RE: RE: looking for a webapp bruteforce video for non-techies

Date: Tue Jun 03 2008 - 11:38:50 CDT

> -------- Original Message --------
> Subject: RE: looking for a webapp bruteforce video for
> non-techies
> From: "Martin O'Neal" <martin.onealcorsaire.com>
> Date: Tue, June 03, 2008 5:01 pm
> To: "Robin Wood" <dninjagmail.com>, <webappsecsecurityfocus.com>,
> "pen-test" <pen-testsecurityfocus.com>
> > It didn't help that the password was only 5
> > characters!
> That may not actually be such a bad password (on balance and in
> context). Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used). However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

I saw one setup where I could recover three quarters (about four thousand) of one set of passwords on a Celeron 2GHz in under an hour. Another set of passwords was forced to 4 digits (insane, I know), and due to the number of users, each would share his/her password with about 4 other people.

The point here is, you wouldn't necessarily break any per-user lockout limits, because you could take thirty minutes looping over the entire userbase with the same password, then start again and still get a good number of cracks.

So, it definitely depends on the size of your userbase and whether they can be effectively enumerated. Even so, I wouldn't regard any dictionary word with one character tweaked as secure these days.


www.systemstates.net - penetration test / IDS / incident response
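The pattern described in the post above (one password tried across the whole userbase, then a second pass, so no single account ever hits its lockout threshold) is exactly what a per-user lockout counter misses and what a per-source distinct-user counter catches. The following is an added detection example, not code from this thread or from either poster; the auth log format, the source addresses, the user names and the thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log: one source tries a single guess against 40
    accounts, repeats the pass 35 minutes later, while a second source
    hammers one account six times (the case a per-user lockout is for)."""
    lines = []
    t0 = datetime(2008, 6, 3, 11, 0, 0)
    users = [f"user{i:02d}" for i in range(40)]
    for pass_no in range(2):
        for i, u in enumerate(users):
            ts = t0 + timedelta(minutes=35 * pass_no, seconds=i)
            lines.append(f"{ts.isoformat()} src=203.0.113.7 user={u} result=FAIL")
    for i in range(6):
        ts = t0 + timedelta(minutes=5, seconds=10 * i)
        lines.append(f"{ts.isoformat()} src=198.51.100.9 user=user03 result=FAIL")
    return lines


def parse_line(line):
    """Parse '<iso-ts> key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def locked_out_users(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts a classic per-user lockout rule (N failures in a window)
    would lock. The sprayed accounts never reach the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_user[ev["user"]].append(ev["ts"])
    locked = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def spraying_sources(events, min_users=20, window=timedelta(minutes=30)):
    """Sources whose failures touch >= min_users distinct accounts inside
    a sliding window. Returns {src: peak distinct-user count}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        counts = defaultdict(int)  # distinct users currently in the window
        start = 0
        for end in range(len(evs)):
            counts[evs[end][1]] += 1
            while evs[end][0] - evs[start][0] > window:
                old_user = evs[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if len(counts) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


if __name__ == "__main__":
    events = [parse_line(l) for l in build_sample_log()]
    print("per-user lockout would lock:", sorted(locked_out_users(events)))
    print("per-source spray alert:", spraying_sources(events))
```

Run stand-alone, the lockout rule locks only `user03` (the account hit from the second source), while the source that looped over all 40 accounts twice is never caught by it; the per-source rule flags that source with 40 distinct accounts in the window. The window, thresholds and log format are assumptions for the example; tune them to the authentication system and log source actually in use.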
