Nullus Anxietas

I've observed a recent uptick in brute force (*) attacks on email accounts over the past couple days on all three of the servers I administer. It isn't intense, in fact so low-level they're unlikely to be successful, but it's definitely an increase.

Primary defense against this kind of thing is a long(ish), strong, randomized password, consisting of non-word upper- and lower-case letters, plus digits and punctuation. E.g.: "ahNg9eese4%", "Gaengi9Iek!!", "ei$Cohs9eeb"

It should go without saying, but I know some still haven't gotten the message: You should never share passwords across multiple accounts.

(*) A "brute force" attack is an attempt to get through the front door by repeatedly guessing user credentials. Usually passwords, where the username part is already known.

"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
Member

And multi-factor authentication. We are seeing a lot of attacks from Russia and London.
goodheart

Ensigmatic, I use Diceware for passwords. I actually throw the dice to get each character, use 6-7 characters. Is that good?

“Remember, remember the fifth of November!”
Needs a check up from the neck up

2 Factor identification is a must. Getting reports of our server getting hit very often at work.

The entire reason for the Second Amendment is not for hunting, it’s not for target shooting … it’s there so that you and I can protect our homes and our children and our families and our lives. And it’s also there as a fundamental check on government tyranny. -- Sen. Ted Cruz
Member

I'm hearing short but complex passwords are out and longer, multi-word passwords are in because it's not that hard to crack shorter passwords. Basically, use something like GlockAndHickoryStick8 instead of G10ck8nd#8
For real?

I'm getting random late night attempts from Vietnam into my email accounts. Not minority enough!
Nullus Anxietas

Doesn't work with a POP3/IMAP + submission email client, though.

The ones that have been hitting my servers the last couple days have been snow-shoeing in network space from Ireland and Russia.

Diceware can't be beat for entropy (randomness) but 7-8 characters is not long enough. Minimum of ten characters, these days. Longer, if possible.

This is true... -ish. That position is based upon the assumption that the password store (*), itself, has been compromised and the crackers can apply brute-force cracking attempts upon it directly, as opposed to coming in through the front door, as in what I'm seeing. That being said: I use way longer pass phrases on things that can be brute-forced in-place without an alarm being raised that it's happening. E.g.: WiFi access point passwords/pass phrases. And, of course, my electronic keyring (password safe).

(*) The "password store" (storage) is the database that contains the encrypted passwords.
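The two points made above, that Diceware words carry more entropy per symbol than single characters, and that the length you need depends on whether the guessing happens against a throttled login "front door" or against a stolen password store, are easy to put numbers on. The following is an added example written for this thread, not code posted by any participant. The guess rates (10/s online, 10^10/s offline) are constructed assumptions for illustration, the 7776-word list size is the standard Diceware list, and the charset-based estimate deliberately assumes the password was generated at random (it overestimates for human-chosen passwords).

```python
import math
import string

# Constructed guess-rate assumptions for illustration only (not measurements):
# a throttled live login service vs. an attacker holding a copy of the password store.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10

CHAR_CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),   # 26
    ("upper", frozenset(string.ascii_uppercase)),   # 26
    ("digit", frozenset(string.digits)),            # 10
    ("punct", frozenset(string.punctuation)),       # 32
)


def entropy_bits_chars(length, alphabet_size):
    """Entropy of `length` symbols, each drawn uniformly from `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def entropy_bits_diceware(words, list_size=7776):
    """Entropy of `words` Diceware words. Five dice give 6**5 = 7776 outcomes,
    so each word is worth about 12.9 bits; a word is just a big 'character'."""
    return entropy_bits_chars(words, list_size)


def estimate_bits(password):
    """Charset-based estimate: assumes the password was generated at random from the
    union of the character classes it visibly uses (as the thread's examples were).
    For a human-chosen password this is an upper bound, not a measurement."""
    alphabet = sum(len(chars) for _, chars in CHAR_CLASSES
                   if any(c in chars for c in password))
    return entropy_bits_chars(len(password), alphabet)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the right guess: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds):
    """Coarse, readable rendering of a duration in seconds."""
    year = 365.25 * 86400
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def scheme_table():
    """Compare a few password schemes at both guess rates; returns rows for display/testing."""
    schemes = [
        ("6 random chars, full printable set", entropy_bits_chars(6, 94)),
        ("10 random chars, full printable set", entropy_bits_chars(10, 94)),
        ("Diceware, 3 words", entropy_bits_diceware(3)),
        ("Diceware, 6 words", entropy_bits_diceware(6)),
        ('Thread example "ahNg9eese4%"', estimate_bits("ahNg9eese4%")),
    ]
    return [
        {
            "scheme": name,
            "bits": round(bits, 1),
            "online": human_duration(expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC)),
            "offline": human_duration(expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC)),
        }
        for name, bits in schemes
    ]


if __name__ == "__main__":
    print(f"{'scheme':42} {'bits':>6}  {'online':>12}  {'offline':>12}")
    for row in scheme_table():
        print(f"{row['scheme']:42} {row['bits']:>6}  {row['online']:>12}  {row['offline']:>12}")
```

Running it shows why the advice differs by setting: at ten guesses a second through a login endpoint even a modest random password holds up for ages, whereas against an offline copy of the store the same password falls in hours and only the long Diceware phrase survives.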
Eschew Obfuscation

I think password managers have really improved over the last couple of years such that everyone should be using one.

“One of the common failings among honorable people is a failure to appreciate how thoroughly dishonorable some other people can be, and how dangerous it is to trust them.” – Thomas Sowell
Shit don't mean shit

Isn't the simplest solution to implement a policy of only allowing X number of tries before the account logins are disabled for Y minutes? How many attempts does your system allow before locking the user out?

Also, in the example of "correct horse battery staple" above, if you can't share passwords across accounts do you need different phrases for each login? Or would "correct horse battery staple" be used for multiple accounts?
Oriental Redneck

Stupid question: How do you know they are attacking your account? Any accounts?

Q
Nullus Anxietas

That works great for manual logins. Not so much for logins that may be automated. E.g.: Email clients such as those to which I earlier referred re-login every NN minutes. If there were network issues between such a client and the server to which it was connected, it could cause problems. Never mind the complexity of keeping track of the state of essentially stateless connections on the server side, and the reactions of end-users when they find they're locked out and they did nothing wrong or untoward, but somebody from another part of the world was taking shots at their account.

Yes.

Absolutely not. The reason for complex passwords and pass phrases is to thwart brute force password cracking. The reason for never reusing them is so if one pass thingy is compromised, you're not compromised everywhere.

Not a stupid question at all, Q. I know because I administer the servers in question and see the activity in the daily server log summaries. If you mean how does an average Joe or Jane end-user know? They won't. Unless their account is compromised. The purpose of my warning was to share with my friends on SF this is happening.
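The objection above to "X tries then lock the account for Y minutes" is that it punishes the owner of the account being guessed, including automated mail clients that re-login on a schedule. The usual alternative is to count failures per source address in a sliding window and throttle or block the source, which is what the daily log summaries mentioned here are surfacing. Below is an added example for this thread, not code from any participant: it walks constructed log lines in an invented syslog-like shape (not real Dovecot or Postfix output), using TEST-NET addresses, and flags a source once it exceeds an assumed threshold of 5 failures in 300 seconds, while a legitimate user with two failures half an hour apart is left alone.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log in an invented "<iso-timestamp> <result> user=<u> rip=<ip>" shape.
# 203.0.113.7 is one source guessing several accounts; 198.51.100.20 is a real user
# who mistyped once, then again much later. Both are TEST-NET documentation addresses.
SAMPLE_LOG = """\
2024-05-01T02:14:07 auth-failed user=bob rip=203.0.113.7
2024-05-01T02:14:09 auth-failed user=bob rip=203.0.113.7
2024-05-01T02:14:12 auth-failed user=carol rip=203.0.113.7
2024-05-01T02:14:15 auth-failed user=dave rip=203.0.113.7
2024-05-01T02:14:18 auth-failed user=erin rip=203.0.113.7
2024-05-01T02:14:21 auth-failed user=bob rip=203.0.113.7
2024-05-01T02:15:00 auth-failed user=alice rip=198.51.100.20
2024-05-01T02:15:02 auth-ok user=alice rip=198.51.100.20
2024-05-01T02:45:30 auth-failed user=alice rip=198.51.100.20
2024-05-01T02:45:31 auth-ok user=alice rip=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>auth-failed|auth-ok) user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else (lines are skipped, not trusted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "auth-ok",
        "user": m["user"],
        "ip": m["ip"],
    }


def flag_sources(lines, threshold=5, window_seconds=300):
    """Per-source sliding window: flag an IP the first time it reaches `threshold`
    failed logins within `window_seconds`. Successes are ignored on purpose: a source
    that is guessing does not get credit for a lucky hit."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    targeted = defaultdict(set)   # ip -> accounts it has failed against
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures that have aged out of the window
        targeted[ev["ip"]].add(ev["user"])
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = {
                "at": ev["ts"].isoformat(),
                "failures": len(q),
                "users": sorted(targeted[ev["ip"]]),
            }
    return flagged


def failures_by_source(lines):
    """Total failed logins per source IP, the number a daily summary would report."""
    return Counter(ev["ip"] for ev in map(parse_line, lines) if ev and not ev["ok"])


def failures_by_user(lines):
    """Total failed logins per account: what a per-account lockout policy would react to."""
    return Counter(ev["user"] for ev in map(parse_line, lines) if ev and not ev["ok"])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in flag_sources(lines).items():
        print(f"throttle {ip}: {info['failures']} failures by {info['at']}, accounts {info['users']}")
    print("per source:", dict(failures_by_source(lines)))
    print("per user:  ", dict(failures_by_user(lines)))
```

Note that `failures_by_user` shows bob with three failures he never caused; a per-account lockout keyed on that count would lock him out while the guessing source carried on against carol and dave. Keying on the source instead isolates the noise without touching the legitimate client at 198.51.100.20.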
So let it be written, so let it be done...

Thanks for the info! I've heard of programs that can cycle through guesses at incredible speeds. It makes me wonder though - how fast can they attempt a login to an account, enter a password, and receive a response?

'veritas non verba magistri'
Nullus Anxietas

You're welcome.

Yes. I've used such software, when I was still employed, to occasionally vet the password databases at work for weak credentials. But I had direct access to the password stores.

Not very. Long, involved explanation, but such brute-force attacks over the Internet have a low probability of succeeding unless the attacker gets lucky. My aim is to prevent them getting lucky.
Oriental Redneck

Yeah, I was wondering if average Q like me would know at all. Well, that kind of sucks, because you want to be preventive, not wait until the dam is already breached. Thanks.

Q
Eschew Obfuscation

I remember a few years ago someone created an animation of a DDoS attack on a server. That was an eye opener.
Alea iacta est

I use LastPass and it generates a secure password for me. All I do is set the length. Here is a 12 character example: bn!C27#fnW41

The “lol” thread
Member

I highly recommend 1Password for a password manager. You can set up a group account for everyone in your family as well. With that you’ll get your own vault for each member that isn’t accessible by anyone else, as well as set up a group vault that everyone can have access to if you want. It’s usable across all platforms as well. We’ve been using it for years now and it’s been extremely useful. Passwords aren’t all it’s good for either... you can use it for secure notes etc. as well.
eh-TEE-oh-clez

Correct. More bits of entropy. "This Password Is Better Than Yours And An ! And 1 To 6 Numbers" makes a good password =)
אַרְיֵה

Damn! You guessed my password!

My hovercraft is full of eels.
Member

Passwords of 32 character length, with upper and lower case, numbers and special attributes are becoming more in use. And not so long ago, using a movie title as a password was very difficult to crack, whether using brute force, rainbow tables ... Example: Happy Gilmore - H@ppyGi1m0r5. Yeah, for some reason, a swath of Adam Sandler movies.

To limit potential cyber security incidents:
- Least privilege - restrict administrative privileges
- Multi factor authentication - if available, e.g. Gmail accounts.
- Patch the OS
- And backup!

Further, to mitigate and prevent malware:
- Patch applications
- Web browsers - block Flash or uninstall.
- Block ads and Java
- Block macros from the internet
- Application control

Not to worry if the above doesn't make much sense, but at least you may recall and may now take some steps to protect your email, contacts and online activities.

What ensig is saying - if you haven't changed your password of late, now is the time to do so. Separate passwords for your email accounts. Different passwords for your online viewing accounts, such as Netflix. Different password for online banking. And so forth. Yes, it is easy to remember the same password for everything. A compromise of one leads to the others. At the very least, does your online banking app allow for two factor (2FA) or multi factor (MFA)? Your password and a PIN sent to your phone via SMS are examples of 2FA. Now is really a great time to review ...

"We are all born ignorant, but one must work hard to remain stupid." ~ Benjamin Franklin
"If anyone in this country doesn't minimise their tax, they want their head read, because as a government, you are not spending it that well, that we should be donating extra..." ~ Kerry Packer
SIGForum: the island of reality in an ocean of diarrhoea.