Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Researchers Propose New Approach to Address Online Password-Guessing Attacks
Newest First  |  Oldest First  |  Threaded View
Eduardo R.
50%
50%
Eduardo R.,
User Rank: Apprentice
4/26/2019 | 1:50:14 AM
Interesting Read
Definitely something to look out for. Thanks for taking the time to write this article. Really learned a lot out of it.

 

-Eduardo R. - Sioux Falls <a href="https://www.siouxfallshomecleaning.com/">House cleaning services</a>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 8:24:11 AM
Re: Breadth vs. Depth
Did not think of that but some sites have about 5 increase time-out periods before locked.  And some are damn hard to get into anyway.  Social Security asked about 5 questions about old loans that I totally forgot about or were sold to different financial carriers.  Bad answers?  Locked for 24 hours.  Not easy to get into.  Let's also get rid of admin/admin accounts for starters and default device passwords - inclusive of printers.  Web hosts by printers is a great way to gain entry and an internal IP address.  There was a Google search string years ago that provided the internal page of Office Jet printers around the world!  With internal IP too.  Oh, that is an open door.  So passwords - make 'em complex and change every 3 months or even 2 better.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:12:08 PM
Re: Breadth vs. Depth
3 might be rather stringent. There are times I can't get it right in 6 tries.

But one bit of advice I heard once was to have gradually increasingly long pauses/periods for each successive attempt. Need 5 tries to get your password right? No big deal. Need 3,000? Then you're obviously a bot and the login will be effectively DDoS'd.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/27/2019 | 1:32:09 PM
Re: Breadth vs. Depth
This may seem really basic  but account lockout periods work too.  3 attempts and the account is locked for, oh 15 or 20 min.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:13:11 PM
Breadth vs. Depth
At the same time, aren't breadth-first attacks more common insofar as attackers seek/prefer low-hanging fruit?

I suppose certain targets are juicier than others, but assuming all things being equal and you don't have a red dot on you, preparing against breadth-first attacks first seems like a good idea, no?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41393
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
CVE-2021-41394
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
CVE-2021-41395
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
CVE-2021-3806
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's &quot;extractArchive&quot; function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CVE-2021-41392
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.