Is it me?
Or is there a simple solution of allowing 3 - maybe 4 - wrong guesses per hour per account? Or per connection?
A system that aims to identify stolen passwords before breaches are reported or even detected was launched on Tuesday. Shape Security's Blackfish credential defence system is designed to detect the use of stolen usernames and passwords by criminals in real time. The technology is a mechanism for organisations to identify …
Rate limiting per account: the intent is to try each compromised user/password pair once per service/website to see if it sticks, so this wouldn't work. If it sticks (i.e. works), the account can then be sold as valid or, of course, plundered by the crims themselves.
Rate limiting per client: they use botnets to distribute the validation process. Also, it is more common now that an authentication API exists that is designed for machine-to-machine communication; this can legitimately be used in a programmatic manner, so again it is hard to stop.
The problem with a per-connection block is that each login attempt tends to be from a totally different IP due to the number of zombies harnessed to do this work. Setting up a freeze on an account basis tends to lock out the legitimate user.
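To make the point in the two replies above concrete, here is an added example (not from this thread, and nothing to do with Shape Security's product) that simulates both login patterns and runs three detectors over them: the "3 or 4 wrong guesses per hour per account" rule, the same rule keyed on source IP, and an aggregate check that looks at all failed logins in a window at once. All login events are constructed sample data and the thresholds are illustrative assumptions. The per-account and per-IP counters only ever catch the single-account brute force; the one-try-per-account, one-IP-per-try stuffing run never trips either of them, but it is obvious in the aggregate view because hundreds of distinct accounts fail about once each from about as many distinct addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, account, source_ip, succeeded).
# One classic brute-force burst (one account, one IP, many tries) sits next
# to a credential-stuffing run (one try per account, a different IP each time).
BASE = datetime(2017, 11, 21, 12, 0, 0)


def make_events():
    events = []
    for i in range(6):                       # brute force against "alice"
        events.append((BASE + timedelta(seconds=10 * i), "alice", "198.51.100.7", False))
    for i in range(200):                     # stuffing: 200 accounts, 200 IPs, one try each
        events.append((BASE + timedelta(seconds=i), f"user{i:03d}", f"192.0.2.{i}", False))
    events.append((BASE + timedelta(seconds=5), "bob", "198.51.100.9", True))  # legitimate login
    return events


def _window_key(ts, window):
    """Fixed-window bucket index, computed without any time-zone conversion."""
    return int((ts - datetime(1970, 1, 1)).total_seconds() // window.total_seconds())


def per_account_lockouts(events, limit=4, window=timedelta(hours=1)):
    """The 'N wrong guesses per hour per account' rule from the thread."""
    fails = Counter()
    for ts, account, _ip, ok in events:
        if not ok:
            fails[(account, _window_key(ts, window))] += 1
    return {account for (account, _), n in fails.items() if n > limit}


def per_ip_blocks(events, limit=4, window=timedelta(hours=1)):
    """The same rule keyed on source IP ('per connection')."""
    fails = Counter()
    for ts, _account, ip, ok in events:
        if not ok:
            fails[(ip, _window_key(ts, window))] += 1
    return {ip for (ip, _), n in fails.items() if n > limit}


def stuffing_alert(events, window=timedelta(minutes=5), min_accounts=50,
                   max_fails_per_account=1.5, min_ip_ratio=0.8):
    """Aggregate view: many distinct accounts failing about once each, from
    about as many distinct IPs, inside one window. Thresholds are assumptions
    chosen for this sample, not tuned values."""
    buckets = defaultdict(lambda: {"fails": 0, "accounts": set(), "ips": set()})
    for ts, account, ip, ok in events:
        if ok:
            continue
        b = buckets[_window_key(ts, window)]
        b["fails"] += 1
        b["accounts"].add(account)
        b["ips"].add(ip)
    report = {"alert": False, "windows": []}
    for key, b in sorted(buckets.items()):
        n_acc = len(b["accounts"])
        fails_per_account = b["fails"] / n_acc
        ip_ratio = len(b["ips"]) / b["fails"]
        flagged = (n_acc >= min_accounts
                   and fails_per_account <= max_fails_per_account
                   and ip_ratio >= min_ip_ratio)
        report["windows"].append({"window": key, "fails": b["fails"], "accounts": n_acc,
                                  "ips": len(b["ips"]), "flagged": flagged})
        report["alert"] = report["alert"] or flagged
    return report


if __name__ == "__main__":
    ev = make_events()
    print("per-account lockouts:", per_account_lockouts(ev))   # only alice
    print("per-IP blocks:", per_ip_blocks(ev))                  # only the brute-force IP
    print("stuffing alert:", stuffing_alert(ev)["alert"])       # True
```

The aggregate check is deliberately coarse: it answers "is someone walking a list through my login endpoint right now?" rather than "which account should I lock?", which is why it does not produce the false lockouts of the legitimate user that the reply above warns about. A real deployment would feed it from the authentication log instead of a constructed list and would tune the thresholds against normal traffic.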
Plugging passwords into a site to determine how secure they are is not a good idea either IMHO. The IP address of the query can be associated with the request and reverse look-ups can enable a hacker to work out who the user is.
The main problem is that the whole thing works after the fact. Not only that, it also introduces a whole new heap of possible security risks. After all, for this to work a company would have to send them their collected data. Here's hoping that they don't hire a secretary using a Windows 95 machine who gets charged with "sending the zip file over". Yeah, just too bad that the machine suffered from a DNS spoof.
But as said: this works after the fact. So someone registered, their password matched, then what? Asking the user to change their password next time they log on? It's most likely already too late by that time (depending on the kind of service, of course). Or what if this service got it wrong? Then you're basically scaring your potential customers over nothing.
Yet most of all I can't help thinking that this only provides a security ruse. After all, more sensitive data gets transmitted, which opens more room for abuse, and the end result is practically negligible.
The only thing which helps is to get users to stop re-using their passwords. But good luck with that!
"The only thing which helps is to get users to stop re-using their passwords."
There is one thing that businesses could do to help themselves: stop specifying the customer's email address as the user ID. As most people only have one email address, the hacker doesn't have to guess both ID and password.
Biting the hand that feeds IT © 1998–2020