WebApp Sec mailing list archives
RE: RE: looking for a webapp bruteforce video for non-techies
From: admin () systemstates net
Date: Tue, 03 Jun 2008 09:38:50 -0700
-------- Original Message -------- Subject: RE: looking for a webapp bruteforce video for non-techies From: "Martin O'Neal" <martin.oneal () corsaire com> Date: Tue, June 03, 2008 5:01 pm To: "Robin Wood" <dninja () gmail com>, <webappsec () securityfocus com>, "pen-test" <pen-test () securityfocus com>It didn't help that the password was only 5 characters!That may not actually be such a bad password (on balance and in context). Sure it is a dictionary/leet word variant, but five characters actually carry plenty of entropy (if mixed case and numerics are also used). However, if you have an authentication mechanism that doesn't lock out an account and *allows* brute forcing, it doesn't really matter how strong the password is; given enough universe-lifetimes an attacker will always guess it eventually.
I saw one setup where I could recover three quarters (about four thousand) of one set of passwords on a Celeron 2GHz in under an hour. Another set of passwords were forced to 4-digits (insane, I know), and due to the number of users, each would share his/her password with about 4 other people. The point is here, you wouldn't necessarily break any per-user lockout limits, because you could take thirty minutes looping over the entire userbase with the same password, then start again and still get a good number of cracks. So, definitely depends on the size of your userbase and whether they can be effectively enumerated. Even so, I wouldn't regard any dictionary word with one character tweaked as secure these days. cheers, -- www.systemstates.net - penetration test / IDS / incident response ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Martin O'Neal (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Paul Melson (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Paul Melson (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Jakub (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Dan Walker (Jun 03)
- Message not available
- Re: looking for a webapp bruteforce video for non-techies Robin Wood (Jun 03)
- RE: looking for a webapp bruteforce video for non-techies Martin O'Neal (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies pand0ra (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Anthony Cicalla (Jun 03)
- Re: looking for a webapp bruteforce video for non-techies Anthony Cicalla (Jun 03)
- <Possible follow-ups>
- RE: RE: looking for a webapp bruteforce video for non-techies admin (Jun 03)