Preventing Brute Force Attacks

Mike Acker Mike_Acker at charter.net
Tue Apr 19 11:35:00 CEST 2011


On 04/19/2011 04:13, gnupg-users-request at gnupg.org wrote:
> GnuPG Users <gnupg-users at gnupg.org>
>

(1) Apply the "Strike 3, you're out" rule. Any password gate should apply
this rule: if the requester does not know the password and submits
repeated bad answers, DISABLE ACCESS. Game over.

(2) Controlling Help Desk Problems

a) Secret questions are NOT a good idea, as these facilitate guessing.
Generally people will not be very good at writing obfuscated questions.

b) A password management package could be a good idea. WE HAVE BEEN ASKING
INDUSTRY FOR THIS FOR YEARS AS "SINGLE PASSWORD". You enter it ONCE:
when you log on.

c) TIMEOUT: a WRONG PASSWORD should CAUSE A DELAY. Wrong password: 1
sec delay before the next try. Think what this does to a brute force
attacker which might need to run thousands of tries per second...

Why is it we are always fussing over theoretical stuff instead of doing
basic stuff that would help us?

-- 
/MIKE
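The two controls above (lock the account after three wrong answers, and delay
each retry after a wrong answer) combined in one online password gate. This is
an added example written for this page, not code from the original post and
not GnuPG's own code; the PasswordGate class, the "alice" account and her
passphrase are constructed for illustration, and the clock is injectable so the
delays can be simulated rather than slept through.

```python
"""Online password gate with per-account strike-out and wrong-answer delay.

Hypothetical illustration, not GnuPG code.  Sample account and credential
below are constructed for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class _Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # clock value before which attempts are refused


class PasswordGate:
    """Verifies passwords, delays after each wrong answer, locks after MAX_STRIKES."""

    MAX_STRIKES = 3        # "strike 3, you're out"
    BASE_DELAY = 1.0       # seconds after the first wrong answer, doubled per strike

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so a demo/test need not really wait
        self._accounts: dict[str, _Account] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow KDF: each guess costs real CPU even if the hash store leaks.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = _Account(salt, self._derive(password, salt))

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad', 'wait' (delay not yet elapsed) or 'locked'."""
        acct = self._accounts.get(user)
        if acct is None:
            # Unknown user: burn the same KDF cost so timing does not reveal existence.
            self._derive(password, b"\x00" * 16)
            return "bad"
        if acct.locked:
            return "locked"
        now = self._clock()
        if now < acct.next_allowed:
            return "wait"              # retry arrived before the delay expired
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            acct.next_allowed = 0.0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_STRIKES:
            acct.locked = True         # only an operator reset (unlock) reopens it
            return "locked"
        # Escalating delay: 1 s, 2 s, ... before the next try is even considered.
        acct.next_allowed = now + self.BASE_DELAY * 2 ** (acct.failures - 1)
        return "bad"

    def unlock(self, user: str) -> None:
        """Operator reset after the user's identity is confirmed out of band."""
        acct = self._accounts[user]
        acct.failures, acct.locked, acct.next_allowed = 0, False, 0.0


class FakeClock:
    """Deterministic clock for the demo: advance() simulates waiting."""
    def __init__(self) -> None:
        self.t = 1000.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Walk one account through three strikes and an operator reset."""
    clock = FakeClock()
    gate = PasswordGate(clock=clock)
    gate.register("alice", "correct horse battery staple")      # constructed credential
    out = [gate.attempt("alice", "guess1")]                      # bad  -> 1 s delay
    out.append(gate.attempt("alice", "guess2"))                  # wait -> delay not elapsed
    clock.advance(1.0)
    out.append(gate.attempt("alice", "guess2"))                  # bad  -> 2 s delay
    clock.advance(2.0)
    out.append(gate.attempt("alice", "guess3"))                  # strike 3 -> locked
    out.append(gate.attempt("alice", "correct horse battery staple"))  # still locked
    gate.unlock("alice")
    out.append(gate.attempt("alice", "correct horse battery staple"))  # ok
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add to the post's advice: a hard lockout lets
anyone who knows a username lock the legitimate user out by sending three bad
guesses, so the unlock path must exist and be cheap to operate; and both the
delay and the lockout only constrain an online guesser who must go through the
gate. They do nothing against an attacker who has copied a passphrase-protected
key file and guesses offline, which is where the slow KDF and a long passphrase
are the only defences.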
