My friend's foolproof brute force prevention technique

๐ŸŽ™๏ธ LinkDude80 ยท 619 points ยท Posted at 15:54:59 on April 3, 2015 ยท (Permalink)


1. We have our password stored in the database. Plaintext makes this easier.
2. Cyberterrorists start their brute force attack with their list of passwords.
3. Once we know the attack is happening, we change our password to the first password that the terrorists guessed.
4. Now the terrorists guess our real password and get it wrong...
   ...now we change our password back to the original password because we know the terrorists won't guess it again!
5. Profit!

ClockVapor · 220 points · Posted at 16:38:33 on April 3, 2015

Why don't we just add a boolean to the login logic to tell if the user is a hacker?

bool Login(string user, string pass, bool isHacker) {
    if (isHacker) return false;

    // plaintext for speed
    return (users[user].pass == pass);
}

IWentToTheWoods · 110 points · Posted at 16:54:44 on April 3, 2015

Just check the IP headers for the evil bit.

BAM5 · 22 points · Posted at 18:27:51 on April 3, 2015

I was so confused, then I saw the publishing date. Fucking brilliant.

ArgonWilde · 9 points · Posted at 14:01:57 on April 4, 2015

and this is why I loathe April Fools Day... Because no one ever clears up the shit it leaves behind on the internet...

edave64 · 40 points · Posted at 21:16:48 on April 3, 2015

The value is taken from an "Are you a hacker" checkbox on the login form.

TheSlimyDog · 9 points · Posted at 23:10:05 on April 3, 2015

Slightly relevant. But how do those "are you a human" checkboxes that I'm seeing in place of CAPTCHA work?

[deleted] · 21 points · Posted at 23:15:33 on April 3, 2015

[deleted]

flexmuzik · 7 points · Posted at 02:40:45 on April 4, 2015

I thought you were bullshitting until I googled this.

Kwyjibo08 · 4 points · Posted at 03:41:12 on April 7, 2015

Including amount of time taken to do the form and mouse movements. There are things that scripts don't do that humans do when filling out forms.

I've used a relatively simple captcha that works. I record the page request time on the server, then compare it to the time they submit the form back. Depending on the length of the form, it should take humans a number of seconds to complete. As long as the bots aren't targeting my site specifically to beat the captcha, this tends to work. Though Google's approach is much more fool proof.
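Added example (editorial, not code from the thread or from Kwyjibo08): a server-side version of the timing check described above. The page request time is recorded on the server under a random token that the form carries as a hidden field, so the client cannot backdate it, and the token is single-use so a bot cannot harvest one and replay it. The threshold values and the `FormTimingGuard` name are assumptions for illustration; a real deployment would also purge expired tokens.

```python
import secrets
import time

# Assumed tuning values for a short form (not from the thread): a human needs
# at least this long to fill it in, and a form older than this is stale.
MIN_FILL_SECONDS = 5.0
MAX_FORM_AGE_SECONDS = 3600.0


class FormTimingGuard:
    """Server-side record of when each form was issued, checked on submission.

    The page request time lives on the server keyed by a random token that is
    embedded in the form as a hidden field, so the client cannot backdate it.
    Tokens are single-use, which also stops a bot from fetching one form,
    waiting out the minimum delay, and replaying the token for every submit.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for deterministic tests
        self._issued = {}              # token -> issue time (seconds)

    def issue_form(self):
        """Called when the form page is rendered; returns the hidden-field token."""
        token = secrets.token_urlsafe(16)
        self._issued[token] = self._clock()
        return token

    def check_submission(self, token):
        """Return (accepted, reason) for a submitted form carrying `token`."""
        issued_at = self._issued.pop(token, None)     # pop: single use
        if issued_at is None:
            return False, "unknown or already used token"
        elapsed = self._clock() - issued_at
        if elapsed > MAX_FORM_AGE_SECONDS:
            return False, "form expired"
        if elapsed < MIN_FILL_SECONDS:
            return False, "submitted too fast for a human"
        return True, "ok"


def demo():
    """Walk through a bot-speed submit, a human-speed submit, and a replay."""
    now = [1_000.0]                    # fake clock, advanced by hand
    guard = FormTimingGuard(clock=lambda: now[0])
    results = {}
    bot_token = guard.issue_form()
    now[0] += 0.3                      # script posts the form 300 ms later
    results["bot"] = guard.check_submission(bot_token)
    human_token = guard.issue_form()
    now[0] += 12.0                     # person takes twelve seconds
    results["human"] = guard.check_submission(human_token)
    results["replay"] = guard.check_submission(human_token)   # same token again
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

As the comment itself notes, this only raises the cost for untargeted bots: one aimed at a specific site just sleeps past the minimum before submitting, which is why the time check is a filter rather than a CAPTCHA replacement.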

[deleted] · 3 points · Posted at 15:55:00 on April 4, 2015

I imagine the idea is that a human's inconsistency is pretty straightforward, but it's really hard to get a bot to act like a human without ever repeating itself for a solid 10,000+ iterations straight (which is what you'd use a bot for)

jfb1337 · 1 point · Posted at 20:11:04 on April 15, 2015

Most robots won't be designed to tick them unless they are specifically targeting one site. Which if it's a small site, they probably won't do.

[deleted] · 22 points · Posted at 16:40:52 on April 3, 2015

This is flawless. So simple, BRB implementing this in my project

[deleted] · 6 points · Posted at 22:17:15 on April 3, 2015

But how will the hacker log into his own account? They have rights too.

edave64 · 9 points · Posted at 09:11:36 on April 4, 2015

We store in the database if a user is a hacker. On login, if the person trying to log in and the stored user are both hackers, the login function always grants access, skipping the password check, because we can assume that they will guess it anyway.

alienangel2 · 3 points · Posted at 22:39:56 on April 3, 2015

It's actually assumed by OP that this flag is available, or derivable from some heuristic anyway, since his algorithm only triggers "once we know the attack is happening."

0hmyscience · 116 points · Posted at 16:59:44 on April 3, 2015

I like it how instead of using "hacker" he used "terrorist".

zyxzevn · 24 points · Posted at 19:13:33 on April 3, 2015

Send the drones!

TheSlimyDog · 12 points · Posted at 23:11:03 on April 3, 2015

The packets are reaching the White House! We need to destroy them as soon as possible. Launch attack now!

Slinkwyde · 5 points · Posted at 05:15:21 on April 4, 2015

Ok. I will launch a tack.

l_u_c_a_r_i_o · 5 points · Posted at 11:13:30 on April 9, 2015

Terrorists win.

[deleted] · 53 points · Posted at 16:20:27 on April 3, 2015

[deleted]

๐ŸŽ™๏ธ LinkDude80 ยท 135 points ยท Posted at 16:22:52 on April 3, 2015 ยท (Permalink)

They're just going to have to be patient. We all need to make room for security.

lechatron · 44 points · Posted at 21:06:15 on April 3, 2015

"I'm sorry, you have to wait your turn to attempt to brute force our servers."

[deleted] · 1 point · Posted at 08:56:04 on April 4, 2015

It's for your own safety!

RenaKunisaki · 17 points · Posted at 05:16:23 on April 4, 2015

"If your password is not working, try a instead."

[deleted] · 37 points · Posted at 17:09:27 on April 3, 2015

Holy shit, your friend might be the smartest human being alive

flarn2006 · 20 points · Posted at 20:17:31 on April 3, 2015

The first password they guessed was A? Better hope Twitch Plays Pokémon didn't set the password.

ahanix1989 · 18 points · Posted at 17:34:34 on April 3, 2015

Why do they have a chalkboard eraser on a whiteboard?

civetservescoffee · 11 points · Posted at 23:14:11 on April 3, 2015

They work on whiteboards too. At least the one I have does.

ahanix1989 · 3 points · Posted at 23:51:18 on April 3, 2015

I hate that style. Terrible memories of it flipping and my fingertips on the chalkboard.... I absolutely hate that feeling

xdevient · 4 points · Posted at 14:46:54 on April 5, 2015

Asking the tough questions in absence of valuable ones...

manghoti · 17 points · Posted at 17:11:17 on April 3, 2015

GAMEchief · 12 points · Posted at 00:01:42 on April 4, 2015

Or just disable logins after X attempts.

RenaKunisaki · 14 points · Posted at 05:18:31 on April 4, 2015

But make it X attempts per IP, and have it still just return "incorrect password" instead of "logins disabled" so they don't catch on.

GAMEchief · 21 points · Posted at 06:32:10 on April 4, 2015

Just always display "incorrect password" regardless of whether or not it's correct.

sketchni · 9 points · Posted at 15:02:35 on April 4, 2015

When I started writing PHP, I was told to always return auth errors as "Incorrect email address or password".

The reason was "If you tell the user which one is correct, it gives an attacker specific advantage of gaining access to an account if they know it exists."

Was also told even if there were usernames being stored to use an email address for login because those are not displayed to the public usually.

RenaKunisaki · 2 points · Posted at 18:32:02 on April 4, 2015

Even when the actual account owner is trying to log in? Well that would make things simpler...

GAMEchief · 3 points · Posted at 19:05:02 on April 4, 2015

Yes, the only way we can really secure the account is to prevent anyone from logging into it.

For_Iconoclasm · 8 points · Posted at 17:10:37 on April 3, 2015

A genius idea, with impeccable penmanship!

recursive · 6 points · Posted at 20:45:53 on April 3, 2015

Maybe your friend should try writing with his other hand. It couldn't hurt.

codythomashunsberger · 22 points · Posted at 16:45:03 on April 3, 2015

I don't know enough about programming to say that this concept is complete garbage

amazing_rando · 53 points · Posted at 17:57:09 on April 3, 2015

Any security that relies on your technique being a secret (security through obscurity) is not actually secure. All other issues aside, if the attacker knows this is the technique being used, they can log into any account in two tries.

antihexe · 32 points · Posted at 20:46:35 on April 3, 2015

That's why you randomize what the password swaps to.

HOW CAN IT FAIL.

[deleted] · 7 points · Posted at 02:04:50 on April 4, 2015

[deleted]

bonafidebob · 10 points · Posted at 05:41:18 on April 4, 2015

The proper term is "optimism."

A pessimistic security engineer presumes they aren't perfect and screwed up the secure system somehow, so tells everyone how it works and offers a reward for breaking it, then fixes any flaws uncovered.

UnholyTeemo · 2 points · Posted at 03:11:02 on April 4, 2015

security.

djdanlib · 10 points · Posted at 16:52:49 on April 3, 2015

That's okay. You don't have to be a programmer to know that.

Jonno_FTW · 3 points · Posted at 12:43:04 on April 4, 2015

It fails on the 2nd brute force attempt.

HoneyVortex · 5 points · Posted at 21:20:12 on April 3, 2015

Terrorists are using dictionary attacks. Those things are heavy.

[deleted] · 5 points · Posted at 01:09:05 on April 4, 2015

Well, it is easier to store the passwords in plain text. It's also easier if they can only be 5 alpha characters, and not case sensitive. The genius is that the cyberterrorists ASSUME the passwords are longer or are l33t.

[deleted] · 8 points · Posted at 02:45:38 on April 4, 2015

[deleted]

0hmyscience · 6 points · Posted at 02:53:50 on April 4, 2015

Better yet, require that all users use the same password, so that you don't have to waste all that hard drive space storing individual passwords for each user.

grizzly_teddy · 11 points · Posted at 17:25:44 on April 3, 2015

Why is this in /r/shittyprogramming? THIS IS BRILLIANT!!

Otroletravaladna · 19 points · Posted at 18:26:21 on April 3, 2015

Brilliant until you can break it by attempting two consecutive times with the same password :)
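Added example (editorial, not code from the thread): a toy model of the OP's scheme that makes the two-tries break pointed out by amazing_rando and Otroletravaladna concrete. The class and function names are invented for the illustration; "attack detection" is reduced to a flag, since the scheme already assumes the server somehow knows the attack is happening.

```python
class SwapOnAttackAccount:
    """Toy model of the thread's scheme, written to show why it fails.

    Once an attack is 'detected', the first wrong guess becomes the stored
    password (step 3). The attacker's next guess, the real one, then misses
    (step 4), after which the real password is restored. Nothing stops the
    attacker from simply sending the same guess twice.
    """

    def __init__(self, real_password):
        self._real = real_password
        self._stored = real_password
        self._under_attack = False
        self._swapped = False

    def detect_attack(self):
        """Stand-in for whatever heuristic decides 'we know the attack is happening'."""
        self._under_attack = True

    def try_login(self, guess):
        if guess == self._stored:
            return True
        if self._under_attack and not self._swapped:
            self._stored = guess          # step 3: adopt the attacker's guess
            self._swapped = True
        elif self._swapped:
            self._stored = self._real     # after step 4: change it back
            self._swapped = False
        return False


def repeat_guess_attack(account, guess):
    """Send one dictionary entry twice; return the try that got in, or None."""
    for attempt in (1, 2):
        if account.try_login(guess):
            return attempt
    return None


def owner_during_attack(account, real_password):
    """Results the legitimate owner sees while the swap is in effect."""
    return [account.try_login(real_password) for _ in range(2)]


if __name__ == "__main__":
    acct = SwapOnAttackAccount("hunter2")
    acct.detect_attack()
    print("attacker in after try:", repeat_guess_attack(acct, "123456"))
    owner = SwapOnAttackAccount("hunter2")
    owner.detect_attack()
    owner.try_login("password")           # attacker's first guess, now the password
    print("owner's own password works:", owner_during_attack(owner, "hunter2"))
```

The second function shows the other cost of the scheme: while the swap is active the account's real owner is locked out by their own correct password, which is the joke behind "If your password is not working, try a instead."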

causalNondeterminism · 8 points · Posted at 17:18:42 on April 3, 2015

actually, if the login function were synchronized and static, this could work. it wouldn't be particularly useful, but it would work.

mort96 · 17 points · Posted at 17:23:35 on April 3, 2015

Issue: you first have to know that someone is brute forcing. If we already know a login attempt is part of a brute force attack, the login attempt can just be stopped, without this password trickery.

RenaKunisaki · 3 points · Posted at 05:17:40 on April 4, 2015

function check_password(blah) {
    if(number_of_login_attempts_from_this_person > 10) return false;
    return actually_check_password(blah);
}
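Added example (editorial, not code from the thread or from RenaKunisaki): a fuller version of the sketch above, combined with the points made earlier in the thread by GAMEchief, RenaKunisaki and sketchni. Failures are counted per source (not per account, so an attacker cannot lock other people out), every failure returns the same "Incorrect email address or password" text, and an unknown email is run through the same password hash as a known one so response time does not reveal which accounts exist. The policy constants, the user table and the `LoginService` name are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy values (not from the thread): failures allowed per source in
# the window, and the window length.
MAX_FAILURES = 10
WINDOW_SECONDS = 900
GENERIC_FAILURE = "Incorrect email address or password"
# Kept low so the demo runs quickly; production tuning is much higher.
PBKDF2_ROUNDS = 50_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user table for the example: email -> (salt, digest).
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# A throwaway credential hashed for every unknown email, so a lookup miss costs
# the same time as a hit and does not reveal which addresses exist.
_DUMMY = hash_password(os.urandom(16).hex())


class LoginService:
    def __init__(self, users, clock=time.time):
        self._users = users
        self._clock = clock                     # injectable for tests
        self._failures = defaultdict(list)      # source -> failure timestamps

    def _recent_failures(self, source):
        """Drop failures older than the window and return how many remain."""
        now = self._clock()
        kept = [t for t in self._failures[source] if now - t < WINDOW_SECONDS]
        self._failures[source] = kept
        return len(kept)

    def login(self, source, email, password):
        """Return (ok, message). Every failure, whatever its cause, is GENERIC_FAILURE."""
        locked = self._recent_failures(source) >= MAX_FAILURES
        known = email in self._users
        salt, digest = self._users[email] if known else _DUMMY
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Hash and compare unconditionally, then apply the gates, so a locked
        # source and an unknown user take the same code path as a wrong password.
        matched = hmac.compare_digest(candidate, digest)
        if not (known and matched and not locked):
            self._failures[source].append(self._clock())
            return False, GENERIC_FAILURE
        return True, "ok"


if __name__ == "__main__":
    svc = LoginService(USERS)
    print(svc.login("198.51.100.7", "alice@example.com", "correct horse battery staple"))
    print(svc.login("198.51.100.7", "alice@example.com", "wrong"))
    print(svc.login("198.51.100.7", "nobody@example.com", "wrong"))
```

`source` is whatever identifies the client, typically the remote address. Keying on address alone is the weak spot: an attacker spreading guesses across many addresses stays under the threshold, which is why production systems pair this with a slow hash, a global rate of failures per account, and a second factor rather than relying on the counter by itself.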

xdevient · 1 point · Posted at 14:48:25 on April 5, 2015

You say there's an issue? I guess you just want the terrorists to win

neonKow · 16 points · Posted at 17:21:33 on April 3, 2015

Only if by "working" you mean "breaking the entire application."

You're basically doing this:

checkPassword(password) {
    return false;
}

chesszz · 21 points · Posted at 17:38:33 on April 3, 2015

Yes, but only if the person logging in is a brute forcing terrorist! It's more like:

if(terrorist && brute_forcing){
    checkPassword(password){
    return false;
    }
}

The terrorist will keep trying ad infinitum, not knowing that you already foiled their plan. Such genius!

neonKow · 22 points · Posted at 17:41:33 on April 3, 2015

So you let in terrorists who are not brute-forcing?

I'm on to you, traitor.

ericanderton · 3 points · Posted at 01:31:55 on April 4, 2015

I get that it's tongue in cheek, but sometimes, hare-brained thought exercises like this yield fruit if you keep factoring it. By the time you implement the throttling logic needed to pull this (ridiculous algorithm) off, you could just, you know, reliably disallow logins from the attacker(s) altogether.

coneillcodes · 2 points · Posted at 23:49:43 on April 7, 2015

Instructions unclear, all ssh keys leaked

SimonWoodburyForget · 1 point · Posted at 22:39:54 on April 3, 2015

The only way this would work is if all your users where to never hack into each others account...

Slinkwyde · 3 points · Posted at 06:51:12 on April 4, 2015

*were

wOlfLisK · 0 points · Posted at 19:31:27 on April 3, 2015

Well... It's a nice idea but there's a ton of issues with it. Like, if you can tell there's a brute force attack happening, why change the password instead of just locking the account for an hour?

RenaKunisaki · 2 points · Posted at 05:19:48 on April 4, 2015

Because that prevents legitimate access to the account and lets anyone easily lock a bunch of accounts. Better to block the person who's doing the login attempts.