How (un)secure do you consider passwords

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How (un)secure do you consider passwords

Post by superdezign »

kaisellgren wrote:
superdezign wrote:Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.
Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How (un)secure do you consider passwords

Post by Mordred »

kaisellgren wrote:
superdezign wrote:Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.
That doesn't sound like a bad thing; you get warned that the attack is going on (if you don't have other warning measures, that is).
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How (un)secure do you consider passwords

Post by kaisellgren »

superdezign wrote:Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.
I could use CAPTCHA on administrative accounts by default, but the strength of my login credentials is enough for my purpose and the same applies to all administrators. It's a question about usability and security. If someone wants to brute force our login system, he would need so much time that the sun will explode before he succeeds unless he is very very lucky. It would be wiser to find another way to get in.
Mordred wrote:That doesn't sound as a bad thing, you get to get warned that the attack is going on (if you don't have other warning measures, that is)
True, although I prefer to keep responsibilities where they belong, meaning that CAPTCHAs would distinguish between humans and bots, and my system, which told me about the "suspicious activity", would alert me.
AlexC
Forum Commoner
Posts: 83
Joined: Mon May 22, 2006 10:03 am

Re: How (un)secure do you consider passwords

Post by AlexC »

arjan.top wrote:not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
I take it this method you use blocks the account after so many failed attempts? If so, bring on the mass user-account blocking. Probably equally as annoying as having the actual account breached. You shouldn't tie failed attempts to a user's account.
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: How (un)secure do you consider passwords

Post by arjan.top »

Nothing is blocked; the user just has to solve the captcha the next time she logs in.
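The scheme arjan.top describes (a per-username failure counter in the user table, a CAPTCHA demanded once it passes a threshold, the counter reset when the CAPTCHA is solved, and no account ever locked), combined with superdezign's suggestion of always showing the CAPTCHA for administrative accounts, as an added example. This is not code from the thread or from any poster; the table layout, the threshold of 3, the function names and the sample accounts are assumptions made for illustration, and the CAPTCHA verification itself is assumed to be done by the caller.

```php
<?php
// Added example, not code from the thread. Per-username failed-login
// counter that gates the login form behind a CAPTCHA instead of locking
// the account. Table, threshold and function names are assumptions.
declare(strict_types=1);

const CAPTCHA_AFTER_FAILURES = 3;   // assumed threshold

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        username      TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        is_admin      INTEGER NOT NULL DEFAULT 0,
        failed_logins INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample accounts (not real credentials).
    $ins = $pdo->prepare('INSERT INTO users VALUES (?, ?, ?, 0)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 0]);
    $ins->execute(['admin', password_hash('hunter2!xyz', PASSWORD_DEFAULT), 1]);
    return $pdo;
}

// Does the login form for this username need a CAPTCHA right now?
// Admin accounts always do; normal accounts only after repeated failures.
// Unknown usernames get the same answer as a fresh normal account, so the
// check itself does not reveal which usernames exist.
function captchaRequired(PDO $pdo, string $username): bool {
    $st = $pdo->prepare('SELECT is_admin, failed_logins FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return (int) $row['is_admin'] === 1
        || (int) $row['failed_logins'] >= CAPTCHA_AFTER_FAILURES;
}

// One login attempt. $captchaSolved is the caller's result of verifying
// whatever CAPTCHA the form showed. Returns 'ok', 'captcha_required' or
// 'bad_credentials'. The account is never locked: a CAPTCHA is the only
// extra cost, and only once the counter has passed the threshold.
function attemptLogin(PDO $pdo, string $username, string $password, bool $captchaSolved): string {
    if (captchaRequired($pdo, $username) && !$captchaSolved) {
        // Do not even check the password: a bot that cannot solve the
        // CAPTCHA gets no password oracle and cannot drive the counter.
        return 'captcha_required';
    }

    $st = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash for unknown users so that the response
    // time does not differ much between existing and missing usernames.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $valid = password_verify($password, $row === false ? $dummy : $row['password_hash'])
        && $row !== false;

    if ($valid) {
        $pdo->prepare('UPDATE users SET failed_logins = 0 WHERE username = ?')
            ->execute([$username]);
        return 'ok';
    }
    if ($row !== false) {
        // A solved CAPTCHA resets the count before this failure is added;
        // a failure without one just increments it.
        $sql = $captchaSolved
            ? 'UPDATE users SET failed_logins = 1 WHERE username = ?'
            : 'UPDATE users SET failed_logins = failed_logins + 1 WHERE username = ?';
        $pdo->prepare($sql)->execute([$username]);
    }
    return 'bad_credentials';
}

// Walk-through with the constructed accounts.
$pdo = openDb();
foreach (['guess1', 'guess2', 'guess3'] as $p) {            // three bot guesses
    echo 'alice/' . $p . ': ' . attemptLogin($pdo, 'alice', $p, false) . "\n";
}
echo 'alice needs captcha: ' . var_export(captchaRequired($pdo, 'alice'), true) . "\n";
echo 'alice, right password, no captcha: ' . attemptLogin($pdo, 'alice', 'correct horse', false) . "\n";
echo 'alice, right password, captcha solved: ' . attemptLogin($pdo, 'alice', 'correct horse', true) . "\n";
echo 'alice needs captcha: ' . var_export(captchaRequired($pdo, 'alice'), true) . "\n";
echo 'admin, right password, no captcha: ' . attemptLogin($pdo, 'admin', 'hunter2!xyz', false) . "\n";
```

Run with `php` on any build that has pdo_sqlite. The walk-through makes three bad guesses against alice, after which her form requires a CAPTCHA and even the right password is refused until one is solved; a solved CAPTCHA plus the right password logs in and clears the counter, while the admin account asks for a CAPTCHA on every attempt regardless of its counter. The trade-off AlexC raises is visible here: anyone who knows a username can make its owner solve a CAPTCHA on the next login, but cannot lock the owner out. The same `failed_logins` column, or a log line written where it is incremented, is also the natural source for the "suspicious activity" alert kaisellgren mentions.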
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How (un)secure do you consider passwords

Post by superdezign »

I've also seen companies use blocks successfully. Their "CAPTCHA" is a phone call. ;)