<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:gd="http://schemas.google.com/g/2005"><id>tag:blogger.com,1999:blog-6927930273522247223.post2984117925665142792..comments</id><updated>2011-12-04T20:51:25.453-08:00</updated><title type='text'>Comments on TorrentFries: Botbusting</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://torrentfries.blogspot.com/feeds/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html'/><link rel="hub" href="http://pubsubhubbub.appspot.com/"/><author><name>CurlyFries</name><uri>http://www.blogger.com/profile/12360893120629347046</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>7</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-836000263838468423</id><published>2008-10-25T23:05:00.000-07:00</published><updated>2008-10-25T23:05:00.000-07:00</updated><title type='text'></title><content type='html'>This comment has been removed by the author.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/836000263838468423'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/836000263838468423'/><author><name>Robin</name><uri>http://www.blogger.com/profile/15367277279623975538</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name='blogger.contentRemoved' value='true'/><gd:extendedProperty name="blogger.itemClass" value="pid-554744335"/><gd:extendedProperty name="blogger.displayTime" value="October 25, 2008 at 11:05 PM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-4115597829300162505</id><published>2008-10-25T16:53:00.000-07:00</published><updated>2008-10-25T16:53:00.000-07:00</updated><title type='text'>Undoubtedly.</title><content type='html'>Undoubtedly.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/4115597829300162505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/4115597829300162505'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224978780000#c4115597829300162505' title=''/><author><name>OnionRings</name><uri>http://www.blogger.com/profile/17100946140815735171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to 
xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-197916112"/><gd:extendedProperty name="blogger.displayTime" value="October 25, 2008 at 4:53 PM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-5001083584144923110</id><published>2008-10-25T14:31:00.000-07:00</published><updated>2008-10-25T14:31:00.000-07:00</updated><title type='text'>Well that&#39;s all manner of creepy...</title><content type='html'>Well that&#39;s all manner of creepy...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/5001083584144923110'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/5001083584144923110'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224970260000#c5001083584144923110' title=''/><author><name>CurlyFries</name><uri>http://www.blogger.com/profile/12360893120629347046</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-1069388724"/><gd:extendedProperty name="blogger.displayTime" value="October 25, 2008 at 
2:31 PM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-6674781864698294992</id><published>2008-10-25T11:52:00.000-07:00</published><updated>2008-10-25T11:52:00.000-07:00</updated><title type='text'>I think I know who you are finally!</title><content type='html'>I think I know who you are finally!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/6674781864698294992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/6674781864698294992'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224960720000#c6674781864698294992' title=''/><author><name>Robin</name><uri>http://www.blogger.com/profile/15367277279623975538</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-554744335"/><gd:extendedProperty name="blogger.displayTime" value="October 25, 2008 at 11:52 AM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-5516978573511094019</id><published>2008-10-24T16:36:00.000-07:00</published><updated>2008-10-24T16:36:00.000-07:00</updated><title type='text'>I can understand why you might be against perma-ba...</title><content type='html'>I can understand why you might be against perma-bans. 
In fact truly permanent bans are rarely useful, because eventually they will become redundant or ineffective. Generally for perma-bans you should substitute in a time period which is sufficiently long to deter the trolls and sufficiently long to make brute forcing a password infeasible. This might be a day, week, month or year.&lt;BR/&gt;&lt;BR/&gt;I politely disagree with your comments on locking, though. Even an attacker who hits many accounts in an attempt to break in will be effectively stopped by account locking. Unless of course each of your users has the same password, in which case you&#39;ve got a much bigger security problem at hand. If you&#39;re worried about the legitimate user being inconvenienced, you could always send them an automatically generated email with a url containing a unique &#39;unlock code&#39; which they can use.&lt;BR/&gt;&lt;BR/&gt;As for the cookie situation, I think the best solution is to use two cookies. The first one is your session cookie, which for most people will be the default PHPSESSID cookie. For most people the security of this cookie lies in the statistical improbability of picking the same random number as another person in a very large key space. If this isn&#39;t enough for you, you could easily override the default session cookie and cryptographically tie the session id to the username and password (e.g. COOKIE{ sessionid, hash(sessionid, uname, password) } ). The session cookie becomes reasonably secure, because the sessionid changes regularly. The second cookie is your semi-permanent cookie, which may equate to a &#39;Remember Me&#39; checkbox on your login. If a session cookie is not available you can fall back to this cookie. 
However, you should treat authentication through this cookie as a log in attempt and apply the same restrictions and safeguards as your standard login screen.&lt;BR/&gt;&lt;BR/&gt;-Nick</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/5516978573511094019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/5516978573511094019'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224891360000#c5516978573511094019' title=''/><author><name>Nick</name><uri>http://www.blogger.com/profile/17455559703067826720</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-617986608"/><gd:extendedProperty name="blogger.displayTime" value="October 24, 2008 at 4:36 PM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-3357827347545200408</id><published>2008-10-24T03:27:00.000-07:00</published><updated>2008-10-24T03:27:00.000-07:00</updated><title type='text'>I&#39;m not a fan of perma-bans. I use Tor for all my ...</title><content type='html'>I&#39;m not a fan of perma-bans. I use Tor for all my related activity, and I know a number of nodes have been banned due to abuse. 
Understandable, but I sometimes need to change identities multiple times before finding an IP that I can use.&lt;BR/&gt;&lt;BR/&gt;Similarly, I don&#39;t know that locking accounts is helpful. If an attacker is trying to access a particular account, yes, but there&#39;s nothing to prevent them from making attacks on multiple accounts in sequence if they&#39;re simply looking for a way in.&lt;BR/&gt;&lt;BR/&gt;Another possible consideration would be a potential attack via cookies. I don&#39;t know how common this is, but an attacker could conceivably repeatedly send cookies with different passwords/sessions until they find one that the site will accept. Preventing this may be a little more involved.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/3357827347545200408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/3357827347545200408'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224844020000#c3357827347545200408' title=''/><author><name>CurlyFries</name><uri>http://www.blogger.com/profile/12360893120629347046</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-1069388724"/><gd:extendedProperty name="blogger.displayTime" value="October 24, 2008 at 3:27 
AM"/></entry><entry><id>tag:blogger.com,1999:blog-6927930273522247223.post-463204766180763529</id><published>2008-10-23T17:01:00.000-07:00</published><updated>2008-10-23T17:01:00.000-07:00</updated><title type='text'>Just to add to your &#39;multiple login attempts&#39; advi...</title><content type='html'>Just to add to your &#39;multiple login attempts&#39; advice, I&#39;d suggest that you lock those specific accounts temporarily, in addition to an IP ban.&lt;BR/&gt;&lt;BR/&gt;The reason is quite simple: a sophisticated attacker is going to be tied to neither his IP address nor his cookies (as you&#39;ve already pointed out). Therefore, the safest route is generally to temporarily lock out the entire account.&lt;BR/&gt;&lt;BR/&gt;If the legitimate user comes along, they may be locked out, but they will also be alerted to the fact that someone is trying to access their account, and handle it accordingly.&lt;BR/&gt;&lt;BR/&gt;Note that the IP ban is still important, as without it you give an attacker an easy way to lock everyone out of their accounts.&lt;BR/&gt;&lt;BR/&gt;Further to this, you should provide a mechanism through a separate interface that allows you to unlock all accounts. 
You should also be logging all 3-attempt failures, and start perma-banning the IP addresses which appear more than a couple of times.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/463204766180763529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6927930273522247223/2984117925665142792/comments/default/463204766180763529'/><link rel='alternate' type='text/html' href='http://torrentfries.blogspot.com/2008/10/botbusting.html?showComment=1224806460000#c463204766180763529' title=''/><author><name>Nick</name><uri>http://www.blogger.com/profile/17455559703067826720</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://torrentfries.blogspot.com/2008/10/botbusting.html' ref='tag:blogger.com,1999:blog-6927930273522247223.post-2984117925665142792' source='http://www.blogger.com/feeds/6927930273522247223/posts/default/2984117925665142792' type='text/html'/><gd:extendedProperty name="blogger.itemClass" value="pid-617986608"/><gd:extendedProperty name="blogger.displayTime" value="October 23, 2008 at 5:01 PM"/></entry></feed>