HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Brute force password attack

I recently downloaded and installed Vanilla Forums on my laptop to test before I upload it to my website. During testing I noticed that there is no protection against brute force password attacks. The login system only blocks password attempts that are faster than 1 second (as far as I know).

So if a hacker writes a script that attempts to log into an account every 1.5 seconds, they can try 57,600 different passwords in one day or 403,200 in a week. That’s quite scary to me or am I missing something?

Would it not be better to have a reCAPTCHA pop up after a few failed login attempts or maybe make waiting time longer between failed log in attempts?

Comments

  • LincLinc Former Staff Detroit Admin

    http://www.lockdown.co.uk/?pg=combi&s=articles

    By applying 1/sec rate limiting, we've reduced the ability of a brute force to be 1/10,000th the speed of a Class A (slowest) attack on that page.

    That puts a terrible password of 6 lowercase letters at 9.7 years to brute force.

    I believe our current safeguard is sufficient.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    @Linc said:
    I believe our current safeguard is sufficient.

    You should change the password for your ATM .... :proud:

    K17
  • Thanks for your reply. The link you posted is very interesting. To be honest I still think the current login system is weak, because it can be attacked by a script that runs through thousands of common passwords.

    Some people use easy passwords and they use the same password for everything. So if a hacker gains a person’s forum password, they maybe able to gain access to their email address, financial stuff, etc.

    I think the login system could be much improved with reCAPTCHA after maybe 5 failed login attempts. I don’t think it would affect usability much either. If you can’t remember your password after 5 failed login attempts, it would probably be easier to just reset your password than try another 20 times.

  • there is nothign stopping you adding brute force protection. There is already plug ins

    https://open.vanillaforums.com/addon/loginthrottle-plugin
    https://open.vanillaforums.com/addon/loginguard-plugin

    You can also create your own.

    grep is your friend.

  • LincLinc Former Staff Detroit Admin

    I don't recommend plugin solutions for problems created by gut reactions and feelings rather than critical thinking. It contributes to FUD.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!