Forum modifications: brute force protection (Page 1 of 3)

^ wise words!

Igor! So what!? You stole my password!!

You guys are idiots, 1234 is way too easy.

You should use a strong one, like 12password34, like I do.

By the way Philip, IP addresses ...  a bit limited. Can I interest you in
http://panopticlick.eff.org/

We can laugh but I actually know someone who uses password. as a password for everything. Apparently the fullstop at the end makes it secure

^ is true.

And then there are other threats such as a typical windows system which has a virus which downloads a payload of trojan+keylogger. This leaves very little a forum Admin can do to protect users from themselves.

As for protecting via IP address, the traditional cracker will only use the same IP two or three times via a compromised connection or proxy. It has been said that for DOS attacks they are now using the datacenters that spam botnets have acquired to issue their own IP addresses.
But then again, the type of lame script-kiddie who attacks forums will not have the skill set of the more experienced cracker, who wouldn't even bother with websites in the first place.

On my forums, it is mandatory for a user to create a secure password (a mix of uppercase and lowercase with at least one number) or they aren't allowed to sign up.

My suggestion is a minimum of 10 letters/numbers with both uppercase and lowercase which contain no words whatsoever. Just random letters and digits. Then you can create 12 passwords like this and rotate them once a month. You get a years worth for free

I know it can be a pain if you need to login to a lot of forums/sites, but then so is having to run antivirus on Windows, having antispam filters and firewalls.

It's the sign of the times. For every security measure, there is some lame-ass [insert expletive] trying to make our everyday computing experience harder each day.

Last year I had to fend off a multi-spam attack on one of my forums which left me with 10 constant login attempts every 2 minutes (at one error message per attempt, imagine a 24 hour period). The spammers had been banned and blocked but the constant login attempts were hitting the databases and filling up the forum with error logs. The IP block didn't work as they were Chinese spambots which had their own datacenter whith a never-ending supply of IP addresses.

In the end I had to add a complete IP range redirect to my htaccess file which redirected them to a US Government antispam site. This is a really messy workaround, and using the htaccess for such problems isn't generally a good idea, I wrote about it HERE. But that is what the web is coming to now. Drastic measures to fend off the attackers.

This includes having to use the password system I stated before.

Last edited by rich (2010-03-30 12:06:26)

Creating pattern based passwords are also effective, change it every month or so simply by moving the pattern up, down, left or right makes it easy enough to remember over a long period of time.

Example:

0oK9iJ8uH7yG

Followed by:

9iJ8uH7yG6tF

For instance...

I'm afraid he sounded too serious...