What if someone threatens to use (brute force auto hacker)

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
SPIIRE
I've Been Banned!
Posts: 97
Joined: Thu Jan 18, 2007 12:34 am

Post by SPIIRE » Thu Jan 18, 2007 12:45 am

And they threaten to hack my admin acc with it?

*and I know it works, all the time*


How can I stop this??

starware
Registered User
Posts: 309
Joined: Thu May 18, 2006 2:41 am

Post by starware » Thu Jan 18, 2007 12:47 am

IP ban the user..
Pardon my bad english, I'm american. :P

SPIIRE
I've Been Banned!
Posts: 97
Joined: Thu Jan 18, 2007 12:34 am

Post by SPIIRE » Thu Jan 18, 2007 12:49 am

Yes, but he can still use *brute force hacker* to hack the acc, can he not?

starware
Registered User
Posts: 309
Joined: Thu May 18, 2006 2:41 am

Post by starware » Thu Jan 18, 2007 12:51 am

I have no idea what "brute force hacker" is.

However an IP ban of whatever is accessing your forum should prevent a hack.
Pardon my bad english, I'm american. :P

Socialoutcast
Registered User
Posts: 61
Joined: Fri Oct 20, 2006 2:43 am
Location: Scotland

Post by Socialoutcast » Thu Jan 18, 2007 12:54 am

Banning the IP will not prevent the hack as any hacker with half a brain cell will use a proxy :roll:

starware
Registered User
Posts: 309
Joined: Thu May 18, 2006 2:41 am

Post by starware » Thu Jan 18, 2007 1:01 am

ok.. So the real question is.

"If brute force works then why doesn't phpBB make a patch against it?"
Pardon my bad english, I'm american. :P

SPIIRE
I've Been Banned!
Posts: 97
Joined: Thu Jan 18, 2007 12:34 am

Post by SPIIRE » Thu Jan 18, 2007 1:06 am

Brute force does work, it searches 10s of thousands of possible words for passes at once, then when it hits the right word that fits your pass, it checks it off, and sends it to him...it's very annoying!

I really hope they make a patch.. :twisted:

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Post by Phil » Thu Jan 18, 2007 1:10 am

Don't worry about it. It's been a feature (since phpBB 2.0.18 or so) in phpBB -- if a password for an account is mistyped more than (amount specified in admin panel, default is 5) times, then nobody can log in as that user for (amount specified in admin panel, default is 15) minutes after the most recent login attempt.
Moving on, with the wind. | My Corner of the Web

Noxwizard
Support Team Leader
Posts: 10348
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Post by Noxwizard » Thu Jan 18, 2007 1:12 am

In order for them to brute force your passwords, they would have to have access to your database or at least a copy of it. If they have that kind of access, you've got bigger problems to worry about.

On a side note, brute forcing only works on fairly simple passwords.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Post by cybrid23 » Thu Jan 18, 2007 1:14 am

SPIIRE wrote: Brute force does work, it searches 10s of thousands of possible words for passes at once, then when it hits the right word that fits your pass, it checks it off, and sends it to him...it's very annoying!

I really hope they make a patch.. :twisted:


Then don't use words. Use random chars.... :roll:

And if it was a real problem, this support board would be full of complaints about it, ya think?
---Never leave home without a towel and your peril sensitive sunglasses.
---Do Not PM Me For Support. It will go unanswered.
Thanks.

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Post by Phil » Thu Jan 18, 2007 1:14 am

Noxwizard wrote: In order for them to brute force your passwords, they would have to have access to your database or at least a copy of it. If they have that kind of access, you've got bigger problems to worry about.

Not necessarily, it depends on how they were doing the attack. Some attempt to find the hash, others just use a script that keeps trying passwords.

Noxwizard wrote: On a side note, brute forcing only works on fairly simple passwords.

Depends on how they were going about the attack :)
Moving on, with the wind. | My Corner of the Web

SPIIRE
I've Been Banned!
Posts: 97
Joined: Thu Jan 18, 2007 12:34 am

Post by SPIIRE » Thu Jan 18, 2007 1:15 am

Would changing my pass to a bunch of random numbers stop brute force then?

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Post by Phil » Thu Jan 18, 2007 1:18 am

It's not even a threat in the first place. Summary of the thread right now:
1) Brute forcing can't happen unless they've got a copy of your db. As stated, then you have bigger problems
2) They don't have a copy of your db
3) A few techno-nerds are arguing over brute-forcing techniques and prevention :twisted:
Moving on, with the wind. | My Corner of the Web

starware
Registered User
Posts: 309
Joined: Thu May 18, 2006 2:41 am

Post by starware » Thu Jan 18, 2007 1:28 am

If brute force is just a computer program that randomly guesses passwords then it should take a very long time to crack since 5/15=3

One combo each 3 minutes is 1 x 20 = 20/hour x 24 = 480/day

It'd take a week or more to figure out if you have a long enough password.
Also random characters and such? Especially if you change it every once in a while. I don't see a security threat.

Besides, even if a program could determine your password (without having part of your database), there's always the ability to reset your password after a hacking, and then undo the damage. Then it'd take another week or two at least to figure out the new password.
I also think there's a mod that'll prevent proxies though I haven't used it.
Pardon my bad english, I'm american. :P
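
A model of the lockout Phil describes and of the guess rate starware works out above, added here as an example; it is not phpBB's code and not part of any post. The class and function names are hypothetical, and it assumes the lock engages once failures reach the limit and that refused attempts do not extend the lockout.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5           # default failed-login limit quoted in the thread
LOCKOUT_SECONDS = 15 * 60  # default lockout window quoted in the thread

@dataclass
class Account:
    secret: str                          # constructed; a real board stores a hash
    failures: int = 0
    last_failure: Optional[float] = None

class LoginThrottle:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.max_attempts, self.lockout = max_attempts, lockout

    def attempt(self, acct: Account, supplied: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        # The window has passed since the last failure: start counting afresh.
        if acct.last_failure is not None and now - acct.last_failure >= self.lockout:
            acct.failures, acct.last_failure = 0, None
        # Locked: refuse without checking, so even the right password fails.
        # Assumption: refused attempts do not extend the lockout.
        if acct.failures >= self.max_attempts:
            return "locked"
        if hmac.compare_digest(supplied.encode(), acct.secret.encode()):
            acct.failures, acct.last_failure = 0, None
            return "ok"
        acct.failures += 1
        acct.last_failure = now
        return "bad_password"

def guesses_checked(throttle: LoginThrottle, seconds: int, interval: int = 1) -> int:
    """Count how many wrong guesses are actually evaluated when a script
    submits one guess every `interval` seconds for `seconds` seconds."""
    acct = Account(secret="constructed-sample-secret")
    checked = 0
    for now in range(0, seconds, interval):
        if throttle.attempt(acct, "wrong-guess", now) == "bad_password":
            checked += 1
    return checked

def days_to_exhaust(candidates: int, checked_per_day: int) -> float:
    """Worst-case days to try every candidate at the throttled rate."""
    return candidates / checked_per_day

if __name__ == "__main__":
    per_day = guesses_checked(LoginThrottle(), 24 * 3600)
    print(per_day, "guesses/day;", round(days_to_exhaust(10_000, per_day), 1),
          "days for a 10,000-word list;",
          f"{days_to_exhaust(36 ** 8, per_day):.2e} days for 8 random [a-z0-9]")
```

The side effect visible in the model is that the account owner is refused as well while the lock is active, so a script that keeps failing can keep the real user out.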

qdeped
Registered User
Posts: 605
Joined: Wed Oct 16, 2002 6:54 am

Post by qdeped » Thu Jan 18, 2007 2:18 am

How the faq would a program guess a password?

The probability would be less than hitting 20 vegas jackpots in a row

PLz get real PPL!!
awaiting investigation
