Brute Force Attack Prevention Mistake 2: Allowing Weak Passwords
Performing a brute force attack is highly dependent on time and resources. Your main goal in developing brute force prevention is to protect your users by increasing the amount of time and resources it takes to brute force one of your user’s passwords. With this being said, one of the largest mistakes is allowing your users to choose weak passwords.
The easiest way to shed light on this topic is for us to step into the shoes of the attacker. We will choose a weak password and perform a brute force attack ourselves. I will be using the following tools:
I will be using a .htpasswd file which uses Traditional DES for a very basic example. The first step is to use the above generator to create the file that we will try to brute force. I chose the below credentials:
Username: John
Password: campus
As you can see, “campus” is a dictionary word and would be considered a weak password. After entering in the above credentials into our .htpasswd generator we will get the following line.
John:CR4qxXM2sfM.Y
We will now open up Notepad, paste in the above line, and save it as “credentials.txt”. Keep in mind that you may get a different result due to the nature of Traditional DES. Before we can continue we need to make sure that the John The Ripper Windows binaries have been extracted and that we know the directory of the executable (john-386.exe). We will also need to extract the Large Dictionary word list (dic-0294.txt) above and make sure that we know its location. Once we have this completed we are ready to install FSCrack and point it to the location of the files. See below:

We are now ready to start the brute force attack. We do not need to check any of the available options so we simply click “Crack” to receive the below results.

The above results show that we were able to brute force the password in less than 1 second. If this was a remote password crack we would expect this attack to take a little longer, however it would still be extremely quick. This is proof that allowing weak passwords is a mistake.
Solution: Implement a password policy that forces your users to choose strong passwords. A strong password will include the following:
- Alphanumeric Characters (containing letters and numbers)
- more than 6 digits, the more the better
- special characters and punctuation
- lowercase and uppercase letters
By implementing a password policy that enforces the above password characteristics, you will increase the amount of time and resources that it takes to brute force one of your users’ passwords. It will turn the brute force time of 1 second into days, months, years, or even thousands of years depending on the password complexity and length. You will then implement brute force prevention to make sure that the attacker doesn’t get the amount of time needed to perform the attack.
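The policy above can be enforced at registration time with a small check, and the effect on brute force time can be estimated from the size of the character set and the length. The following is an added example, not code from the original post: the minimum length of 8, the short dictionary word list, and the assumed guess rate of one billion guesses per second (an offline cracker like the one shown above) are all constructed values for illustration.

```python
from __future__ import annotations

import re
import string

# Assumed policy values: minimum length and a tiny constructed word list.
# A real deployment would load a large dictionary such as the word list used above.
MIN_LENGTH = 8
COMMON_WORDS = {"campus", "password", "letmein", "welcome", "qwerty"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character or punctuation")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII punctuation characters
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate.

    This ignores dictionary attacks, which is why the dictionary check above
    is needed in addition to the complexity rules.
    """
    return charset_size(password) ** len(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("campus", "C@mpus-Life42"):
        print(candidate, check_password(candidate) or "accepted",
              f"{brute_force_seconds(candidate) / (365 * 24 * 3600):.3g} years to exhaust")
```

Running the block shows the weak password from the walkthrough failing five rules and being exhaustible in well under a second, while a 13-character password drawing from all four classes moves the worst case into the hundreds of millions of years at the same guess rate.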
Brute Force Attack Prevention Mistake 1: Too Much Information (TMI)
Before you can begin developing your brute force prevention system you must first make sure that your authentication system isn’t working against you. Many authentication systems give too much information (TMI) when responding to an invalid login attempt. For example, let’s say a user enters the following credentials.
Username: john.doe
Password: bl@hbl@h
Your authentication system searches the user table for a user with a username equal to “john.doe” so that you can retrieve the password hash for comparison. Your system quickly discovers that this username does not exist in the system so you give back a response like “Invalid Username” or “Username Does Not Exist”. This is a good example of giving too much information (TMI). Why would this be TMI?
The goal of brute force is to figure out a valid username and password. This means that one must first have a valid username before making attempts at the password. If your authentication system responds back “Invalid Username” or “User Name Does Not Exist” then the person/script/tool performing the brute force knows to try another username. So then they try another username and receive the same response. They try one more username and then they receive the response “Invalid Password” (TMI once again). The new response tells them that they have successfully found a valid username so they can move on to brute forcing the password. Your authentication system has given the user too much information and now you have helped them potentially brute force one of your users’ credentials.
Solution: Keep it Simple (KIS)! Your authentication system should respond to every invalid login attempt with the same response. Your response should not communicate specifics. The goal of the response is to inform the user that the username and password they provided was not valid and to try again. By using the same response for ALL invalid login attempts, you are telling the user to try again without helping Mr. Malicious brute force your user’s credentials. Some good example responses are below:
- Invalid Username or Password
- Username and Password do not match
- Invalid Credentials. Please try again.
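The two behaviours described above, side by side, as an added example that is not code from the original post. The user table, the salted PBKDF2 hashing and the sample password are constructed for illustration. The hardened version goes one step beyond the text: besides returning the same message for every failure, it performs the same hash computation for an unknown username as for a known one, so that the time taken to respond does not reveal what the message no longer does.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# One of the generic responses recommended above.
GENERIC_FAILURE = "Invalid Username or Password"
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample user table: username -> (salt, password hash)."""
    salt = os.urandom(16)
    return {"john.doe": (salt, hash_password("correct horse battery staple", salt))}


def login_tmi(users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> str:
    """The mistake: the response tells the caller whether the username exists."""
    if username not in users:
        return "Invalid Username"
    salt, stored = users[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Invalid Password"
    return "Login successful"


# Dummy credentials used so that unknown usernames cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def login_uniform(users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> str:
    """The fix: one response for every invalid attempt, and the same hashing work in both cases."""
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if username not in users or not matches:
        return GENERIC_FAILURE
    return "Login successful"


if __name__ == "__main__":
    table = make_user_table()
    for fn in (login_tmi, login_uniform):
        print(fn.__name__)
        print("  unknown user :", fn(table, "nobody", "bl@hbl@h"))
        print("  wrong password:", fn(table, "john.doe", "bl@hbl@h"))
        print("  correct      :", fn(table, "john.doe", "correct horse battery staple"))
```

With `login_tmi`, the two failing attempts produce different messages and the second one confirms that `john.doe` is a valid account; with `login_uniform`, both failures return the same generic text and the caller learns nothing about which half of the credentials was wrong.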
Brute Force Attack Prevention Mistakes
Over the next few weeks I am going to be writing a series on Brute Force Attack Prevention Mistakes. When developing a website that contains sensitive user information, it is absolutely vital that you implement brute force attack prevention to mitigate the risk of a brute force attack on your users’ credentials. Developing brute force attack prevention for your public website may seem like an easy task, however it is very easy to make a development mistake that will drastically decrease the level of protection. In this series I hope to reveal some of these common mistakes. Let’s kick this series off with some reading material for those of you that are not familiar with brute force attacks and other related information.
Inside Defygo: Email Encryption
As some of you know, I developed (with a partner) an Identity Protection suite called Defygo and it is absolutely free to the public. Some of you may be using it, which I hope you are. Some of you probably downloaded it, checked it out, and never used it again. Others are simply wondering what the heck Defygo is and how it can be used.
I am going to use some spare time and a small amount of blog space to introduce you to some of the many features that Defygo has to offer. If you search the net for Defygo you will see that it has been dubbed a mobile password vault. In reality, the password vault is one of about 4 features that Defygo has to offer. Today, I will introduce you to the email encryption feature of Defygo.
Those of you that have ever used public/private key email encryption know that most of the applications, such as PGP, are difficult for the common user to use. Since applications such as this are not easy for the non-tech-savvy crowd, email encryption hasn’t really taken off in the public sector. Defygo combines RSA 1024-bit public/private key encryption with the buddy/pal system that we have all grown to love in instant messaging systems. Once you have added a pal and they have accepted your invitation, you can click on their name, type an email, and send it encrypted to them. You don’t have to manage a key ring of any kind. You simply manage your contact list and Defygo keeps up with all your keys in the background in a way that is completely transparent to the user.
Below is an encrypted message that I created to send to one of my pals. This message can be copied into an email or you can directly send the message using the built-in SMTP support. If you are one of my pals you may want to try decrypting the below message. Who knows? It could be to you... And if it isn’t to you, I wish you luck on breaking the encryption.
Do Southern Baptists Believe in Predestination?
Some of you know that I am an ordained minister of the Southern Baptist Convention. From my recent post you can see that I have expressed my belief in God’s predestination and have grown to accept it as the truth. The question I have asked myself and have pondered is, “Do Southern Baptists Believe in Predestination?” My personal opinion was that some do and some don’t and that it varied from one congregation to the next. This question came up again recently so I have taken some time to do a little research to try to get a better answer. My first step was to find the Southern Baptist website and read their definitions of the faith. I was able to find the Baptist Faith and Message page on the SBC website. Below are a few excerpts:
God’s Purpose of Grace
Election is the gracious purpose of God, according to which He regenerates, justifies, sanctifies, and glorifies sinners. It is consistent with the free agency of man, and comprehends all the means in connection with the end. It is the glorious display of God’s sovereign goodness, and is infinitely wise, holy, and unchangeable. It excludes boasting and promotes humility.
All true believers endure to the end. Those whom God has accepted in Christ, and sanctified by His Spirit, will never fall away from the state of grace, but shall persevere to the end. Believers may fall into sin through neglect and temptation, whereby they grieve the Spirit, impair their graces and comforts, and bring reproach on the cause of Christ and temporal judgments on themselves; yet they shall be kept by the power of God through faith unto salvation.
From the above it seems that Southern Baptists believe in the “Doctrine of the Elect” and the “Eternal Security of the Believer”. They believe that God’s elect are his chosen children that he regenerates (gives them a new heart) according to his purpose and sovereign goodness. At this point it is still not clear and thus I will bring up another reference in the SBC Baptist Faith and Message:
Salvation
Salvation involves the redemption of the whole man, and is offered freely to all who accept Jesus Christ as Lord and Savior, who by His own blood obtained eternal redemption for the believer. In its broadest sense salvation includes regeneration, justification, sanctification, and glorification. There is no salvation apart from personal faith in Jesus Christ as Lord.
A. Regeneration, or the new birth, is a work of God’s grace whereby believers become new creatures in Christ Jesus. It is a change of heart wrought by the Holy Spirit through conviction of sin, to which the sinner responds in repentance toward God and faith in the Lord Jesus Christ. Repentance and faith are inseparable experiences of grace.
Repentance is a genuine turning from sin toward God. Faith is the acceptance of Jesus Christ and commitment of the entire personality to Him as Lord and Savior.
B. Justification is God’s gracious and full acquittal upon principles of His righteousness of all sinners who repent and believe in Christ. Justification brings the believer unto a relationship of peace and favor with God.
C. Sanctification is the experience, beginning in regeneration, by which the believer is set apart to God’s purposes, and is enabled to progress toward moral and spiritual maturity through the presence and power of the Holy Spirit dwelling in him. Growth in grace should continue throughout the regenerate person’s life.
D. Glorification is the culmination of salvation and is the final blessed and abiding state of the redeemed.
From the above I again see no reason to believe that Southern Baptists do not believe in predestination. We see first that “Salvation is offered freely to all who accept Jesus Christ”. Keep in mind that it does not say that “Salvation is offered freely to all men”. Salvation is offered to “all who accept” and those that accept are his “elect”. Secondly, we see that “Regeneration” is the work of “God’s Grace” and that the change of heart (regeneration) is “wrought by the Holy Spirit”. From this I believe that it is saying that “Regeneration” is credited to God and not man.
It seems as though a person who believes what I believe could read the above passages from the Baptist Faith and Message and believe that Southern Baptists include predestination in their doctrine. However, I can see how a person that does not believe in predestination could read it and interpret it differently. After reading the Baptist Faith and Message in its entirety I think the below is an unbiased interpretation in regards to the SBC view of predestination:
The Southern Baptists believe that God’s children are his elect. And those that are his elect he regenerates, justifies, and brings into salvation. His elect are predestined to be his children and he chooses his children based on his foreknowledge of their actions and decisions. His children (ultimately those that choose him), once regenerated, can never lose their salvation.
So the question is, “Do Southern Baptists Believe in Predestination?” I think that Southern Baptists indeed believe in this doctrine, however they believe that God predestines based on his foreknowledge of the actions and decisions of each human. It says under the section “God” in the Baptist Faith and Message that “God is all powerful and all knowing; and His perfect knowledge extends to all things, past, present, and future, including the future decisions of His free creatures.” Ultimately, this is saying that God’s predestination is based on those that in their freedom will make the decision to accept Christ.
So “Yes”, Southern Baptists believe in Predestination and the “elect”, but they do not believe in “Unconditional Election”, which is one of the 5 points associated with Calvinism. Unconditional election states that God’s children were chosen by him before the foundation of the world and it was not based on the merit of man. It was not based on his foreknowledge of their actions or decisions. It was based solely on God’s divine purpose and therefore it is “unconditional”.
So the better question is, “Do Southern Baptists Believe in Calvinism?” It is safe to say that, within the last 100 years, the majority of Southern Baptists have not been Calvinists. We could also determine this since the current Baptist Faith and Message does not support all 5 points of Calvinism. This does not mean that there are not believers in Calvinism in the Southern Baptist Convention. I found an article at the Center for Baptist Studies website and it states, “Most of the men who founded the Southern Baptist Convention in 1845 were Calvinists. However, for the last century the majority of Southern Baptists have not been Calvinists.” It goes on to say that Calvinism is being re-introduced, so to speak, in many Southern Baptist churches. There are many great Baptist teachers that are Calvinists such as John MacArthur Jr. and John Piper. There are campus organizations that are effectively teaching Calvinism such as Campus Outreach and Reformed University Fellowship.
So my final conclusion is that my original theory was right. Some Southern Baptists believe in predestination and some don’t. Some believe in predestination as described in Calvinism and some do not. It is really up to the individual and the congregation. I can rest assured knowing that God’s truth is at work.