Re: Likelihood of brute force attacks against web apps

[Dave Ferguson <dferguson () touchnet com>]

In scenario #2, rather than resetting the password, wouldn't it be better to have the user enter his e-mail address and then (asssuming it is a valid address in the system) have the system send an e-mail to that address with his current password?  

Thanks,
Dave F.

Saqib.N.Ali () seagate com wrote:
> Hello,
>
> Why don't you use captcha for both of these scenarios? It should prevent
> any brute force attacks.
>
> For scenario #2, you can restrict to 3 attempts from a given IP, within a
> 24 hour period.
>
> Thanks.
> Saqib Ali
> http://validate.sf.net
>
> Stephen de Vries <stephen () corsaire com> wrote on 10/12/2004 04:58:20 AM:
>
>
> > Hi list,
> >
> > We frequently warn clients of the risks of brute force or automated
> > attacks against their sites and recommend the use of CAPTCHA
> > (www.captcha.net) systems, or "secret questions" to mitigate this risk.
> >  For example:
> >
> > - The registration process does not use captcha like systems and could
> > allow attackers to use an automated script to generate thousands of
> > fictitious users.  These users can then be used to perform transactions
> > that could lead to financial loss (e.g. costs due to rejected credit
> > card), or waste resources through database access (and wasted storage).
> >
> > - The password reminder mechanism requires only the user's email
> > address which is used to send them an email for resetting their
> > password.  But since it requires no further auth from the user (such as
> > an answer to a secret question), an attacker could enumerate all the
> > valid email addresses registered to the site by writing a brute force
> > script and using a database of email addresses (this may be
> > particularly useful to a competitor).  Of course, if the email address
> > is used as the username, this problem becomes more serious.
> >
> > Although these risks are real - and I don't doubt they will be used in
> > the future - I'm not aware of any attacks of this sort being  conducted
> > in the past.  Is anyone aware of these types of attacks in real-world
> > scenarios?  Do you think these pose a serious threat?
> >
> > regards,
> > Stephen
> >
> >
> >  ----------------------------------------------------------------------
> >  CONFIDENTIALITY: This e-mail and any files transmitted with it are
> >  confidential and intended solely for the use of the recipient(s) only.
> >  Any review, retransmission, dissemination or other use of, or taking
> >  any action in reliance upon this information by persons or entities
> >  other than the intended recipient(s) is prohibited. If you have
> >  received this e-mail in error please notify the sender immediately
> >  and destroy the material whether stored on a computer or otherwise.
> >  ----------------------------------------------------------------------
> >  DISCLAIMER: Any views or opinions presented within this e-mail are
> >  solely those of the author and do not necessarily represent those
> >  of Corsaire Limited, unless otherwise specifically stated.
> >  ----------------------------------------------------------------------