Homestar Runner Wiki Forum

A companion to the Homestar Runner Wiki
All times are UTC

Post subject: Limit login attempts?
Posted: Sat Apr 21, 2007 5:40 pm
Joined: Mon Apr 18, 2005 5:11 pm
Posts: 2713
I noticed there's no apparent limit to how many times you can try to log in with the wrong password. Thus, someone could crack any user's password by testing every possible combination. Anyway, you could count how many times each IP has tried to log in, and block them from doing so after 3 or more attempts.

However, the H*R Wiki and Wikipedia do not appear to have much defence against brute-force searches either. Is this considered a negligible threat?


Top
 Profile  
 
Post subject: Re: Limit login attempts?
Posted: Sat Apr 21, 2007 6:38 pm
Joined: Mon May 10, 2004 6:05 am
Posts: 5636
Location: swirlee.org for great justice
DukeNuke wrote:
Is this considered a negligible threat?


Uh. Yes. Nobody has any sensitive or valuable personal information in our database, and there's no conceivable motivation for going through that much trouble to hack into someone's account.

_________________
StrongCanada wrote:
Jordan, you are THE SUCK at kissing! YAY! Just thought you should know! Rainbows! Sunshine!


Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 6:50 pm
Joined: Mon Apr 17, 2006 11:50 pm
Posts: 4431
Location: Remember Strawberries, guys?
that, and "every possible combination" means "every possible arrangement of any number of letters and numbers"

Although, for an admin, putting a limit on takes less than 30 seconds. But there isn't really a reason.


Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 7:10 pm
Joined: Fri Dec 17, 2004 9:48 pm
Posts: 2003
Location: Trapped inside a cage. It isn't even locked, but I'm an idiot.
I think the default is five. That's what I have set for the HRWFWF, and I haven't messed with that setting.



Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 9:00 pm
Joined: Sat Apr 01, 2006 6:26 am
Posts: 3828
Location: I've seen this kind of Pikachu before.
Chekt wrote:
that, and "every possible combination" means "every possible arrangement of any number of letters and numbers"

Although, for an admin, putting a limit on takes less than 30 seconds. But there isn't really a reason.


BUT WE KNOW HOW MUCH WORK IT IS TO CLICK BUTTONS AMIRITE


Top
 Profile  
 
Post subject: Re: Limit login attempts?
Posted: Sat Apr 21, 2007 9:30 pm
Joined: Mon Apr 18, 2005 5:11 pm
Posts: 2713
InterruptorJones wrote:
...there's no conceivable motivation for going through that much trouble to hack into someone's account.

Well, except for an opportunity to vandalize and annoy the heck out of people... Besides, it's not any harder than, say, designing a virus that can spread itself or intercepting and decrypting an encrypted email. All you need to know is some programming, how TCP/IP connections work, and how to use http protocols.

Chekt wrote:
that, and "every possible combination" means "every possible arrangement of any number of letters and numbers"

You just test every combination for 1 character, then 2, then 3, etc. I doubt many people have passwords longer than 20 characters or so. Sure, it can still take hours, but it'll find the password eventually.

But except for that, I think the forum is quite safe from attacks. Well, maybe not from denial-of-service attacks (flooding), but that's the server's problem, not the website's.


Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 9:37 pm
Joined: Mon May 10, 2004 5:21 pm
Posts: 15581
Location: Hey! I'm looking for some kind of trangly thing!
Well, here's a thought: what about siblings or acquaintances who might want to hack into a specific person's account just to annoy them? Say, just as an example, if Magna's brother wanted to hack Magna's account to post a bunch of spam, or Ninti's brother wanted to get Ninti banned? Even if they didn't know the password exactly, they could probably make a few decent educated guesses. But if the forum only allowed a few attempts to log in before blocking an account, then it would still act as a deterrent.

On the other hand, such a person might be just as happy seeing the other person blocked from the forum for a few days...



Top
 Profile  
 
Post subject: Re: Limit login attempts?
Posted: Sat Apr 21, 2007 11:00 pm
Joined: Mon Jan 17, 2005 1:00 am
Posts: 3849
Location: Best Coast
InterruptorJones wrote:
and there's no conceivable motivation for going through that much trouble to hack into someone's account.
...unless your target has admin powers :D
But I would assume all the admins have secure enough passwords that would take a long time to crack.



Top
 Profile  
 
Post subject: Re: Limit login attempts?
Posted: Sat Apr 21, 2007 11:13 pm
Joined: Tue May 24, 2005 4:58 pm
Posts: 5045
Location: Imagining all the people living life in peace.
ed 'lim' smilde wrote:
InterruptorJones wrote:
and there's no conceivable motivation for going through that much trouble to hack into someone's account.
...unless your target has admin powers :D
But I would assume all the admins have secure enough passwords that would take a long time to crack.


Actually, JoeyDay's password is ***********


...erm, don't ask how i know that

_________________
So, so you think you can tell Heaven from Hell, blue skies from pain. Can you tell a green field from a cold steel rail? A smile from a veil? Do you think you can tell?


Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 11:17 pm
Joined: Thu Nov 25, 2004 4:11 am
Posts: 18942
Location: Sitting in an English garden, waiting for the sun
All asterisks? GENIUS! Why didn't I think of that?

Thanks a bunch, Einoo! :mrgreen:



Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 11:33 pm
Joined: Tue Apr 04, 2006 7:25 pm
Posts: 1930
Location: Inside of a shirt,underwear,pants,shoes and under a hat
Guys, there are 26 letters in the alphabet, and ten numerical digits. This sets the base for a password to 36. (I don't know what other characters are allowed.)

I don't know what the character limit on passwords is, but it is usually 5-12 on most sites.

There are 60466176 possible combinations for a 5-digit password. There are 2176782336 combinations for a 6-digit password. There are 78364164069 possible combinations for a 7-digit password. 2821109907456 for an 8-digit password. 101559956668416 for 9. 3656158440062976 for 10. 131621703842267136 for 11. 4738381338321616896 for 12.

Now if you added these together, you would get that there are 4,873,763,738,459,317,194 possible combinations for a password.

Now, if it took you 7 seconds to type in each password (This includes typing it in, and clicking submit, loading up the page after getting the incorrect password message) and starting over again, you would spend 34116346169215220358 seconds guessing every password. Assuming that you could be correct on the first or last guess, you would take the average, which is 17058173084607610179 seconds. This is an average of 197432558849625.12 days. This is 540911120136 years.

Would you spend an average of 540911120136 years to guess a password? It's like typing in 111-1111, 111-1112, etc to get someone's phone number, only much harder.



Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 11:45 pm
Joined: Thu Nov 25, 2004 4:11 am
Posts: 18942
Location: Sitting in an English garden, waiting for the sun
There are those auto-password-generator dealies.



Top
 Profile  
 
 Post subject:
Posted: Sat Apr 21, 2007 11:48 pm
Joined: Tue Apr 04, 2006 7:25 pm
Posts: 1930
Location: Inside of a shirt,underwear,pants,shoes and under a hat
It's way easier to use XSS or social engineering to get someone's password.



Top
 Profile  
 
 Post subject:
Posted: Sun Apr 22, 2007 12:15 am
Joined: Wed Jul 06, 2005 1:01 am
Posts: 6245
Didymus wrote:
On the other hand, such a person might be just as happy seeing the other person blocked from the forum for a few days...


I don't think we're talking about days, more like minutes. (It doesn't even need to be that long, 6 or so would do fine).

And we're talking about programs that will guess the password. They'll have the password typed in almost instantly, and they don't even need to wait for the "Incorrect password" page to load - once they see it's loading, they'll go back and try again. It would take a while, but it's possible.

5 tries and then 5 minutes is all you'd need. It's not like it's that big of a threat, though - I've actually never heard of a force hack like this ever working. However, I think it could. (And you should take into consideration that most sites have a limit (explaining why I've never personally heard it happen), and this was the reason the limit was originally introduced)


Top
 Profile  
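The limit discussed in this thread (count failed logins per IP, "5 tries and then 5 minutes", and the caveat that blocking the account lets someone else lock its owner out), as an added example that is not part of the forum posts or of phpBB. The class name `LoginThrottle`, the `lock_accounts` switch, the account `alice` and the documentation-range addresses are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Refuse logins for a key once it has max_failures failures inside window seconds."""

    def __init__(self, max_failures=5, window=300, lock_accounts=False, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lock_accounts = lock_accounts   # True: also count failures per username
        self.clock = clock                   # injectable so the demo can fake time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _blocked(self, key):
        q = self._failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:          # forget failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def attempt(self, ip, username, check_password):
        """Return 'blocked', 'ok' or 'denied'; check_password runs only if not blocked."""
        keys = [("ip", ip)]
        if self.lock_accounts:
            keys.append(("user", username.lower()))
        if any(self._blocked(k) for k in keys):
            return "blocked"                 # a correct password is refused too
        if check_password():
            return "ok"                      # success does not reset the counters
        now = self.clock()
        for k in keys:
            self._failures[k].append(now)
        return "denied"

def demo():
    now = [0.0]                              # fake clock, in seconds
    users = {"alice": "correct horse"}       # constructed; real code checks a hash
    results = {}
    for lock_accounts in (False, True):
        now[0] = 0.0
        t = LoginThrottle(lock_accounts=lock_accounts, clock=lambda: now[0])
        def login(ip, user, pw):
            return t.attempt(ip, user, lambda: users.get(user) == pw)
        guesses = [login("203.0.113.7", "alice", f"guess{i}") for i in range(6)]
        owner = login("198.51.100.9", "alice", "correct horse")  # other address
        now[0] = 301.0                       # the 5-minute window has passed
        later = login("203.0.113.7", "alice", "guess6")
        results[lock_accounts] = (guesses, owner, later)
    return results
```

With `lock_accounts=True` the owner's correct login from another address is refused until the window expires, which is the lockout described earlier in the thread; per-IP counting alone avoids that but does not slow guesses spread across many addresses.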
 
 Post subject:
Posted: Sun Apr 22, 2007 12:22 am
Joined: Tue Apr 04, 2006 7:25 pm
Posts: 1930
Location: Inside of a shirt,underwear,pants,shoes and under a hat
Ju Ju Master wrote:
Didymus wrote:
On the other hand, such a person might be just as happy seeing the other person blocked from the forum for a few days...


I don't think we're talking about days, more like minutes. (It doesn't even need to be that long, 6 or so would do fine).

And we're talking about programs that will guess the password. They'll have the password typed in almost instantly, and they don't even need to wait for the "Incorrect password" page to load - once they see it's loading, they'll go back and try again. It would take a while, but it's possible.
They do have delays though, so they don't crash the server. Like I said, social engineering is the best method.

BTW: I've been away from the forum for a while because:
Image

So yeah, it's been there the whole time. They just don't make a big deal about it like vBulletin forums do.



Top
 Profile  
 
Post subject: Re: Limit login attempts?
Posted: Sun Apr 22, 2007 2:28 am
Joined: Mon Jan 17, 2005 1:00 am
Posts: 3849
Location: Best Coast
Einoo T. Spork wrote:
ed 'lim' smilde wrote:
InterruptorJones wrote:
and there's no conceivable motivation for going through that much trouble to hack into someone's account.
...unless your target has admin powers :D
But I would assume all the admins have secure enough passwords that would take a long time to crack.


Actually, JoeyDay's password is ***********


...erm, don't ask how i know that
Ummm...
that's mine too



Top
 Profile  
 
 Post subject:
Posted: Mon Apr 23, 2007 5:26 am
Joined: Sun May 07, 2006 11:28 pm
Posts: 31
Location: Check the Frappr map
This whole discussion reminds me of the time I was trying to give my password to the Nickname server or whatever on IRC and mistyped the command, letting the whole world see my password. Of course I promptly changed it, but since I use the same password there and at the wiki (I'm hardly ever on IRC, so I figure it doesn't really matter) there was a good two minutes where someone could possibly have edited as me.

_________________
"ACupOfCoffee" was already taken.


Top
 Profile  
 