Bruteforcing E-mail Addresses


11 replies to this topic

#1 Shrike

Shrike

    Newbie [ Level 2 ]

  • Members
  • 19 posts

Posted 10 July 2006 - 10:35 PM

A Program recently came to my attention in a news article concerning DoS Attacks. This program includes .def (Definition Files) for Bruteforcing common E-Mail Providers such as:

Angelfire
AOL
CNN Webmail
Flashmail
Hotmail
ICQMail
MailCity
MyOwnEmail
Netscape
Net Taxi
PeoplePC
Popcorn
Talkcity
Yahoo

...and more! And Definition Files can be made easily by anyone who is able to view the Source Code of a login page and find the names of the Username and Password variables. All it takes is someone who knows your login name and has time to burn. So keep your E-Mail password long or use a more secure E-Mail provider, and it wouldn't hurt to keep your Account Name a secret too. Knowledge is power, the more you know about the potential problems the better they can be avoided! :unsure:

[Moderator note by pyost: Program name and link removed]

#2 Cruzo

Cruzo

    Newbie [ Level 2 ]

  • Members
  • 13 posts

Posted 18 July 2006 - 06:19 AM

Blocking and preventing brute force attacks is one of the main things you want to do on your web server to add a layer of security. While someone might not be targeting your site or server specifically, they will have automated tools that will try to guess random usernames and passwords that are common against your system. They’re essentially forcing their way to user only authorized areas of a system, such as FTP accounts, e-mail accounts, databases, script based administration areas and root or any shell access are most common attempts. They will try multiple login attempts, guessing usernames and passwords, trying to force their way onto your machine.

#3 Arbitrary

Arbitrary

    Premium Member

  • [HOSTED]
  • 381 posts
  • Location:Adblock life

Posted 19 July 2006 - 12:54 AM

Well, I currently use Gmail, so I guess I'm not on the worry list, yet. I also have a Hotmail account, but I don't use that anymore, so it's basically useless. On the other hand though, keeping passwords long definitely does make a difference. It's also better to have a combination of letters, numbers and symbols and not just something like "thisistheworstdayofmylife". Long, yes, but "ei-2404f-skl3fde" might be a lot harder to guess. At least brute force attacks are easier to avoid than certain other ones. Just keep your guard up. And there's a lot of argument about writing those long passwords down versus not making long passwords at all. Truth is, writing down is definitely a whole lot safer. Sure, some people might see it, but at least that's only the people who have direct access to your house. So it's a lot easier to monitor those people and change your password periodically accordingly. On the other hand, if someone remote manages to get your password...you're, well, stuck. It's a lot more dangerous. And of course, that means changing your password every so often as well.

Also, I remember reading somewhere (can't find the forum) that someone would make formulas for all their passwords so that it's easier to remember. For instance, take the word "tactics" and add my hotel room number of last year's vacation at the end, then shift the first letter forward one, the second letter backward one, so on. Of course, the more complicated the formula the better, but that means that each different account you have will have a different password, and you just need to write down the base word for each account and apply your memorized formula. That way, even if a person had access to your sheet of written passwords, they'd have a hard time figuring out your real password.

Edited by Arbitrary, 19 July 2006 - 12:59 AM.


#4 vhortex

vhortex

    Guilty Until Proven Innocent

  • Members
  • 513 posts

Posted 25 July 2006 - 06:25 PM

password length does not matter if the password security is using hashes..
in the long run.. it may also help since the program will need to generate longer password text..

--
there are a lot of arguments on the password lengths and i have done an experiment..

when i posted my email address and put a challenge to crack the password..
my email with 36 character password got cracked while my other email with 3 letter password remained intact..

perhaps the generators assume that the password will be more than 3 characters long

#5 yeh

yeh

    Advanced Member

  • Members
  • 147 posts

Posted 28 July 2006 - 07:32 AM

...use a more secure E-Mail provider, and it wouldn't hurt to keep your Account Name a secret too.


Yup, I would agree with Shrike. There is actually nothing much that you can do to prevent brute force attack on your password. That responsibility actually lies with the e-mail providers. Choosing difficult and long password is of no use if the e-mail providers do not detect failed logins and ban/stagger the login for some time. I'm lazy to do the math here but it doesn't take too long to brute force a password using our fast and cheap computers.

#6 vhortex

vhortex

    Guilty Until Proven Innocent

  • Members
  • 513 posts

Posted 28 July 2006 - 07:58 AM

easier to brute force stuff here...
Slave Hack

that is a small web-based game created by one of the members..
depicts hacking and brute forcing..

just a game and addicting.. i believe m^e got hooked in it too..

--
as time goes on.. power pc goes cheaper and cheaper..
if you go for clone pc.. prices are way much lower

#7 HellFire121

HellFire121

    Premium Member

  • [HOSTED]
  • 438 posts

Posted 29 July 2006 - 01:51 AM

I don't use web based email simply because it's slow and unreliable.
I prefer setting up my own emails in my astahost hosting account and using them.
Much more simpler and way more secure. Plus with onboard email spam checkers you can configure how you want, overall it's just easier for me.

-HellFire

#8 Quatrux

Quatrux

    the Q

  • [HOSTED]
  • 1,669 posts
  • Gender:Male
  • Location:Lithuania, Vilnius
  • Interests:PHP, MySQL, Oracle, PL/SQL, HTML, CSS, Javascript, jQuery, C# Computers, Alternative OS, Amiga, MorphOS, Beer, Friends, Linux, KDE..
  • myCENTs:30.76

Posted 29 July 2006 - 02:30 AM

I don't use web based email simply because it's slow and unreliable.
I prefer setting up my own emails in my astahost hosting account and using them.
Much more simpler and way more secure. Plus with onboard email spam checkers you can configure how you want, overall it's just easier for me.

-HellFire


I am with you, since the time I have got my first hosting account, I started using my host own created email address, the only web-mail I use is GMail, but in fact, I only use the pop3 service they offer with an email client, besides usually your host has a web-mail in CPanel, like squirrel mail :unsure: But anyway, I totally agree with you, web-mail can only be useful for me when you're somewhere not near your computer :D

#9 abhiram

abhiram

    Hedonist at large

  • Members
  • 610 posts
  • Location:another realm
  • Interests:Computers, Music (both playing and listening)

Posted 03 August 2006 - 05:52 AM

It isn't a good idea to try to bruteforce email sites, especially sites like Yahoo! and Hotmail. These sites get more than their share of people trying to force their way in. Also, I would guess that they've got security measures installed which detect whether a person from a particular IP is trying to force his way through ... like so many number of failed attempts within so much time. Your IP will be logged and the host will notify your ISP, if not report you to the police if you repeatedly attempt to get access.

Also, bruteforcing can take ages. Since most email providers require that you use a password that is at least 6 characters long, allowing alphanumeric and special characters, IMO there's absolutely no good in trying to use a bruteforcer for getting access to an account.

Edited by abhiram, 03 August 2006 - 05:53 AM.
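
Added example, not part of any post in this thread: a minimal sketch of the provider-side control described in posts #5 and #9, counting failed logins per account and per source IP inside a time window and staggering further attempts with a doubling lockout. The class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login limiter (hypothetical name, illustrative thresholds)."""
    def __init__(self, max_failures=5, window=300, base_lockout=60, max_lockout=3600):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.strikes = defaultdict(int)     # key -> lockouts already triggered
        self.locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(account, ip):
        # Track the target account and the source IP separately: one IP trying
        # many accounts and many IPs trying one account are both counted.
        return ("acct", account.lower()), ("ip", ip)

    def retry_after(self, account, ip, now):
        """Seconds to wait before the next attempt is accepted (0 = allowed)."""
        return max(0, *(self.locked_until.get(k, 0) - now for k in self._keys(account, ip)))

    def record_failure(self, account, ip, now):
        for key in self._keys(account, ip):
            q = self.failures[key]
            q.append(now)
            while q[0] <= now - self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                # Stagger instead of banning forever: delay doubles per lockout.
                delay = min(self.base_lockout * 2 ** self.strikes[key], self.max_lockout)
                self.strikes[key] += 1
                self.locked_until[key] = now + delay
                q.clear()

    def record_success(self, account, ip):
        # Reset only the account counter; resetting the IP counter would let a
        # guesser clear it by logging in to an account they already own.
        self.failures.pop(("acct", account.lower()), None)


def demo():
    # Constructed events: three failures for one account from one address.
    t = LoginThrottle(max_failures=3, window=60, base_lockout=30)
    for now in (0, 1, 2):
        t.record_failure("alice", "203.0.113.7", now)
    return (t.retry_after("alice", "203.0.113.7", 3),   # same account and IP
            t.retry_after("alice", "198.51.100.9", 3),  # same account, new IP
            t.retry_after("bob", "203.0.113.7", 3),     # same IP, new account
            t.retry_after("alice", "203.0.113.7", 32))  # first lock expired
```

Timestamps are passed in explicitly so the logic can be exercised without a clock; a real service would pass `time.time()` and keep the counters in shared storage.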


#10 CaptainRon

CaptainRon

    Premium Member

  • Members
  • 238 posts

Posted 05 August 2006 - 09:38 PM

agree with abhiram on this fact. usually bruteforcing is useless... but i wonder how the 36 char long password got cracked... :D ?

anyhow, in this age of distributed attacking, anyone can set up a hacking network that has more than 20 computers and whose sole purpose is to try different ranges of password values. definitely, even a 10 char pass will look like a few hours job.

apart from that, with 90% of people using win XP/98 it's far easier to get into a rival's system. just some social engineering required ;) .

#11 pyost

pyost

    Way Out Of Control - You need a life :)

  • Members
  • 1,090 posts
  • Gender:Male
  • Location:Belgrade, Serbia
  • myCENTs:67.69

Posted 05 August 2006 - 09:49 PM

anyone can set up a hacking network that has more than 20 computers and whose sole purpose is to try different ranges of password values


But he (or she maybe) wouldn't be using a publicly available program if he had 20 computers! Those kinds of people usually create their own bruteforcing programs and have enough knowledge so they don't get caught. If you are not one of them, cracking passwords is a painful job.

I remember when I tried bruteforcing my password which was in the form of md5 hash. This form of encryption is widely spread because the encrypting process cannot be reversed - the only way is to bruteforce it. With my computer (which is let's say middle class) it would take OVER 400 DAYS to crack an 8-character password using letters (both lowercase and uppercase) and numbers. And I bet Google, Yahoo!, MSN and similar web mail services have better ways of protecting the password than 32bit md5 hash :D

#12 abhiram

abhiram

    Hedonist at large

  • Members
  • 610 posts
  • Location:another realm
  • Interests:Computers, Music (both playing and listening)

Posted 06 August 2006 - 03:02 AM

On another note, bruteforcing a password to Windows may be enhanced by using a large number of nodes, but bruteforcing email passwords is capped by the bandwidth and the response time of the website. The only way out would be to have different computers try different sets of combinations on the website simultaneously. So, the power of the computer you are using has no effect on the cracking. It is different from bruteforcing an md5 hashed password protected local file.


