12-12-2005, 10:22 PM
V_RocKs
Without image verification:

Bruteforce Basic Auth - 25,000 to 250,000 an hour depending on your connection.

Loss: 10 to 200 passwords a day. Used by 10 to 2000 people a day. Money lost is in the millions a year; BW costs are 50 times higher because these surfers are going to download the entire website, since they don't know when they will get a password again. The login screen is unresponsive to others because it is being bruteforced, which is essentially DoSing it.

Form Login - 8,000 - 50,000 tries per hour.

Loss - 5 to 50 passwords a day. Used by 5 to 500 surfers. Because the entire form is being sent at 70K per request, that is 1,750,000,000 bytes total, or about a gig and a half per entry attempt. So without a security code you are wasting 87.5 gigs a day just on the login attempts. Add that to the 50 people site-sucking 200 gigs each... all of a sudden that ultra-cheap BW is extremely expensive.

Many sponsors think that if they allow 'some' cracking to go on then it is OK, because when the password monitoring scripts kick in and block the account, some of the surfers then break down and sign up. This is not the case. You can go into many forums and IRC channels and have someone crack a password that will only be given to you. If someone else asks for one, they will crack them a different account. Your password monitoring software will not stop them, since they are not triggering any alarms...

#1 - Use MD5 password hashing, not DES. At least then they take a lot longer to crack if they steal your password file.
#2 - Encrypt passwords that go into the DB. Most of you have them stored in plain text or DES.
#3 - Make the users' passwords for them. The only reason DES decryption even works is because most people use the same password EVERYWHERE. So if you run Nubiles.net and they steal a comparable site's password file, your encrypted passwords are easy to crack.
#4 - Use a form login and a security code. Make sure that there is no other part of the website where you can force basic authentication. With some free/cheap authorization software you can bypass the form and code login by just entering a direct link to a file inside the members area.


Some of you require a member to choose a password with an uppercase letter and a number. Big mistake. You actually made it easier to guess passwords, not harder.

This password:

surkfloi

requires 218,340,105,584,896 tries, because I don't know if I need an uppercase letter, lowercase letter or a number for each place: 62 different combos per place for 8 places, or 62*62*62*62*62*62*62*62.

Surkflo1

Now I know that 85% of the lazy American public will make the first letter a capital and the last character a 1. Now I need:

26*62*62*62*62*62*62*1 = 1,476,806,125,184

218340105584896 / 1476806125184 = 147

What do all of these numbers mean? Well, with DES I can decrypt the larger number and get a password to spit out about once every 3 months... hardly worth the trouble. Doing the second number I can get a password about once or twice a day... And if I take over a few networked dual/quad XEONs I can do it in hours, which means it is actually 147 times EASIER to get into your website when you require an uppercase letter and a number in the 6 to 8 character password.

Allow 6-character passwords and I can use my home machine to get about 5 passwords per hour... or 30 with the stolen .edu network.

Last edited by V_RocKs; 12-12-2005 at 10:24 PM..