4

I am concerned about how email services like Yahoo, Gmail, Hotmail etc. provide security to their customers and prevent their accounts from being compromised. For example, I have seen that if someone tries a brute force attack on Yahoo, after some attempts the account is blocked for some time. This gives rise to two problems:

  1. The account is anyhow going to be unblocked by the email service. So, can't the brute force attack be continued? Isn't it dangerous for the security of the user?

  2. If the attacking software (say some brute force attacking program) is continuously attacking the email address, then the account is kept blocked and the user has to wait. Does the email service provide any other option if such a problem occurs?

AviD

3 Answers

9

Gmail provides you with an out-of-band channel when logging in from an unrecognized device! You can enable this two-factor authentication feature so that every time you try to log in you have to provide an additional confirmation code that you get either from a phone call or just a text message. Neither Yahoo nor Hotmail has implemented this yet.

5

The "block for some time" policy is a relaxation of an older policy which is "block until manual action from an authorized system administrator". That's what smartcards do, when they get too many wrong PIN codes. Permanent blocking is too harsh in a networked context, because it would allow anybody to block other people's accounts.

"Block for some time" still drastically lowers the rate of brute force attacks: if the system blocks for 10 minutes after 3 wrong passwords, the attacker will be able to try only 432 potential passwords per day -- thus, passwords of relatively low entropy can be tolerated.

If someone has a grudge against you and repeatedly blocks your account, then some other countermeasures are possible, such as blacklisting the IP of your enemy. If the bad guy uses a Distributed Denial of Service attack, with millions of zombie machines hard at work blocking your account, then you are hosed. Sorry. There is no good computer-based defense against that (classical police investigation work and SWAT teams can be efficient, though).

Thomas Pornin
  • Thanks a lot for the answer. I was reading about DDoS attacks after reading your post. Can you please explain what the authentication request is that the computer requests from the user? –  Aug 27 '11 at 17:59
0

Often, simply setting the timer for valid logins to about 3 seconds per login try will reduce any successful chance of brute forcing an email account or any other login service.

psalomonsen
  • Or the other popular one is doubling the timeout on each fail - the time rapidly gets so high that brute force is effectively impossible :-) – Rory Alsop Sep 05 '11 at 13:45
  • Didn't think about that, but yeah.. it will rule out any chance of brute forcing unless using a botnet, but if you do the lockout per account, it will be next to impossible :) – psalomonsen Sep 05 '11 at 14:17
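The three throttling policies discussed on this page (Thomas Pornin's "block for 10 minutes after 3 wrong passwords", psalomonsen's constant 3-second cost per attempt, and Rory Alsop's doubling timeout), simulated against a guesser who submits the next password the moment the server allows it. This is an added example and not code from any of the posters; the 1-second starting delay for the doubling policy is an assumption, since the comment does not give one.

```python
"""Compare how login-throttling policies cap online password guessing.

A policy maps the number of consecutive failures so far to how long the
account is locked after the failure that just happened (0 = no lock).
"""
from typing import Callable

SECONDS_PER_DAY = 86_400

Policy = Callable[[int], float]


def fixed_lockout(max_failures: int = 3, lockout_seconds: float = 600.0) -> Policy:
    """Pornin's example: every max_failures wrong passwords cost a 10-minute lock."""
    def lock_after(failures: int) -> float:
        return lockout_seconds if failures % max_failures == 0 else 0.0
    return lock_after


def constant_delay(seconds: float = 3.0) -> Policy:
    """psalomonsen's suggestion: each login attempt takes about 3 seconds."""
    return lambda failures: seconds


def doubling_delay(base_seconds: float = 1.0) -> Policy:
    """Rory Alsop's suggestion: the wait doubles after every failure.
    The 1-second base is an assumption made for this example."""
    return lambda failures: base_seconds * 2 ** (failures - 1)


def guesses_per_day(policy: Policy, horizon: float = SECONDS_PER_DAY) -> int:
    """Count wrong guesses the server actually evaluates within one day.

    The attacker never guesses right and resubmits as soon as the lock
    expires, so this is the upper bound the policy imposes on one account.
    Note the lock is per account: a third party who keeps guessing also
    keeps the legitimate owner locked out, which is question 2 on this page.
    """
    now = 0.0
    failures = 0
    while now < horizon:
        failures += 1            # the server checks this guess and rejects it
        now += policy(failures)  # then the attacker waits out the lock
    return failures


if __name__ == "__main__":
    for name, policy in [("3 wrong -> 10 min lock", fixed_lockout()),
                         ("3 s per attempt", constant_delay()),
                         ("doubling from 1 s", doubling_delay())]:
        print(f"{name:24s} {guesses_per_day(policy):6d} guesses/day")
```

With the 10-minute lock the figure is the 432 guesses per day quoted in the answer; the doubling policy lets through only 17 in the same day, while a flat 3-second cost still allows 28,800.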