Protecting against brute force password attacks


Jørn Wildt

unread,
Jan 23, 2013, 7:32:19 AM1/23/13
to api-...@googlegroups.com
I am wondering what others are doing to protect their APIs against brute force password guessing attacks? Both applied to HTTP Basic authentication (username/password) as well as more sophisticated protocols like OAuth1 or OAuth2 JWT (sending hash of username + password + nonce + ...) - not that it should make any difference against password guessing.

The best solution I have found so far is to allow a fixed number of failed attempts per username per timespan - effectively rate limiting the attack per username.

Other?

Thanks, Jørn

Mike Kelly

unread,
Jan 23, 2013, 7:57:05 AM1/23/13
to api-...@googlegroups.com
That strategy will work, but does expose a user to DoS attacks if
their username is known.

Cheers,
M

Jørn Wildt

unread,
Jan 23, 2013, 8:02:11 AM1/23/13
to api-...@googlegroups.com
> That strategy will work, but does expose a user to DoS attacks if
> their username is known.

Yes, that's why I am looking for better solutions ... if any exists.

/Jørn


Mike Kelly

unread,
Jan 23, 2013, 8:54:05 AM1/23/13
to api-...@googlegroups.com
You could introduce a time delay that increases after every failed attempt.

Cheers,
M
--
Mike

http://twitter.com/mikekelly85
http://github.com/mikekelly
http://linkedin.com/in/mikekelly123

Enrique Amodeo

unread,
Jan 23, 2013, 9:09:16 AM1/23/13
to api-...@googlegroups.com
You could use BCRYPT or PBKDF2 as the password hashing algorithm to check the password on the server side. Both can be tuned to be expensive enough to compute to avoid brute force attacks. For example, you can configure these algorithms to require 500ms of CPU time to compute the hash; this way the attacker can only check 2 passwords per second at most.

Of course you should check the "strength" of the password at user creation time.

But all these are implementation details, not part of the API.

Cheers,
Enrique Amodeo

sune jakobsson

unread,
Jan 24, 2013, 1:15:13 AM1/24/13
to Enrique Amodeo, api-...@googlegroups.com
You need to include the source IP address into the equation as well.

Sent from my Windows Phone

Jørn Wildt

unread,
Jan 24, 2013, 2:16:55 AM1/24/13
to api-...@googlegroups.com
On Thu, Jan 24, 2013 at 7:15 AM, sune jakobsson <sune.ja...@gmail.com> wrote:
> You need to include the source IP address into the equation as well.


Hmmm, not sure about that. How?

If you only allow a specific number of failed logins per time frame for each IP address then you open up for a distributed brute force attack where attackers can freely try the same account as many times per second as they have IP numbers available. Or am I missing something here?

/Jørn

sune jakobsson

unread,
Jan 24, 2013, 7:30:39 AM1/24/13
to api-...@googlegroups.com
Unless some elaborate DDoS is in progress, repeated failed logins from
the same IP should increase the retry timer.
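The thread's three ideas (a fixed failure budget per username per timespan, a delay that grows after each failure, and the choice of keying on username or on source IP) can be put together in one small throttle. This is an added example, not code from any of the posters; the class name, method names and the numeric defaults are assumptions:

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class LoginThrottle:
    """Throttle failed logins per key (hypothetical helper, not from the thread).

    Combines two ideas from the discussion: a fixed budget of failures per key
    per window, after which the key is held for the rest of the window, and a
    delay that doubles after every failure before the budget runs out. The key
    is the caller's choice: per username stops distributed guessing but lets
    anyone who knows the username lock it; per source IP avoids that but is
    bypassed by spreading guesses across many addresses.
    """
    max_failures: int = 5          # assumed budget per window
    window: float = 600.0          # seconds
    base_delay: float = 1.0        # first delay; doubles on each failure
    max_delay: float = 300.0       # cap on the growing delay
    clock: Callable[[], float] = time.monotonic   # injectable for tests
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _held_until: Dict[str, float] = field(default_factory=dict)

    def check(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, seconds to wait); call before verifying a password."""
        now = self.clock()
        until = self._held_until.get(key, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, key: str) -> float:
        """Register a failed attempt and return the hold applied to the key."""
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        n = len(recent)
        if n >= self.max_failures:
            hold = self.window   # budget exhausted: hold for a full window
        else:
            hold = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self._held_until[key] = now + hold
        return hold

    def record_success(self, key: str) -> None:
        """A correct password clears the counters for the key."""
        self._failures.pop(key, None)
        self._held_until.pop(key, None)
```

Callers should reject a request that `check` refuses without running the (deliberately slow) password hash at all, so a held key costs the server nothing.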