WebApp Sec mailing list archives
Re: looking for a webapp bruteforce video for non-techies
From: "Robin Wood" <dninja () gmail com>
Date: Tue, 3 Jun 2008 18:09:38 +0100
2008/6/3 Paul Melson <pmelson () gmail com>:
That may not actually be such a bad password (on balance and in context). Sure it is a dictionary/leet word variant, but five characters actually carry plenty of entropy (if mixed case and numerics are also used). However, if you have an authentication mechanism that doesn't lock out an account and *allows* brute forcing, it doesn't really matter how strong the password is; given enough universe-lifetimes an attacker will always guess it eventually.I second Martin's comment. There's no point in talking to users about password selection if the application doesn't A) lock the account after X number of failed attempts *AND* B) force password expiration/rotation. There's a very basic mathematical formula found in the Department of Defense Password Management Guideline[1] that can be used to calculate the risk associated with any particular password policy versus brute force guessing. Definitely required reading for anyone designing or specifying a password authentication mechanism.
Let me restate the question: I have a client who uses the same, really easy, really guessable password for all the sites he visits. It is a 5 letter word with one character changed to a numeric, if you know his name, you'll probably guess his password within a couple of attempts. I've explained the problem with this to him and I've preached as much as I can. I know all about secure passwords, entropy and stuff like that but all I want is a couple of minute video that shows someone launching something like hydra, setting it up by clicking a few buttons, clicking go then a few minutes later a password pops out somewhere. All I'm after is the viewer sitting back and going "wow, is it that easy to break my password" then going through and changing it to something a more secure. So, I'm not after advice on how to build a secure login system, just a video to scare users with. Robin ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Martin O'Neal (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Paul Melson (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Paul Melson (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Jakub (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Dan Walker (Jun 03)
- Message not available
- Re: looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Martin O'Neal (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies pand0ra (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Anthony Cicalla (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Anthony Cicalla (Jun 03)
- <Possible follow-ups>
- RE: RE: looking for a webapp bruteforce video for non-techies admin (Jun 03)