#1 (3 Star Lounger, Los Gatos CA)

    Blocking multiple attempts to login

    I have just been reading an article on the BBC Website (http://www.bbc.com/news/technology-37510501) about accounts being hacked. Now this is something that has always puzzled me. As I understand it a bot tries every combination of letters and numbers until bingo, it gets in. Surely a limit could be set to the number of attempts that can be made before triggering a lock down for a period of minutes, hours, or days. I know with my bank, which has a triple layer login, there is a limit of three attempts. After that the only way to access the account is a phone call and an interrogation to establish my identity. So yes that is belt and braces (or suspenders in the US), but even a lockout lasting minutes would thwart a bot.

    Or am I missing something?

    David

#2 (4 Star Lounger, Paducah, Kentucky)
    That technique certainly worked a decade ago, albeit in a relatively small business environment (i.e., only a small number of accounts were allowed to connect from outside the domain).
    Clone or Image often! Backup, backup, backup, backup...
    - - - - -
    Home Built System: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB DDR3 RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek High Definition Audio

#3 (3 Star Lounger, Los Gatos CA)
    Thanks for responding. But surely it doesn't matter who, or how many, are trying to login. Three strikes and you're out, not forever, but a bot can't hang around for an hour and then have another go. Would it be inconvenient? Only once I'd say, after that you'd get it right, maybe even use a password manager. Why everyone doesn't already do that I can't imagine.

    Of course this wouldn't help the morons who think "password" or "qwerty" are brilliant passwords, but there are some as can't be helped.

    David

#4 (4 Star Lounger, Paducah, Kentucky)
    As a matter of curiosity, have you tried to repeatedly access any of your own accounts? That is, have you tried logging in and failing intentionally? Repeatedly?
    You may discover that there are restraints in place of which you are otherwise unaware (depending on what site you're trying to access) .
    Testing is probably the best way to know what security is actually in place.

#5 (3 Star Lounger, Los Gatos CA)
    Quote Originally Posted by RockE:
    As a matter of curiosity, have you tried to repeatedly access any of your own accounts? That is, have you tried logging in and failing intentionally? Repeatedly?
    I have not intentionally entered the wrong login details, but I have done it with a faulty keyboard, the shift key was intermittent. And after the third attempt I was locked out. This was with my Bank of Ireland account. The login is 3 steps; a 6 digit user number; either the last 4 digits of a registered phone number, or date of birth (one or the other at random); and then 3 random numbers of a 6 digit PIN. And there is a time constraint too, take too long and it's over. And if you try and use the Backspace key to go back to the previous page at any time you're dumped out. I asked about this and was told that it could be a "security issue". It did involve a phone call, and they did want to know a whole lot more than "mother's maiden name", however it left me feeling that they take security a lot more seriously than Wells Fargo in the US.

    Or to take a less stringent example I seem to remember being locked out of Windows Secrets once. I believe that was 3 strikes and you're out. It was a long time ago, can't remember the details, but I think I had to send an e-mail to get back in. I'm sure someone will correct me if I'm wrong. So to my simple mind the question remains, why not have a limit on every login, everywhere? Can it really be that difficult?

    David

#6 (New Lounger, Minneapolis, Minnesota, USA)
    Quote Originally Posted by Rhinoceros:
    but a bot can't hang around for an hour and then have another go.
    Bots can hang around forever to outwait any time out. They can also then make attempts from other networks to hide it.

#7 (WS Lounge VIP mrjimphelps, USA)
    It's up to each site to determine what security practices they will employ. At just about every job I have worked at in the last 30 years, you got three attempts to correctly enter your username and password; if you failed three times in a row, you were locked out for a certain amount of time (generally 15 minutes).

    At my last job, an additional restriction was that you could change your password only once in a 24 hour period.

    They can also blacklist suspicious users or devices, even the bot, if they can accurately identify it.

#8 (3 Star Lounger, Los Gatos CA)
    Quote Originally Posted by bill f:
    Bots can hang around forever to out wait any time out. They can also then make attempts from other networks to hide it.
    Even the most patient and persistent bot would run out of time if it could only make 3 attempts per day, 1,000 per year. It would take millions of years to work through a 12 character password, and much longer passwords are practical using a password manager. I suppose the truth is most people don't want hassle, and most businesses see hacking as a tax deductible expense. If your bank account is emptied it doesn't cost the bank a penny, insurance covers the loss. And who pays the insurance, not the bank, it's the customers in higher charges, and the shareholders in lower dividends. I can't help feeling that if the money came out of the CEO's wallet there'd be a rather more proactive approach to hacking.

    David
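The lockout policy the thread keeps returning to (three failures, then a timed lockout, as in posts #1 and #7) and the guess-budget arithmetic from post #8, as an added example. This is not code from any poster; the user store, the sample credentials, the fake clock and the 15-minute window are constructed for it. The counter is keyed on the account name rather than the client address, because, as bill f points out in #6, a bot can simply retry from another network.

```python
"""Account lockout and guess-budget demo (added example, not from the thread).

Policy as described in the thread: MAX_FAILURES wrong passwords in a row lock
the account for LOCKOUT_SECONDS. The counter is keyed on the account name, not
the client address, because a bot can retry from other networks. Passwords are
stored as PBKDF2-HMAC-SHA256 over a per-user salt. The user store, credentials
and clock below are constructed for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3           # three strikes ...
LOCKOUT_SECONDS = 15 * 60  # ... and you're out for 15 minutes (post #7's figure)
PBKDF2_ROUNDS = 50_000     # assumed work factor; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failures since last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    def __init__(self, clock):
        # clock() returns seconds; injected so the lockout window can be
        # exercised without waiting 15 minutes (use time.time in production).
        self.clock = clock
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown names so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # Refuse even a correct password while locked; otherwise a bot
            # would learn the answer from which attempt breaks the lock.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def max_guesses_per_day(max_failures: int, lockout_seconds: int) -> float:
    """Upper bound on online guesses per account per day under this policy."""
    return max_failures * (86_400 / lockout_seconds)


def worst_case_years(charset_size: int, length: int, guesses_per_day: float) -> float:
    """Years to exhaust every password of the given length at that guess rate."""
    return charset_size ** length / (guesses_per_day * 365)


if __name__ == "__main__":
    import time

    svc = LoginService(time.time)
    svc.register("david", "correct horse battery staple")
    print([svc.login("david", "guess") for _ in range(4)])
    print(max_guesses_per_day(MAX_FAILURES, LOCKOUT_SECONDS))  # 288.0
    print(f"{worst_case_years(62, 12, 3):.2e}")               # post #8's 3-per-day budget
```

Two things the numbers show: a 15-minute lockout after three failures allows 288 guesses per account per day, not 3, and even at post #8's 3-per-day figure exhausting 12 characters from a 62-symbol alphabet takes on the order of 10^18 years, so the online search is hopeless for any password that is not already in a short wordlist. The flip side of keying on the account is that anyone who knows a username can lock its owner out for 15 minutes at a time, which is the "inconvenience" posts #1 and #3 weigh against the benefit.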
