• Blocking multiple attempts to login

    #507287

    I have just been reading an article on the BBC Website (http://www.bbc.com/news/technology-37510501) about accounts being hacked. Now this is something that has always puzzled me. As I understand it a bot tries every combination of letters and numbers until bingo, it gets in. Surely a limit could be set on the number of attempts that can be made before triggering a lock down for a period of minutes, hours, or days. I know with my bank, which has a triple layer login, there is a limit of three attempts. After that the only way to access the account is a phone call and an interrogation to establish my identity. So yes that is belt and braces (or suspenders in the US), but even a lockout lasting minutes would thwart a bot.

    Or am I missing something?

    David

    Viewing 3 reply threads
    • #1581701

      That technique certainly worked a decade ago, albeit in a relatively small business environment (i.e., only a small number of accounts were allowed to connect from outside the domain).

      Image or Clone often! Backup, backup, backup, backup......
      - - - - -
      Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

    • #1581704

      Thanks for responding. But surely it doesn’t matter who, or how many, are trying to login. Three strikes and you’re out, not forever, but a bot can’t hang around for an hour and then have another go. Would it be inconvenient? Only once I’d say, after that you’d get it right, maybe even use a password manager. Why everyone doesn’t already do that I can’t imagine.

      Of course this wouldn’t help the morons who think “password” or “qwerty” are brilliant passwords, but there are some as can’t be helped.

      David

      • #1582070

        but a bot can’t hang around for an hour and then have another go.
        David

        Bots can hang around forever to outwait any timeout. They can also then make attempts from other networks to hide it.

        • #1582144

          Bots can hang around forever to outwait any timeout. They can also then make attempts from other networks to hide it.

          Even the most patient and persistent bot would run out of time if it could only make 3 attempts per day, 1,000 per year. It would take millions of years to work through a 12 character password, and much longer passwords are practical using a password manager. I suppose the truth is most people don’t want hassle, and most businesses see hacking as a tax deductible expense. If your bank account is emptied it doesn’t cost the bank a penny, insurance covers the loss. And who pays the insurance, not the bank, it’s the customers in higher charges, and the shareholders in lower dividends. I can’t help feeling that if the money came out of the CEO’s wallet there’d be a rather more proactive approach to hacking.

          David

    • #1581877

      As a matter of curiosity, have you tried to repeatedly access any of your own accounts? That is, have you tried logging in and failing intentionally? Repeatedly?
      You may discover that there are restraints in place of which you are otherwise unaware (depending on what site you’re trying to access).
      Testing is probably the best way to know what security is actually in place.

      Image or Clone often! Backup, backup, backup, backup......
      - - - - -
      Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

      • #1581938

        As a matter of curiosity, have you tried to repeatedly access any of your own accounts? That is, have you tried logging in and failing intentionally? Repeatedly?

        I have not intentionally entered the wrong login details, but I have done it with a faulty keyboard, the shift key was intermittent. And after the third attempt I was locked out. This was with my Bank of Ireland account. The login is 3 steps; a 6 digit user number; either the last 4 digits of a registered phone number, or date of birth (one or the other at random); and then 3 random numbers of a 6 digit PIN. And there is a time constraint too, take too long and it’s over. And if you try and use the Backspace key to go back to the previous page at any time you’re dumped out. I asked about this and was told that it could be a “security issue”. It did involve a phone call, and they did want to know a whole lot more than “mother’s maiden name”, however it left me feeling that they take security a lot more seriously than Wells Fargo in the US.

        Or to take a less stringent example I seem to remember being locked out of Windows Secrets once. I believe that was 3 strikes and you’re out. It was a long time ago, can’t remember the details, but I think I had to send an e-mail to get back in. I’m sure someone will correct me if I’m wrong. So to my simple mind the question remains, why not have a limit on every login, everywhere? Can it really be that difficult?

        David

    • #1582124

      It’s up to each site to determine what security practices they will employ. At just about every job I have worked at in the last 30 years, you got three attempts to correctly enter your username and password; if you failed three times in a row, you were locked out for a certain amount of time (generally 15 minutes).

      At my last job, an additional restriction was that you could change your password only once in a 24 hour period.

      They can also blacklist suspicious users or devices, even the bot, if they can accurately identify it.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
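
The "three strikes, then a 15-minute lockout" policy described in the last reply, and the "3 attempts per day, 1,000 per year" arithmetic from the earlier reply, as an added example that is not part of any post in this thread. The throttle keys its counters on the account name rather than the source address, which is why attempts "from other networks" do not buy the bot extra guesses; the attempt log, the account names and the alphabet size used in the calculation are all constructed for illustration.

```python
"""Per-account failed-login throttle with a fixed lockout window, plus the
arithmetic behind rate-limited guessing. Constructed example; not site code."""
from dataclasses import dataclass

MAX_FAILURES = 3            # "three strikes and you're out"
LOCKOUT_SECONDS = 15 * 60   # the 15-minute lockout mentioned in the thread


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures in the current window
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginThrottle:
    """Counts failures per account, not per source address, so guesses against
    one account all share the same limit no matter where they come from."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.state: dict[str, AccountState] = {}

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injected so the window
        can be simulated without sleeping."""
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            # Reject before the credential is even evaluated: a guess made
            # during the lockout leaks nothing about the password.
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # counter restarts when the window expires
            return "locked"
        return "denied"


def attempts_per_year(max_failures: int, lockout_seconds: float) -> float:
    """Upper bound on guesses against one account per year when each lockout
    window permits at most max_failures wrong guesses."""
    windows_per_year = 365 * 24 * 3600 / lockout_seconds
    return max_failures * windows_per_year


def years_to_exhaust(password_length: int, alphabet_size: int,
                     guesses_per_year: float) -> float:
    """Worst-case years to try every password of the given length."""
    return alphabet_size ** password_length / guesses_per_year


def run_sample() -> list[str]:
    """Constructed attempt log: three wrong guesses, then a correct guess that
    arrives while the account is locked, then a correct guess after expiry."""
    throttle = LoginThrottle()
    events = [
        ("alice", False, 0.0),
        ("alice", False, 1.0),
        ("alice", False, 2.0),
        ("alice", True, 3.0),                  # right password, still locked
        ("alice", True, 3.0 + LOCKOUT_SECONDS),  # window expired
    ]
    return [throttle.attempt(user, ok, now) for user, ok, now in events]


if __name__ == "__main__":
    print(run_sample())
    daily = attempts_per_year(3, 24 * 3600)   # "3 attempts per day"
    print(f"{daily:.0f} guesses/year at 3 per day")
    # 12 characters from a 62-symbol alphabet (constructed assumption)
    print(f"{years_to_exhaust(12, 62, daily):.2e} years to exhaust")
```

The trade-off a practitioner should weigh before deploying this as-is: because the counter is per account, anyone who knows a username can lock its owner out by deliberately failing three times, which is why many sites pair a short per-account lockout with per-source rate limiting and an out-of-band unlock path rather than relying on one mechanism alone.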