Would this help deter brute force hacking?

Chaotic42

Lifer
Jun 15, 2001
First of all, I'm really, really tired. This idea makes sense to me now, but I can't be sure that it really does have any logic to it. If not, forgive me.

What if the computer were set to reject all passwords, even correct ones, a random number of times before accepting the correct password? Would that help deter brute force attacks, since they would have to have three or four more attempts than they do now?

Here's an example. The password is "steve"

Enter Password: steve
Incorrect
Enter Password: steve
Incorrect
Enter Password: steve
Incorrect
Enter Password: steve
$

Since people who don't know the password would have no idea if they failed or if they got it right, it would slow them down.

Thoughts?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: Chaotic42
to reject all passwords, even correct ones, a random number of times before accepting the correct password? Would that help deter brute force attacks, since they would have to have three or four more attempts than they do now?

Let's say we randomly reject all passwords 1-4 times. For our example we will say that all passwords are 1 character and only consist of alpha-numeric chars (case sensitive). That gives us 62 unique password characters.

An attacker would have to try on average 62 * 2.5 (155) attempts to guess the password, with a worst case of 62 * 4 attempts 248.

Now, instead of randomly rejecting the password, let's instead increase our password length by one character. The attacker would have to attempt an average of (62 * 62) / 2 (1922) attempts with a worst case of 62*62 (3844) attempts.

So, simply put, increasing password complexity far exceeds the benefit from the idea suggested.

Sorry,
Bill
 

Aluf

Member
Nov 4, 2004
In firewall technology it's named "port knocking" - all ports are closed by default, but if some predefined sequence of port attempts occurs, a connection is established. Haven't seen any extensive studies or trials on whether it deters the attacker. But as always it's a question of RISK = VULNERABILITY*THREAT, so it depends on who and which types of attackers/attacks to defend against.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: Aluf
In firewall technology it's named "port knocking" - all ports are closed by default, but if some predefined sequence of port attempts occurs, a connection is established. Haven't seen any extensive studies or trials on whether it deters the attacker. But as always it's a question of RISK = VULNERABILITY*THREAT, so it depends on who and which types of attackers/attacks to defend against.

But it's not the same thing. In the scenario outlined here, you know that a password is required; in common use you'd know it could take up to N tries for that password to be accepted. Port knocking is about reducing the attacker footprint: externally the attacker doesn't even know that the service that requires the password is running on the box.

Bill
 

Nothinman

Elite Member
Sep 14, 2001
Originally posted by: Chaotic42
What if the computer were set to reject all passwords, even correct ones, a random number of times before accepting the correct password? Would that help deter brute force attacks, since they would have to have three or four more attempts than they do now?

Why not just use the NT method of slowing down auth attempts after X amount of incorrect passwords? If the password is entered incorrectly 3 times, sleep for 2 seconds before prompting again and if it's wrong again sleep for 2.5, then 3, etc.
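The escalating-delay policy Nothinman describes, written out as an added example (not code from the thread): no penalty for the first two failures, 2 s after the third, then half a second more per further failure. The gate, its names and the `sleep` injection are my construction; the `total_delay` helper shows what the schedule costs a guesser over many attempts.

```python
import hmac
import time


def delay_for(failures, free_attempts=3, base=2.0, step=0.5):
    """Seconds to wait after `failures` consecutive wrong passwords:
    nothing for the first two, 2 s on the third, then +0.5 s per failure."""
    if failures < free_attempts:
        return 0.0
    return base + step * (failures - free_attempts)


def total_delay(failures, **policy):
    """Cumulative wait a guesser pays for `failures` wrong attempts in a row.
    The schedule is linear per attempt, so the total grows quadratically:
    1000 misses already cost about 2.9 days of enforced waiting."""
    return sum(delay_for(f, **policy) for f in range(1, failures + 1))


class ThrottledLogin:
    """Constructed login gate; `sleep` is injectable so tests need not wait."""

    def __init__(self, secret, sleep=time.sleep):
        self._secret = secret.encode()
        self._sleep = sleep
        self.failures = 0  # consecutive failures, reset on success

    def attempt(self, password):
        # A real system would verify a salted hash rather than a plaintext
        # secret; constant-time comparison keeps the check itself from
        # leaking anything about the secret through timing.
        if hmac.compare_digest(password.encode(), self._secret):
            self.failures = 0
            return True
        self.failures += 1
        wait = delay_for(self.failures)
        if wait:
            self._sleep(wait)  # throttle before the next prompt is shown
        return False


if __name__ == "__main__":
    gate = ThrottledLogin("steve", sleep=lambda s: print(f"  (waiting {s} s)"))
    for guess in ["steev", "stve", "Steve", "steve5", "steve"]:
        print(f"Enter Password: {guess} -> {'$' if gate.attempt(guess) else 'Incorrect'}")
```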
 

drag

Elite Member
Jul 4, 2002
I like the method of simply having complex passwords that can't be brute forced in any reasonable amount of time, then combining that with shutting off access after a certain number of attempts to stop abusers.

OR better yet use public key pairs on a USB keychain and avoid ever having to deal with passwords, then update and change that keypair on a regular basis. You can setup Linux to use a USB key thru setting up PAM modules (you can even completely disable password authentication if you're so inclined), and you can setup OpenSSH to work with keypairs.

No Gimmicks. Security thru obscurity is never a reliable solution.
 

Wyck

Senior member
Jun 13, 2001
...and you'd be driving your users absolutely insane... especially when typos are thrown into the mix.
 

DnetMHZ

Diamond Member
Apr 10, 2001
It's more annoyance for admins but why not just lock the account after x number of failed attempts?
Of course in addition to requiring complex and expiring passwords.
 

skyking

Lifer
Nov 21, 2001
Originally posted by: drag
No Gimmicks. Security thru obscurity is never a reliable solution

This statement by itself is true. I do not use obscurity by itself.
Why run ssh through port 22, for example? I had kiddies filling the auth.log until I moved it to some higher random port. I still use strong passwords, but obscurity does limit your aggregate exposure.
Now the auth.log has only my logins:)
I could shut down the port at the router, but THAT requires me to open the router up to outside logins. I like my solution better. I can ssh back to the router if I need custom stuff done.
 

Aluf

Member
Nov 4, 2004
Originally posted by: bsobel
But it's not the same thing. In the scenario outlined here, you know that a password is required, in common use you'd know it could take up to N tries for that password to be accepted. Portknocking is about reducing the attacker footprint, externally the attacker doesn't even know that the service that requires the password is even running on the box.

Bill

Yes of course they're different, I brought it as an analogy to compare with, but I should have written concluding remarks (my fault, oops). So given the quite randomizable nature of the port knocking pattern (whereas in the suggested password scheme one can only decide how many logins to count [and you can't be very creative here - who'd put up with entering a password 10 times?]), nevertheless port knocking isn't regarded as a plausible security measure at all (against whatever risk), therefore from my point of view the way to count logins would be just a nuisance to users. Esp. from my experience you don't get your machine brute-forced as a matter of everyday routine, and if you do then chances are there's someone dedicated to breaking into this particular machine and password counting is useless and counterproductive (giving a false feeling of security).
Regards.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: Aluf
Yes of course they're different, I brought it as an analogy to compare with, but I should have written concluding remarks (my fault, oops). So given the quite randomizable nature of the port knocking pattern (whereas in the suggested password scheme one can only decide how many logins to count [and you can't be very creative here - who'd put up with entering a password 10 times?])

The root problem is you're not adding enough additional bits to be useful. As outlined, the proposal (at best) adds 2 additional bits. Adding another password char can add 5-6.

nevertheless port knocking isn't regarded as a plausible security measure at all (against whatever risk)

We might want to follow this up in another thread, but I disagree (I've argued this point many times, as I was doing PN work years ago). Against a specific attacker who has knowledge of your network and services, it can be argued it's not useful. But against a breadth of random attackers looking for 'open doors', it is useful because it causes them to move on to another easier target. Much like the theory of having a club or car alarm on your vehicle. The thief that wants *that car* will still get it, but most thieves want *a car* and will move to the one easiest to take.

Bill
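Bill's arithmetic in his two replies (average and worst-case attempts for one 62-symbol character with 1-4 fake rejections versus one extra character, and the "bits added" comparison), worked through as an added example that is not part of the thread. The model is my assumption: the verifier rejects the correct password a uniform-random 1..4 times and the attacker, unable to tell a fake reject from a miss, sweeps the whole candidate space pass after pass; the class and function names are constructed for the example.

```python
import math
import string
from itertools import product

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in Bill's example


class RejectingVerifier:
    """Constructed verifier: rejects the correct secret `rejects` times first."""

    def __init__(self, secret, rejects):
        self.secret = secret
        self.remaining_rejects = rejects
        self.attempts = 0

    def check(self, guess):
        self.attempts += 1
        if guess != self.secret:
            return False
        if self.remaining_rejects > 0:
            self.remaining_rejects -= 1
            return False  # looks exactly like a wrong guess to the caller
        return True


def cycling_attack(verifier, length, alphabet=ALPHABET):
    """Sweep the whole candidate space, then sweep again, until accepted."""
    while True:
        for chars in product(alphabet, repeat=length):
            if verifier.check("".join(chars)):
                return verifier.attempts


def expected_attempts(length, max_rejects, n=len(ALPHABET)):
    """Mean attempts for the cycling attacker: E[rejects] * space + E[position],
    with the reject count uniform in 1..max_rejects (0 means no fake rejects)."""
    space = n ** length
    mean_rejects = (max_rejects + 1) / 2 if max_rejects else 0
    return mean_rejects * space + (space + 1) / 2


def worst_case_attempts(length, max_rejects, n=len(ALPHABET)):
    """Every candidate tried max_rejects + 1 times."""
    return (max_rejects + 1) * n ** length


def bits_added(max_rejects, n=len(ALPHABET)):
    """Entropy equivalent: log2 of each defence's worst-case multiplier."""
    return math.log2(max_rejects + 1), math.log2(n)
```

With these assumptions the fake rejections raise the worst case from 62 to 310 attempts (about 2.3 bits) while one extra character raises it to 3844 (about 6 bits), which is the gap Bill's replies point at.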
 

drag

Elite Member
Jul 4, 2002
Originally posted by: skyking
No Gimmicks. Security thru obscurity is never a reliable solution
This statement by itself is true. I do not use obscurity by itself.
Why run ssh through port 22, for example? I had kiddies filling the auth.log until I moved it to some higher random port. I still use strong passwords, but obscurity does limit your aggregate exposure.
Now the auth.log has only my logins:)
I could shut down the port at the router, but THAT requires me to open the router up to outside logins. I like my solution better. I can ssh back to the router if I need custom stuff done.

I didn't say obscurity doesn't work, I said that it doesn't work reliably.

:)
 

VirtualLarry

No Lifer
Aug 25, 2001
Ever play that old Activision game, "Hacker"? I think I still have it here on 5.25" somewhere. If you've played it, you would note the similarity to the OP. :)