View Single Post
Old 2009-12-01, 12:39 PM   #11
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Send a message via ICQ to raymor
It might be worth rephrasing what I said above since there are some
comments that may be unclear or misleading because the respondents
perhaps didn't pay close attention to your question. As you may know, we
sell the leading security system to protect you from brute force, but you do
NOT need to buy our product or any other, based on what you've said.
It sounds like your situation is one where you really don't need to worry
about brute force, probably, so don't let any scare tactics in sales pitches
you may come across confuse you. Although more sales for us would be
great, we do NOT want to sell you something you don't need.

That's based on your question in your initial post - "assuming I choose a
good long password ... ". That tells me that it's just you accessing it, we're
not talking about your members' area or another highly advertised URL.
In that case, and assuming you choose a password, or better pass phrase,
that is at least 10-12 characters long it will not be brute forced. Even with a
user name and password of only nine characers here's the math:

There are this many possible user names:
84,590,643,846,578,176
There are also this many possible passwords:
84,590,643,846,578,176

To successfully hack the site by brute force, the hacker
has to guess a valid combination of username and password.
To get the number of possible combinations he would have
to try, we multiply the number of usernames he has to try
by the number of passwords for each one:
7,155,577,026,378,634,231,908,944,079,486,976

That's a huge number, of course. How long would it take to brute force that?

113,450,929,515,135,626,457,207 years - time to brute force.
13,700,000,000 years - Age of the universe, since Big Bang.
65,000,000 years - time since dinosaurs


So if God had started trying to brute force your site at the same time that
he created the universe, His progress bar on his brute force software still
wouldn't have hit 1%. The above math assumed he tries one combination
per second. Even trying a hundred combinations per second, it'll still take
this many years:
1,134,509,295,151,356,264,572
That's still longer than the age of the universe, so unless you expect your
site to be a around a lot longer than the universe, you don't need any
software that's being promoted to protect that directory from brute force.
It would be a waste of money. It you WANT such protection, we can help
you, and Strongbox is quite affordable, but you don't need it in this case,
not for brute force protection.


Another type of attack related to brute force is a "dictionary attack". That's
where it's important that you said you'd choose a good password. If you
chose a crappy password, like "admin" or "password" you'd need to get
some protection, and really should also get a clue. But you specifically said
"if I choose a good long password", in which case you need not be worried
about a dictionary attack. One thought that helps to choose a good
password is to stop calling it a password and think "pass phrase" instead.
Something like "Living with quinns phone, Ray" isn't going to fall to dictionary
attack (or brute force). So you do not need to buy, or lease, any special
software if you choose a good long pass phrase. Our software, like others,
is useful mainly when you have members log in. Members don't choose
good long pass phrases.

Since it won't fall to brute force or dictionary attack, what's left is social
engineering (tricking you into telling someone) or cracking the password
file. No software will prevent you from telling your password, that's just
a matter of being careful. Because password files by default use encryption
from 1974, cracking the password file is a real possibility and that's how
many sites get hacked. Additionally, the default 1974 style encryption,
called "DES", actually uses only the first eight characters of your password,
so that good long password you chose it silently turned into a short weak one.
ONLY our system takes care of that encryption, which is the only real issue you have.
You don't need brute force protection software, you just need an encrpytion upgrade.



Only our
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote