out to many clients and also big price hikes, close to 700% in one year. KeePass lets me pen drive for offline use too.

+1 for KeePass. It's a simple encrypted password safe that's not tied to any third party. Fully functional apps for both PC and Android. When I used iPhone a few years back there was an app for viewing but you couldn't update via the iPhone - not sure if this has changed.

