5

After the hack of Mat Honan I studied my own laundry list of accounts I have at the numerous web sites I use. There is one fact that stands out:

Many of the websites severely restrict the size and character options of passwords.

Ironically, government and financial websites were the worst offenders. One government site restricted passwords to 6-8 alphanumeric characters. Some financial sites limited the size to 8 characters.

It seems that a try-every-possibility attack could be feasible unless the website implemented some kind of countermeasure. Countermeasures against this type of attack are discussed here and here.

I am left with the following question:

How can I determine whether a website somehow protects against a brute force attack on my password? (assume I can't create an anonymous account)

Google reveals some indication that there exist applications and libraries to mount a probative attack of my own, but I'd rather not risk drawing attention or causing denial of service. It seems like there ought to be a less disruptive way of determining whether a countermeasure is implemented.


Follow on to address early answers:

  1. I'm not asking about protecting a web site I control. I am merely a user of the websites in question.
  2. The financial and government accounts that I have are not easily created. And definitely can't be created anonymously. Attempting to brute-force an account I use (whether anonymous or not) jeopardizes its availability for my use.
alx9r
  • brute force was not how the account was compromised. –  Aug 09 '12 at 17:55
  • I assume you are referring to the Mat Honan reference. Clearly you didn't read my question carefully as I do not imply or state that Mat Honan was the target of a brute force attack. – alx9r Aug 09 '12 at 17:59

3 Answers

4

THC-Hydra is one of the more mature online brute-forcing tools. However, if you are testing brute force susceptibility of a specific application, then just try logging in a number of times; if they don't prompt you with a captcha, then it's vulnerable. If you clear your cookies and the captcha goes away, then it's vulnerable.

rook
  • Aren't there other legitimate and less apparent ways than CAPTCHAs to protect against brute force attacks? – alx9r Aug 09 '12 at 18:06
  • @user115232 well an IP blacklist, but that is much weaker because you can have a list of proxy servers. That also should be tested. – rook Aug 09 '12 at 19:21
4

There are really only two ways to mitigate brute forcing online. You can look for both of them.

  1. Throttle. Does the website time you out after a few tries? Does it take a long time to respond to your requests (deliberately; think incorrect password into SSH)?

    I would be surprised if a website used the throttle of locking you out after a few tries. Assuming an attacker had the entire list of usernames...they could potentially lock out all users.

  2. CAPTCHAs. Are they using a reCAPTCHA or something that is pretty annoying if you have too many tries? If the attacker really wants to.... he can outsource the captcha solving to Africa or somewhere....but that requires high overhead.

  • How apparent is throttling? Should I be able to detect it without tools? – alx9r Aug 09 '12 at 19:41
  • 2
    Try to log in a bunch. Did they lock your account? Does it suddenly take a more noticeable amount of time? You got throttled. It should be very apparent. The same thing happens when you type in an incorrect password to log in to SSH. It hangs for 3 seconds...and then tells you that you were wrong –  Aug 09 '12 at 20:19
  • Thanks @Rello3oT. That pretty well answers my question. I'd like to vote your answer up, but apparently my rep is too low. – alx9r Aug 09 '12 at 20:42
  • No worries. I appreciate being able to help. –  Aug 10 '12 at 17:39
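The throttle this answer describes, and its caveat that locking an account after a few failures lets anyone with a username list lock out every user, can be seen in a server-side policy that delays rather than locks. The following is an added example, not code from the answer or from any site discussed; the parameters (3 free attempts, a doubling delay capped at 30 seconds, a 10-minute window) and the choice to key failures on (username, client IP) are assumptions for illustration.

```python
import time
from collections import defaultdict

# Assumed policy parameters (constructed for this example, not from the post).
FREE_ATTEMPTS = 3      # failures tolerated before any delay is imposed
BASE_DELAY = 1.0       # seconds; doubles with each further failure
MAX_DELAY = 30.0       # cap, so the delay never becomes a permanent lockout
WINDOW = 600           # seconds of inactivity after which the failure count expires


class LoginThrottle:
    """Tracks failed logins and reports the delay a login handler should enforce.

    Failures are keyed on (username, client_ip) rather than username alone, so an
    attacker who holds the full username list and works from one address slows
    only his own attempts, not the legitimate user's, and a single busy address
    (NAT, proxy) cannot lock out everyone behind it.  As rook's comment notes,
    an attacker can rotate proxies, so this slows rather than prevents guessing.
    """

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the policy can be tested offline
        self.failures = defaultdict(lambda: [0, 0.0])  # key -> [count, last_failure]

    @staticmethod
    def _key(username, client_ip):
        return (username.lower(), client_ip)

    def required_delay(self, username, client_ip):
        """Seconds the handler should sleep before checking this credential."""
        count, last = self.failures[self._key(username, client_ip)]
        if count == 0 or self.now() - last > WINDOW:
            return 0.0
        excess = count - FREE_ATTEMPTS
        if excess < 0:
            return 0.0
        return min(BASE_DELAY * (2 ** excess), MAX_DELAY)

    def record(self, username, client_ip, success):
        """Update state after the password check: success clears, failure counts."""
        key = self._key(username, client_ip)
        if success:
            self.failures.pop(key, None)
            return
        count, last = self.failures[key]
        if self.now() - last > WINDOW:
            count = 0  # stale failures no longer count
        self.failures[key] = [count + 1, self.now()]
```

A login handler calls `required_delay`, sleeps for that long, verifies the password, then calls `record`; the growing delay is what the "it suddenly takes a noticeable amount of time" symptom in the answer looks like from the server side.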
-1

Get Tor and set it up, create a new account on the service you want to test (Google, Facebook, whatever, ...), then try to brute force it. Make sure brute forcing is performed through the Tor proxy (just like registration), but make sure you have a new Tor identity (different identity than when you created the account). For throw away email you can use http://mailinator.com .

Matrix