#1
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
Quote:
Force Attack Protection feature. Too many 401 errors on an IP address will get the IP address blocked. If the IP address has been associated with brute force, we remember/block the IP address. It doesn't matter whether there were 10K attempts or 5k attempts from that IP address ... it's the IP address we block.

The other key to stopping the brute force attack is this: if they do get a password, Phantom Frog catches the abused password almost immediately using High-Resolution Geo-IP tracking ... pretty soon the hackers get frustrated and go somewhere else. Geo-IP tracks all accesses to the members area down to the city level. We offer a free trial of Geo-IP Pass Abuse Detection. This is in addition to our Automated Member Support (AMS) feature which provides 24/7 uninterrupted access to legit members and none to hackers.

Thanks George
#2
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
It might be worth rephrasing what I said above since there are some comments that may be unclear or misleading because the respondents perhaps didn't pay close attention to your question. As you may know, we sell the leading security system to protect you from brute force, but you do NOT need to buy our product or any other, based on what you've said. It sounds like your situation is one where you really don't need to worry about brute force, probably, so don't let any scare tactics in sales pitches you may come across confuse you. Although more sales for us would be great, we do NOT want to sell you something you don't need.

That's based on your question in your initial post - "assuming I choose a good long password ... ". That tells me that it's just you accessing it, we're not talking about your members' area or another highly advertised URL. In that case, and assuming you choose a password, or better pass phrase, that is at least 10-12 characters long, it will not be brute forced. Even with a user name and password of only nine characters, here's the math:

There are this many possible user names: 84,590,643,846,578,176

There are also this many possible passwords: 84,590,643,846,578,176

To successfully hack the site by brute force, the hacker has to guess a valid combination of username and password. To get the number of possible combinations he would have to try, we multiply the number of usernames he has to try by the number of passwords for each one: 7,155,577,026,378,634,231,908,944,079,486,976

That's a huge number, of course. How long would it take to brute force that?

113,450,929,515,135,626,457,207 years - time to brute force.

13,700,000,000 years - Age of the universe, since Big Bang.

65,000,000 years - time since dinosaurs

So if God had started trying to brute force your site at the same time that he created the universe, His progress bar on his brute force software still wouldn't have hit 1%. The above math assumed he tries one combination per second. Even trying a hundred combinations per second, it'll still take this many years: 1,134,509,295,151,356,264,572

That's still longer than the age of the universe, so unless you expect your site to be around a lot longer than the universe, you don't need any software that's being promoted to protect that directory from brute force. It would be a waste of money. If you WANT such protection, we can help you, and Strongbox is quite affordable, but you don't need it in this case, not for brute force protection.

Another type of attack related to brute force is a "dictionary attack". That's where it's important that you said you'd choose a good password. If you chose a crappy password, like "admin" or "password" you'd need to get some protection, and really should also get a clue. But you specifically said "if I choose a good long password", in which case you need not be worried about a dictionary attack. One thought that helps to choose a good password is to stop calling it a password and think "pass phrase" instead. Something like "Living with quinns phone, Ray" isn't going to fall to dictionary attack (or brute force). So you do not need to buy, or lease, any special software if you choose a good long pass phrase. Our software, like others, is useful mainly when you have members log in. Members don't choose good long pass phrases.

Since it won't fall to brute force or dictionary attack, what's left is social engineering (tricking you into telling someone) or cracking the password file. No software will prevent you from telling your password, that's just a matter of being careful. Because password files by default use encryption from 1974, cracking the password file is a real possibility and that's how many sites get hacked. Additionally, the default 1974 style encryption, called "DES", actually uses only the first eight characters of your password, so that good long password you chose is silently turned into a short weak one.

ONLY our system takes care of that encryption, which is the only real issue you have. You don't need brute force protection software, you just need an encryption upgrade. Only our
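Added example, not part of the original post and not any vendor's code: a small audit that finds password-file entries still stored as traditional DES crypt and shows which part of a pass phrase such an entry actually protects. It assumes an Apache-style `user:hash` file; the sample entries and their hash values are constructed placeholders.

```python
import re

# Traditional DES crypt(3) output: 2-character salt + 11-character hash,
# all drawn from the alphabet ./0-9A-Za-z.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
DES_SIGNIFICANT_CHARS = 8  # per the post: only the first eight characters count

def classify(hash_field):
    """Name the hashing scheme of one password-file hash field by its format."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"

def effective_secret(password, scheme):
    """Return the part of the password that the scheme actually hashes."""
    return password[:DES_SIGNIFICANT_CHARS] if scheme == "des-crypt" else password

def audit(passwd_text):
    """Return [(user, scheme)] for entries stored as DES crypt (need re-hashing)."""
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        if scheme == "des-crypt":
            findings.append((user, scheme))
    return findings

# Constructed sample file; the hash values are placeholders, not real hashes.
SAMPLE = """\
admin:ab1cD2eF3gH4i
george:$apr1$saltsalt$PLACEHOLDERPLACEHOLDER
ray:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDER
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}, only first {DES_SIGNIFICANT_CHARS} characters hashed")
    print(repr(effective_secret("Living with quinns phone, Ray", "des-crypt")))
```

Entries the audit reports have to be re-hashed with a modern scheme the next time the user sets a password, since the stored hash cannot be converted in place.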