Asha
Starting Member
39 Posts
Posted - 05 May 2003 : 20:09:53
Given Snitz's popularity, it seems likely that one day, someone will write a little program to find all the Snitz forums on the web that it can, look up who the admins are, and try a dictionary attack on their passwords. This is a standard kind of attack.
Modifying one forum's source won't address this type of attack.
My main goal was to raise this vulnerability and let the Snitz heavy developers decide what, if anything, to do about it. It seems to me to be unwise to wait until an attack of this kind before doing something about it, but I do not have the same perspective as the Snitz developers, and maybe they see things here that I do not.
So, the situation has been reported, the Snitz developers are aware of it, and they can evaluate it as they see fit. I appreciate their having considered the vulnerability. If other people want to continue the discussion here, that is fine; otherwise, I think I'll move on.
Doug G
Support Moderator
USA
6493 Posts
Posted - 06 May 2003 : 00:29:20
quote: Modifying one forum's source won't address this type of attack.
I guess there is no hope then ...
====== Doug G ====== Computer history and help at www.dougscode.com
laser
Advanced Member
Australia
3859 Posts
Posted - 06 May 2003 : 01:05:26
Yes, Asha, but any Forum Admin worth their salt would understand enough about "stuff" to NOT fall victim to a dictionary password attack.
All the Snitz code is there; just change it yourself to how you want it to work. Better still ... write a MOD and then everyone can join in the fun.
TestMagic
Senior Member
USA
1568 Posts
Posted - 06 May 2003 : 01:29:18
Wouldn't it take something like a month of continuous processor power (PIII or so) to crack a password that is not based on dictionary words, not all numbers or letters, contains a _, ., or -, and is more than ten characters long?
Snitz rocks! · Search 2
laser
Advanced Member
Australia
3859 Posts
Posted - 06 May 2003 : 01:45:13
I have written some password-generating code before. I also ran the same code on my new P4, 2.2GHz laptop when I first got it. It was churning out about 27 million passwords/hour. This time includes password authentication, but that didn't take much time in the application I was using at the time.
A proper case-sensitive password with numbers would take years to break.
TestMagic
Senior Member
USA
1568 Posts
Posted - 06 May 2003 : 01:56:14
From a theoretical point of view, changing the super admin's login name is simply adding one more hurdle to leap to gain access; i.e., instead of one (the password), there are two. So it would seem logical that if two were better than one, then three would be better than two. And in a sense, the new super admin name would become simply an extension of the password.
I actually like the idea of having a login name different from the screen name, but I don't think my users would. After all, what is there to "steal" in a forum such as this?
Snitz rocks! · Search 2
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 06 May 2003 : 08:34:55
quote: A proper case-sensitive password with numbers would take years to break.
That would have to be quite a lengthy password, though that's a year to search the entire keyspace; it's not improbable that the correct password could be located in the first month or two of searching.
To brute-force one average-length SHA256 password of 8-10 characters takes a little under a month of time on a single machine of around 2GHz (trust me, I've done it a few times). Length of time is obviously dependent on the size of the keyspace (length of password) and the algorithm used to encrypt it; for instance, MD5 doesn't take anywhere near that long, and even a 14-character NT password doesn't take me much longer than about 1 week now (though I split the work up over 7 machines) ... and before anyone asks why I'm "cracking" NT passwords, I do have a quite legitimate reason.
Kiwihosting.Net - The Forum Hosting Specialists
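As an added worked example (not code from the thread), the arithmetic behind laser's and Gremlin's estimates: an in-order brute force is expected to hit the password after half the keyspace, so expected time is half the candidate count divided by the guessing rate. The rate is laser's 27 million guesses per hour taken as a constant; the alphabet sizes and the 200,000-word dictionary are assumptions.

```python
# Added example, not code from the thread: keyspace and expected search time
# for the policies discussed. The guessing rate is laser's figure (about
# 27 million guesses per hour); alphabet and dictionary sizes are assumptions.

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
LASER_RATE_PER_SEC = 27_000_000 / SECONDS_PER_HOUR      # 7500 guesses/s

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32            # symbol count assumed


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_seconds(candidates: int, guesses_per_second: float) -> float:
    """Expected time to hit one uniformly chosen password: half the keyspace.
    This is Gremlin's point that the hit usually comes long before the end."""
    return (candidates / 2) / guesses_per_second


def dictionary_attack_seconds(word_count: int, guesses_per_second: float) -> float:
    """Worst case for Asha's scenario: every word in the list is tried once."""
    return word_count / guesses_per_second


def compare(guesses_per_second: float = LASER_RATE_PER_SEC) -> dict:
    """Expected search time in days, keyed by policy, at the given rate."""
    mixed = LOWER + UPPER + DIGITS
    policies = {
        "200k-word dictionary": dictionary_attack_seconds(200_000, guesses_per_second),
        "8 lowercase letters": expected_seconds(keyspace(LOWER, 8, 8), guesses_per_second),
        "8 chars, mixed case + digits": expected_seconds(keyspace(mixed, 8, 8), guesses_per_second),
        "8-10 chars, mixed case + digits + symbols":
            expected_seconds(keyspace(mixed + SYMBOLS, 8, 10), guesses_per_second),
    }
    return {name: secs / SECONDS_PER_DAY for name, secs in policies.items()}


if __name__ == "__main__":
    for name, days in compare().items():
        print(f"{name:42s} {days:14.1f} days ({days / 365:.1f} years)")
```

At laser's rate the dictionary run finishes in seconds, 8 lowercase letters in about five months, and 8 mixed-case characters with digits in centuries; a faster cracker or a weaker hash moves every row down by the same factor.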
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 06 May 2003 : 08:48:30
quote: I do have a quite legitimate reason.
Uh-huh. Suuuuuure you do!
Support Snitz Forums
GauravBhabu
Advanced Member
4288 Posts
Posted - 06 May 2003 : 08:59:33
All Crackers have their reasons
Edited by - GauravBhabu on 06 May 2003 09:05:27
Asha
Starting Member
39 Posts
Posted - 06 May 2003 : 09:17:16
quote: Originally posted by TestMagic
... I actually like the idea of having a login name different from the screen name, but I don't think my users would. After all, what is there to "steal" in a forum such as this?
All sorts of evil things could happen. It wouldn't be too cool if all the postings at snitz.com disappeared, for example, or if someone started impersonating someone else. If there was nothing bad that could happen, then Snitz wouldn't be set up to use passwords!
If only the admins and moderators had different login names than their display names, then the other users would never even have to think about the display name / login name distinction. Many forum users would not even be aware of the distinction.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 06 May 2003 : 09:41:10
quote: It wouldn't be too cool if all the postings at snitz.com disappeared
That's why part of any security regime includes backup and restore procedures.
Kiwihosting.Net - The Forum Hosting Specialists
davemaxwell
Access 2000 Support Moderator
USA
3020 Posts
Posted - 06 May 2003 : 10:51:53
quote: Originally posted by Asha
If only the admins and moderators had different login names than their display names, then the other users would never even have to think about the display name / login name distinction. Many forum users would not even be aware of the distinction.
Yeah, but then the users would have to learn a new userID/password combo when they are made admins/mods, so those forum users would know that then anyways.
IMHO, the only thing we really should do that we aren't doing now is to force users to change their passwords on a regular basis. That would reduce the chances of people stealing passwords and/or sharing them with the world. Those passwords would only be valid for x number of days.
Dave Maxwell Barbershop Harmony Freak
MasterOfTheCats
Junior Member
103 Posts
Posted - 06 May 2003 : 13:21:16
A better approach is to force different levels of password complexity, similar to the w2k AD install (min chars, mix of alphanumeric, etc.).
Doug G
Support Moderator
USA
6493 Posts
Posted - 06 May 2003 : 14:03:17
3 strikes and you're out works well. You can easily add some code that blocks the user's IP for a few minutes to hours after x number of failed login attempts.
====== Doug G ====== Computer history and help at www.dougscode.com
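One way to implement the rule in the post above, as an added example in Python rather than Snitz's own ASP code: count failed logins per source address inside a sliding window, block the address after the third, and double the block for each further burst up to a cap of a few hours. The class name, thresholds and the injected clock are assumptions chosen for this illustration.

```python
# Added example, not Snitz code: "x failed attempts, then block the IP for a
# while", with an escalating block. Thresholds are assumptions; the clock is
# injected so the behaviour can be checked without waiting.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class LoginThrottle:
    max_failures: int = 3               # "3 strikes and you're out"
    window_seconds: int = 300           # failures older than this are forgotten
    base_block_seconds: int = 300       # first block: a few minutes
    max_block_seconds: int = 6 * 3600   # cap: a few hours
    clock: Callable[[], float] = time.time
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _blocks: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # ip -> (until, strikes)

    def is_blocked(self, ip: str) -> bool:
        entry = self._blocks.get(ip)
        return entry is not None and self.clock() < entry[0]

    def seconds_remaining(self, ip: str) -> float:
        entry = self._blocks.get(ip)
        return max(0.0, entry[0] - self.clock()) if entry else 0.0

    def record_failure(self, ip: str) -> bool:
        """Register a failed login; return True if the address is now blocked."""
        now = self.clock()
        recent = [t for t in self._failures.get(ip, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) < self.max_failures:
            return False
        # Each new block for the same address doubles the previous one, up to the cap.
        _, strikes = self._blocks.get(ip, (0.0, 0))
        duration = min(self.base_block_seconds * 2 ** strikes, self.max_block_seconds)
        self._blocks[ip] = (now + duration, strikes + 1)
        self._failures[ip] = []     # next window starts clean
        return True

    def record_success(self, ip: str) -> None:
        """A successful login from an unblocked address clears its history."""
        self._failures.pop(ip, None)
        self._blocks.pop(ip, None)

    def attempt(self, ip: str, password_ok: bool) -> str:
        """Gate a login: 'blocked', 'ok' or 'denied'. Blocked addresses are not checked at all."""
        if self.is_blocked(ip):
            return "blocked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        return "blocked" if self.record_failure(ip) else "denied"
```

Blocking by address alone has two caveats worth keeping in mind: users behind a shared proxy or NAT share one counter, and anyone who can send three bad passwords can lock that address out, so pair it with per-account throttling and a log line per block so the admin can see what happened.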