Brute Force Protection


ajk

Aug 15, 2010, 1:44:07 AM
to Clipperz
Is there anything in place to prevent (or slow down for that matter) a
brute force attack on Clipperz accounts? Is this really reliable
enough for my Google Apps admin passwords and stuff like that? If
there is protection, please describe it. Also, could brute force be
used as a Denial of Service method by locking the account?

Tim Donovan

Aug 15, 2010, 3:35:06 AM
to adam...@gmail.com, Clipperz
I don't think it does have protection. Use an appropriate password policy for your Clipperz login password.

Regards,


--
You received this message because you are subscribed to the Google Groups "Clipperz" group.
To post to this group, send email to clip...@googlegroups.com.
To unsubscribe from this group, send email to clipperz+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/clipperz?hl=en.


giulio...@gmail.com

Aug 16, 2010, 12:43:29 PM
to adam...@gmail.com, fanb...@gmail.com, Clipperz
Hello,

Clipperz has both offline and online brute force attack protections.

For offline protection, we do not provide any way to spot the relevant
records given a username. So if you want to try to decrypt someone's
data, you need to try to decrypt all Clipperz data. This may not be a
huge protection given the limited number of users we have, but it
would be quite trivial to add fake data to just improve this kind of
protection.

For online protection, we have adopted hashcash as a way to throttle
the number of requests a client can do, simply by raising the cost
required to be paid before being able to submit any request.
At the moment this cost is always fixed (low, but not zero), as we
didn't have enough resources to write the code to dynamically tune it
(based on client requests and overall system load), but it is already
fully integrated into all the communication protocol.

These "protections" also allow us to completely avoid other annoying
anti-DoS systems, like captcha.

Hope this answers some of your concerns.

Regards,

Giulio Cesare

PS: to all forum readers, there are still lots of unanswered threads
pending. We have been very busy, but these messages are still in our
pending queue and we will try to address them as soon as possible.
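The hashcash throttle described in the post above, as an added illustration that is not Clipperz's own code: the server issues a random challenge and a difficulty, the client must find a nonce whose SHA-256 hash has that many leading zero bits before a request is accepted, and the server checks it with a single hash. The `difficulty_for_load` function is a hypothetical sketch of the dynamic tuning the post says was not implemented; the thresholds in it are assumptions.

```python
import hashlib
import secrets

# Added example (not Clipperz's own code): a hashcash-style proof-of-work
# throttle. Each request costs the client CPU time proportional to
# 2**difficulty hash evaluations, which caps the login attempts one machine
# can make per second without needing a captcha or account lockout.


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def new_challenge() -> bytes:
    """Server side: a fresh random challenge per request, so work cannot be reused."""
    return secrets.token_bytes(16)


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: search for a nonce meeting the difficulty (the 'cost' paid)."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce
        nonce += 1


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash to check; rejects nonces outside the 64-bit range."""
    if not 0 <= nonce < 2**64:
        return False
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def difficulty_for_load(requests_per_minute: int, base: int = 12) -> int:
    """Hypothetical dynamic tuning (assumed thresholds): raise the required
    work as a client's request volume grows, clamped at 24 bits."""
    extra = max(0, requests_per_minute - 10) // 10
    return min(base + extra, 24)
```

Raising the difficulty by one bit doubles the client's average cost while the server's verification cost stays at one hash.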

Juan Javier Triff Cabanas

Jan 17, 2019, 3:57:32 PM
to Clipperz
Giulio:

First of all: thanks for the great product and app and concept.

On this matter, I'm concerned, for instance, about what happens if someone gets their hands on my offline copy.
How is brute force prevented there? A scenario could be this one:

1. get hands on offline copy
2. code a brute force attack using some of the browser drivers (very used in testing. I used chrome-driver myself to automate testing in my web apps)
3. open the offline html with the puppet/controlled browser
4. try to brute force the password knowing the user already, perhaps because the attacker knows my email and they match

Is there any chance to survive that? Because I've been typing several wrong passwords and every time the offline copy responds as fast as the first one. No delay or anything.

The online copy is not too slow either. I think that knowing a user's name, brute force could take a while but is not impossible. Though, let me say this straight: I'm not willing to spend time proving this theory :)

Thanks again,

JJ

Asher Baker

Jan 18, 2019, 5:14:36 AM
to Clipperz
Hi JJ,

The offline copy includes a complete copy of your encrypted account data, so there is no need to attack the HTML login form at all in this scenario - so there is no place to implement traditional rate limiting.

The protection in the offline copy comes from the strength of your credentials (both your username and password could be long, high-entropy "passwords" for example) and the difficulty of the encryption in use.

For the latter, there are details on Clipperz' crypto algorithms here: https://clipperz.is/security_privacy/crypto_algorithms/

Best regards,
Asher

~~~~~
"Their heads are green, and their hands are blue,
      And they went to sea in a Sieve." - Edward Lear

giulio...@gmail.com

Jan 18, 2019, 7:34:21 AM
to Asher Baker, Clipperz
Thanks Asher,

The precision of the answers you are providing on this forum is impressive.
I hope I will have a chance to return some of the attention and care you are offering Clipperz users here.

Cheers,

Giulio Cesare

Juan Javier Triff Cabanas

Jan 24, 2019, 10:53:25 AM
to Clipperz
Thanks to both of you.

Regards,

JJ