wolfiton

wolfiton

Password hacking - how to prevent?

Hey community,

After reading this https://hackernoon.com/20-hours-18-and-11-million-passwords-cracked-c4513f61fdb1

I thought i should share it with all of you and maybe find a solution to this potential problem.

My questions are:

Can this brute force attack be stopped?

If so how?

What is the best defense to prevent such an attack?

Also can a rate limiter prevent this penetration in the database?

Thanks and hope to hear your points of view on this.

Marked As Solved

danschultzer

danschultzer

Pow Core Team

You can’t prevent such brute force attacks. That means your DB has already been leaked. That’s why it’s recommended to have unique salts on passwords and use something like argon2 that slows down brute force attacks even on specialized hardware, so passwords are very difficult to crack in the worst case scenario of a DB leak.

You’ll remove that responsibility by using a third party with OIDC. I think a better alternative may be WebAuthn that can forego passwords, and prevent phishing. I hope to implement it in Pow at some point.

First rule of security is to never roll your own. The best is to use a maintained and audited open source library to handle auth.

You should follow industry practices, but cracking of password shouldn’t be a big worry. There are plenty of other threats that are much more likely. Phishing is much easier than cracking password. Or DB leak that gets access to personal information can be much more valuable than a password.

Also Liked

dimitarvp

dimitarvp

This may be factually correct but it also centralizes authentication and gives the providers access to literally billions of social graphs.

This is not okay. Providers like Facebook and Google have a very poor track record of reusing such information to relentlessly chase you around with ads.

I like OAuth like everybody else due to it making the lives of users easier but let’s not pretend that centralisation of credentials is an innocent issue, especially when handed to corporations.

In the meantime, a lot of libraries provide pretty okay security: CORS, form tokens, Argon / Bcrypt / Scrypt with hashes, salts and peppers, cookies expiring in 1 hour, etc.

Let’s face the facts: if you use a modern library, you are very reasonably secure unless a state actor or spy agency targets you… In which case you are royally screwed anyhow.

OvermindDL1

OvermindDL1

A bit but not too much, with how sharded out you can do most hash functions, this is why bcrypt/argon2 is so much better.

Only for querying via the server, but that will be so slow even without rate limiting to be near worthless. What will be done is to get a dump of the database, that is why every leak is via one of those.

Seems accurate.

True, this is why original OpenID was so nice (and I strive to support it on a few things I build), that way people host their own authentication on whatever domain they themselves control.

Yet, being honest, these corporations are the most likely ones to get the security right.

Which works fine until they get access to the server anyway, which is the number one reason all those leaks happen. Even with a fully bcrypt/argon2 hashed database (those have built-in unique salts) they can just add their own code to log the HTTP requests for example, passwords and all, and people have a surprising tendency to not notice those things for years.

Secure in that stuff sure, but you’d be surprised at how often those routes aren’t the cause of leaks.

WebAuthn will be a huge help, if implemented well!

This is the Golden Rule of authentication. Everyone gets it wrong, it’s just a matter of who gets it least wrong.

dimitarvp

dimitarvp

That’s unequivocally true. Still, I’d prefer being 85% secure and anonymous (anonymity itself is a pretty powerful shield!) as opposed to 99.9% secure and my personal data harvested and used against me – as is the case with personally-identifiable information since forever.

True. At this point all bets are off, really.

Oh I know. Phishing remains #1 cause of account takeovers, be it normal emails or social profiles or sysadmin root password vaults. Zero-days are #2. I believe @wolfiton is concerned about the wrong thing – brute forces only worked for a few years back in the dial-up modem days with amateur-level authentication gateways. Brute-forcing of passwords hasn’t worked well in decades.

IMO hardening your HTTP listener and sanitising your user input are your best bets when you manage an app server by yourself. That’s one of the value propositions of the clouds: good luck hacking or DDoS-ing CloudFlare!

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

Other popular topics Top

senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 47930 226
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement