from despair to where?
600 MEELLION apps open to brute force account guessing
Some of the world's most popular apps permit unlimited brute-force password-guessing attempts. The 53 exposed Android and Apple apps, collectively downloaded more than 600 million times, include SoundCloud, ESPN, CNN, Expedia, and Walmart. So far, of the 15 apps named, a dozen have failed to fix the server-side flaws after …
COMMENTS
Friday 17th July 2015 06:33 GMT Anonymous Coward
Re: Login retry limit
So what happens when a site gets too many complaints that the retry limit isn't enough because people really have trouble remembering if it was "correcthorsebatterystaple" or "staplehorsecorrectbattery" or some of the hundreds of combinations we're expected to keep in our heads because Post-Its are bad and we're frequently out of reach of password managers?
Friday 17th July 2015 08:31 GMT Alister
Re: Once again
the lack of *any* RFC standard about web-based identity and password handling is telling.
You really think an RFC would make any difference? Why pick on RFC, they don't do standards, they define protocols?
What's wrong with W3C doing something about it, they set web standards.
Friday 17th July 2015 09:28 GMT Tannin
AC wrote: "W3C, BSI, ISO ... *someone* should define a standard."
Oh, there is a standard. You just don't like it.
(For those who have forgotten, the standard is called "Do whatever the hell you like" and don't waste any valuable time on it 'coz it's not as if users matter, let alone security, next question please". Everyone uses it - well, nearly everyone - but most people have a bit of trouble remembering the acronym, which is DWTHLYD .... DWHYLC .... er ... can I have three guesses?)
Friday 17th July 2015 11:00 GMT Anonymous South African Coward
Why not do like any normal M$ server does and lock the account out for x minutes after y incorrect login attempts? Not sure if *nix offer this kind of feature though...
Coupled with a script to ban offending IPs for an hour, then two hours, then a day, then a week, should keep most accounts safe... or am I talking to a brick wall?
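The lockout-plus-escalating-ban scheme proposed in the comment above, written out as an added example in Python. This is not code from the article or from any commenter; the class and method names, the thresholds (5 account failures, 20 per-IP failures, a 15-minute account lock) and the injectable clock are assumptions made for illustration. It goes slightly beyond the comment in that the per-IP counter is kept across usernames, so a password spray that never trips the per-account limit still escalates.

```python
"""Added example, not code from the article or from any commenter: a login
throttle that combines the two controls suggested in the comment above --
lock an account for x minutes after y consecutive failures, and ban the
source IP for an escalating period (1 h, 2 h, 1 day, 1 week). All names,
thresholds and the injectable clock are assumptions made for illustration."""
import time
from dataclasses import dataclass

ACCOUNT_MAX_FAILURES = 5           # y incorrect attempts on one account ...
ACCOUNT_LOCK_SECONDS = 15 * 60     # ... lock that account for x minutes
IP_MAX_FAILURES = 20               # failures from one IP, across any accounts ...
IP_BAN_SCHEDULE = [3600, 2 * 3600, 86400, 7 * 86400]  # ... then 1 h, 2 h, 1 day, 1 week


@dataclass
class _Counter:
    failures: int = 0           # consecutive failures since the last reset
    blocked_until: float = 0.0  # epoch seconds; 0 means not blocked
    ban_level: int = 0          # index into IP_BAN_SCHEDULE (used for IPs only)


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so the lockout windows can be tested without waiting
        self._accounts = {}
        self._ips = {}

    @staticmethod
    def _get(table, key):
        return table.setdefault(key, _Counter())

    def check(self, username, ip):
        """Call before verifying the password. Returns None when the attempt
        may proceed, otherwise a short reason the caller can log."""
        now = self._clock()
        if self._get(self._ips, ip).blocked_until > now:
            return "ip_banned"
        if self._get(self._accounts, username).blocked_until > now:
            return "account_locked"
        return None

    def record(self, username, ip, success):
        """Call after the password check with its outcome."""
        now = self._clock()
        acct = self._get(self._accounts, username)
        src = self._get(self._ips, ip)
        if success:
            acct.failures = 0   # a correct password clears the account counter only;
            return              # the IP history is kept so a spray across users still escalates
        acct.failures += 1
        if acct.failures >= ACCOUNT_MAX_FAILURES:
            acct.blocked_until = now + ACCOUNT_LOCK_SECONDS
            acct.failures = 0
        src.failures += 1
        if src.failures >= IP_MAX_FAILURES:
            level = min(src.ban_level, len(IP_BAN_SCHEDULE) - 1)  # stays at a week after that
            src.blocked_until = now + IP_BAN_SCHEDULE[level]
            src.ban_level += 1
            src.failures = 0

    def ip_ban_expires_at(self, ip):
        """Epoch time at which the IP ban lifts, or None if no ban is active."""
        until = self._get(self._ips, ip).blocked_until
        return until if until > self._clock() else None
```

A login handler calls `check()` first and answers a lock or ban with the same generic failure message it gives for a wrong password, then calls `record()` with the outcome of the real credential check. The account lock is deliberately short, which is the usual compromise with the usability complaint raised in the reply below: a legitimate user waits minutes, while an attacker cycling guesses from one address hits the escalating IP ban.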
Sunday 19th July 2015 08:36 GMT Charles 9
Yes, that brick wall is your customer who complains because he's locked out of the service he wants so badly but has such a bad memory that he can't recall his password, even with help from mnemonics. And if you tell them to sod off since they're too stupid, they start trash-talking your app with their friends and so on. You can't win, basically. You basically have to be able to accommodate total idiots who can't remember their own name half the time or you get flooded with bad press.
Friday 17th July 2015 13:12 GMT Zmodem
encrypt cookies with a server side back end key, my null nuke is still rocking
http://www.mediafire.com/download/j5l7ok7ps051c9p/NULL-8X3-NUKE_v2.2.zip
it only really has 1 possible worm exploit nobody has proved, there is no point in a super admin hacking your own box, with the file system exploits
https://www.exploit-db.com/exploits/33091/
Saturday 18th July 2015 14:41 GMT Zmodem
just using a php cipher to encrypt cookie data then using base64 so you can store it, stops all sql injections and cookie thieves and a thousand other things, and better than having 2 passwords
if someone opens a cookie and decodes the base64 string, you have a ciphered string you need a server side key to decipher
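A cookie bound to a server-side key, as an added example in Python that is not Zmodem's code and not taken from NULL NUKE. The standard library has no block cipher, so this uses an HMAC-SHA256 tag in place of the PHP cipher he describes: the client can read the base64 payload but cannot alter it or mint one without the key, which is the property a session cookie needs. The key, the in-memory table and its rows are constructed for illustration. Note that the decoded user id is still passed to the database as a bound parameter; the cookie's encoding keeps the value from being tampered with, and the placeholder is what keeps it from being interpreted as SQL.

```python
"""Added example, not Zmodem's code and not taken from NULL NUKE: a cookie
bound to a server-side key using only the Python standard library. There is
no block cipher in the standard library, so HMAC-SHA256 (an authentication
tag) stands in for the cipher described in the comment: the client can read
the base64 payload but cannot alter it or forge one without the key.
The key, table and sample rows below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import os
import sqlite3

SERVER_KEY = os.urandom(32)  # hypothetical; a real server loads this from config/KMS, never from the client
TAG_LEN = hashlib.sha256().digest_size


def seal(payload: dict, key: bytes) -> str:
    """Serialise payload, append its HMAC tag and base64 the result for storage in a cookie."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unseal(cookie: str, key: bytes):
    """Return the payload if the tag verifies under key, else None. The body is
    not parsed until the tag has passed a constant-time comparison."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a subclass: bad padding or length
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def make_demo_db():
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def user_for_cookie(conn, cookie: str, key: bytes):
    """Resolve a session cookie to a user name. The uid is bound as a query
    parameter even though it came out of a verified cookie: the tag stops
    tampering, the placeholder stops the value being read as SQL."""
    session = unseal(cookie, key)
    if session is None:
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (session.get("uid"),)).fetchone()
    return row[0] if row else None
```

Anyone who decodes the base64 sees the JSON body in the clear, so nothing secret should go in the payload; if confidentiality of the contents is also required, the same structure applies with an AEAD such as AES-GCM from a third-party library, with the key still held only on the server.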