600 MEELLION apps open to brute force account guessing

Some of the world's most popular apps permit unlimited brute force password guessing attempts. The 53 exposed Android and Apple apps, collectively downloaded more than 600 million times, include SoundCloud, ESPN, CNN, Expedia, and Walmart. So far, of the 15 apps named, a dozen have failed to fix the server-side flaws after …

  1. edge_e
    FAIL

    from despair to where?

  2. John Smith 19 Gold badge
    FAIL

    Are you f**king kidding me?

    Seriously.

    They can't even deliver the security of a 1970s college computer system?

    Or is this a case of "not to worry" as long as you don't reuse your password?

    Oh, you do reuse your passwords.

    How unfortunate.

  3. Ole Juul

    Login retry limit

    Apparently not fashionable any more.

    1. Anonymous Coward
      Anonymous Coward

      Re: Login retry limit

      So what happens when a site gets too many complaints that the retry limit isn't enough because people really have trouble remembering if it was "correcthorsebatterystaple" or "staplehorsecorrectbattery" or some of the hundreds of combinations we're expected to keep in our heads because Post-Its are bad and we're frequently out of reach of password managers?

      1. Anonymous Coward
        WTF?

        Re: Login retry limit

        Oh please, don't give a crap excuse of "what if they forget"

        FFS you could set it to 20 attempts and still defeat this. Or, I know it's crazy and new, but add a delay? Each time the delay doubling in length.

        It's like the last 30 years of computing never happened.

        1. Charles 9
          FAIL

          Re: Login retry limit

          It didn't. Because of the HUMAN factor. Humans, like other long-lived mammals, simply can't evolve that quickly.

          And yes, "I forgot" happens ALL THE TIME. I can speak of this FIRSTHAND.

  4. Anonymous Coward
    Facepalm

    Criminal negligence, FFS this is lesson one in computer security.

  5. JimmyPage Silver badge
    Facepalm

    Once again

    the lack of *any* RFC standard about web-based identity and password handling is telling.

    You'd think they'd have fixed that before they moved on to video formats?

    1. Alister

      Re: Once again

      the lack of *any* RFC standard about web-based identity and password handling is telling.

      You really think an RFC would make any difference? Why pick on RFC, they don't do standards, they define protocols?

      What's wrong with W3C doing something about it, they set web standards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Once again

        W3C, BSI, ISO ...

        *someone* should define a standard.

  6. Tannin

    AC wrote: "W3C, BSI, ISO ... *someone* should define a standard."

    Oh, there is a standard. You just don't like it.

    (For those who have forgotten, the standard is called "Do whatever the hell you like" and don't waste any valuable time on it 'coz it's not as if users matter, let alone security, next question please". Everyone uses it - well, nearly everyone - but most people have a bit of trouble remembering the acronym, which is DWTHLYD .... DWHYLC .... er ... can I have three guesses?)

  7. MrWibble

    Numbers

    Surely the 600 million apps are not being used constantly to brute force passwords? So a more accurate headline would be that 53 apps are able to be used to brute force.

    But that doesn't have the same "journalistic" impact, I suppose.

    1. Stoneshop
      FAIL

      Re: Numbers

      It's not the app itself that's vulnerable (maybe it is, but that's irrelevant in this case), but the service that it connects to. THAT is available full-time, whether or not any legitimate user has connected.

  8. Anonymous South African Coward Bronze badge

    Why not do like any normal M$ server does and lock the account out for x minutes after y incorrect login attempts? Not sure if *nix offer this kind of feature though...

    Coupled with a script to ban offending IPs for an hour, then two hours, then a day, then a week should keep most accounts safe... or am I talking to a brick wall?

    1. Charles 9
      FAIL

      Yes, that brick wall is your customer who complains because he's locked out of the service he wants so badly but has such a bad memory that he can't recall his password, even with help from mnemonics. And if you tell them to sod off since they're too stupid, they start trash-talking your app with their friends and so on. You can't win, basically. You basically have to be able to accommodate total idiots who can't remember their own name half the time or you get flooded with bad press.

  9. Mahou Saru

    One word...

    fail2ban

  10. Zmodem

    encrypt cookies with a server side back end key, my null nuke is still rocking

    http://www.mediafire.com/download/j5l7ok7ps051c9p/NULL-8X3-NUKE_v2.2.zip

    it only really has 1 worm possible exploit nobody has proved, there is no point in a super admin hacking your own box, with the file system exploits

    https://www.exploit-db.com/exploits/33091/

    1. Zmodem

      just using a php cipher to encrypt cookie data then using base64 so you can store it, stops all sql injections and cookie thieves and a thousand other things, and better than having 2 passwords

      if someone opens a cookie and decodes the base64 string, you have a ciphered string you need a server side key to decipher

  11. OffBeatMammal

    Hopefully Starbucks will be included on this list - and take it more seriously than when I reached out to them about the problem.... http://post.offbeatmammal.com/2015/06/22/security-of-individual-accounts-matters-but-not-to-starbucks/

    1. Anonymous Coward
      Happy

      1 line but nearly got a full house.

      "when I reached out to them about the problem.."

      you should have said:

      "when I reached out to them about the challenge.."
