Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Correct me if I'm wrong, but aren't you describing a dictionary attack, not brute force?


I guess I just see a dictionary attack as a subset of brute force in that it's still a pretty naive attack, but it's not raw brute force.

OTOH I don't see why anyone would bother using a raw brute force attack against a password rather than just grabbing a dictionary of the most common passwords and exhausting those first.

In reality you are likely to run out of guesses before you hit the end of a common password list anyway.


A good system should take a significant but not intolerable amount of time to reject a bad password. Just a few seconds will impose a huge burden on a remote dictionary attack, while not diminishing the experience for a user who legitimately fat-fingers a password.

Also use fail2ban to impose a lockout after a certain number of failures. The lockout does not have to be permanent, it just has to make a remote dictionary attack so time-consuming as to be infeasible (of course this does open up a DOS vector, depending on how you implement the lockout).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: