
Forum Security Updates

Started by Whitney, January 04, 2011, 06:12:05 PM


TheWilliam

Damn. So in thirty days I have to lose my favorite forum and go back to posting with the short bus crowd.

Whitney

Quote from: "TheWilliam"Damn. So in thirty days I have to lose my favorite forum and go back to posting with the short bus crowd.

?

Tank

I think something is still 'pecking' at the passwords as I have tried to get in twice today and in both cases I got the 'exceeded attempts' message even though I was very careful to enter my details correctly.
If religions were TV channels atheism is turning the TV off.
"Religion is a culture of faith; science is a culture of doubt." ― Richard P. Feynman
'It is said that your life flashes before your eyes just before you die. That is true, it's called Life.' - Terry Pratchett
Remember, your inability to grasp science is not a valid argument against it.

OldGit

Something is going on.  Yet again I had the devil of a job to get in today and had to do about five captchas - very carefully - before I finally got in.
Then the same thing happened to me on the Venganza forum, which is also a php board.  I've never had that before.

So, is our phantom attacker going for other forums, or is there a fault with the boards?

Tank

Quote from: "OldGit"Something is going on.  Yet again I had the devil of a job to get in today and had to do about five captchas - very carefully - before I finally got in.
Then the same thing happened to me on the Venganza forum, which is also a php board.  I've never had that before.

So, is our phantom attacker going for other forums, or is there a fault with the boards?
I'm not experiencing this on the other atheist forum I frequent and they are phpBB driven so I assume it's some bot focussing on us for some reason.

OldGit

This link was posted on Venganza, where a lot of people have had trouble today.

http://sharethefiles.com/forum/viewtopic.php?f=85&t=186493

lookitsaustin

Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.

Whitney

Quote from: "lookitsaustin"Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.

This is only a recent problem that started last month.

I don't know if there is a length max; it doesn't say there is in the settings.  Those that know more about this than me seem to think a typically strong password that includes special characters in addition to mixed case is sufficient.

Davin

Quote from: "Whitney"
Quote from: "lookitsaustin"Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.

This is only a recent problem that started last month.

I don't know if there is a length max; it doesn't say there is in the settings.  Those that know more about this than me seem to think a typically strong password that includes special characters in addition to mixed case is sufficient.
They're usually hashed, so there should be no hard limit. Things like an MD5 hash will turn anything into like a 32 character string: 2GB Linux ISOs, 400 character passwords or even just one character strings. So I'm pretty sure you can have a really long password.
Always question all authorities because the authority you don't question is the most dangerous... except me, never question me.

Tank

As long as a password does not contain contiguous characters that form a word e.g. PASS2WORD, but is like Pa22W0Rd then you can rule out dictionary searches. The search then becomes a case of number crunching. If a password contains alphabetical characters, UPPER and lower case and numeric characters then each character in a password can have 26 + 26 + 10 characters, 62 possible characters in any one place. Each character in the password is theoretically one of those 62 options.

Thus the number of possible combinations for passwords for a given number of characters is:-



The times are based on a system capable of making 1,000,000 attempts per second.

Thus a random 8 character password could take up to 7 years to crack if the last combination were the correct combination. But any one attempt would have a 218,340,105,584,896:1 chance of being correct. The odds of winning the UK national lottery are 14,000,000:1 So a random combination is best for a password but poor for memorising. Thus avoid any combination of values likely to be available to hackers even by guesswork.

Adding special characters makes shorter passwords more effective, but if you create a password relating to real world entities a human mind may well crack it regardless of the characters used. I would suspect we are being attacked by a human not a bot so I'm sure that pure random passwords like 8K3f800e are the best way to go, but ha99yAthEIST, while longer and thus more effective against a brute force attack, would not be a good idea when faced with a human hacker.

Whitney

Quote from: "Tank"I would suspect we are being attacked by a human not a bot

I would agree, if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.

metaed

Tank's chart does not take into consideration that technology will get faster over time. Let us say that every 1.5 years it should become possible to make about twice as many attempts per second as before (approximation of Moore's Law). And let's preserve Tank's other assumptions:
  • password generated randomly using upper case, lower case, and numerals
  • initial system capable of making 1 million attempts per second
It may surprise you to learn that the time to try all long passwords of N digits becomes a constant: about 8.9 years per digit.

The time to try all 8 digit passwords goes from 7 years to 4 years. The time to try all 9 digit passwords goes from 430 years to 12 years. And the time to try all 10 digit passwords goes from 26687 years to 21 years!

Now notice: because of the progressive speedup of technology, you will have only gotten half the work done when you have 1.5 years of work left. But you'll still finish the job in the last 1.5 years. This suggests a much cheaper strategy for trying all N digit passwords: figure out when you'd be done if you started now. Start then, and you'll be completely done only 1.5 years later than if you started now.

Cheers,

MetaEd

P.S. Odds are that anyone who tries to brute force my password will only succeed long after I'm dead.
--
Sometimes they fool you by walking upright.
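Both calculations in the posts above can be reproduced in a few lines: Tank's keyspace-to-years chart (whose table did not survive in this copy of the thread) and metaed's argument that, once attacker speed doubles on a fixed schedule, each extra symbol costs a constant number of calendar years. The Python below is an added worked example, not code posted by either of them. It assumes exactly what the posts assume: a 62-symbol alphabet (upper case, lower case, digits), 1,000,000 guesses per second today, a 365-day year, and a speed doubling applied in discrete 1.5-year steps. The 95-symbol printable-ASCII alphabet is my addition so that Tank's remark about special characters can be compared against simply adding length.

```python
import math

# Assumptions taken from the two posts above (not constants from any real system):
ALPHABET_SIZE = 26 + 26 + 10      # upper case + lower case + digits, as in Tank's post
PRINTABLE_ASCII = 95              # added for comparison: all printable ASCII incl. special chars
GUESSES_PER_SECOND = 1_000_000    # Tank's attacker speed
SECONDS_PER_YEAR = 365 * 24 * 3600
DOUBLING_YEARS = 1.5              # metaed's Moore's-law approximation


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def years_to_exhaust(length, alphabet=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst case (the last guess is the right one) at a constant guessing rate."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def years_with_doubling(work_years, doubling=DOUBLING_YEARS):
    """Calendar time to finish `work_years` of today's-speed work when the
    attacker's speed doubles at the end of every `doubling`-year period.
    `speed` is relative to today's rate, so one full period completes
    speed * doubling years' worth of today's work."""
    done = elapsed = 0.0
    speed = 1.0
    while done + speed * doubling < work_years:
        done += speed * doubling
        elapsed += doubling
        speed *= 2
    # The remainder is finished part-way through the current period.
    return elapsed + (work_years - done) / speed


def years_per_extra_symbol(alphabet=ALPHABET_SIZE, doubling=DOUBLING_YEARS):
    """The limit metaed describes: one more symbol multiplies the work by
    `alphabet`, which costs log2(alphabet) doublings, i.e. a constant number
    of calendar years once the job is long enough to span several periods."""
    return doubling * math.log2(alphabet)


def chart(lengths=range(6, 13), alphabet=ALPHABET_SIZE):
    """Rows of (length, keyspace, years at constant rate, years with doubling)."""
    rows = []
    for n in lengths:
        constant = years_to_exhaust(n, alphabet)
        rows.append((n, keyspace(n, alphabet), constant, years_with_doubling(constant)))
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'keyspace':>24} {'constant-rate years':>20} {'doubling years':>15}")
    for n, space, constant, moore in chart():
        print(f"{n:>3} {space:>24,} {constant:>20,.2f} {moore:>15.2f}")
    print(f"asymptotic cost per extra symbol: {years_per_extra_symbol():.1f} years")
    # Tank's aside on special characters: widen the alphabet instead of the length.
    print(f"8 chars over 95 printable ASCII: {years_to_exhaust(8, PRINTABLE_ASCII):,.0f} years")
```

Running it reproduces the figures quoted in the thread: 62^8 is 218,340,105,584,896 guesses, about 6.9 years at a constant million per second, which drops to about 3.6 years under step-wise doubling; 9 and 10 symbols come out at roughly 12 and 21 years, about 8.9 years apart, matching 1.5 * log2(62). Note that the step-wise model is slightly bumpy, so the per-symbol gap only converges on 8.9 for long jobs rather than holding exactly at every length.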

metaed

Quote from: "Whitney"I would agree, if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.
Bots sometimes try to avoid detection by operating at a slower speed than what they're capable of.

Tank

Quote from: "metaed"Tank's chart does not take into consideration that technology will get faster over time. {snip}
I was just offering an insight, not writing a thesis. So please don't assume why I left out some points simply to create a presentable post relevant to the audience.

Whitney

Quote from: "metaed"
Quote from: "Whitney"I would agree, if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.
Bots sometimes try to avoid detection by operating at a slower speed than what they're capable of.

Oh, ya that would make sense too.

My pw is pretty long, contains no real words, no numbers that mean anything, and is mixed case....so I think I'm okay.  I can't even remember the damned thing.