Anti Brute-Force

Suggestions will be moved here once processed.

Moderator: Oversight Staff

LTDNorb
Forest Walker
Posts: 157
Joined: Sat Jul 16, 2016 9:29 pm
Has thanked: 6 times
Been thanked: 13 times

Anti Brute-Force

Postby LTDNorb » Sat Mar 04, 2017 5:01 pm

Quote from the announcement:
At 3 pm, I was notified of the breach. Being rather surprised by the situation and trying to figure out what happened, things didn't look good. Half an hour later, I contacted uakf.b informing him about the breach and we have taken measures to counter the "hack" (which, in fact, was just a mere brute-force of a forum user's password; how exactly he got the user's password is unknown to us though).


I don't quite understand the red-highlighted part in combination with the blue-highlighted part, as it explains how the password was stolen.

As a general suggestion, I wanted to bring up to disable an account after 3-5 consecutive failed attempts. E-Mail with unlock-link would be generated, to ensure that the person with the right E-Mail can unlock the account. Maybe even send an E-Mail for each failed attempt, in case someone tries to 'hack' it bit by bit.

Edit: Or maybe just for Staff Members if the rest could cause too much hassle/confusion?

User avatar
aRt)Y
Protector of Nature
Posts: 13142
Joined: Fri May 03, 2013 9:15 pm
Has thanked: 10 times
Been thanked: 174 times
Contact:

Re: Anti Brute-Force

Postby aRt)Y » Sat Mar 04, 2017 5:51 pm

@LTDNorb phpbb blocks login attempts after 3 or 5 times by default and temp. bans the IP. Therefore, casually brute-forcing it is not possible. However, an attacker could use proxies any time and circumvent this. (Unless phpbb blocks the logins for the account itself rather than IP, then never mind).

Anyhow, the staff member has been informed to change his passwords (as it might have been stolen on other sites ("phishing")).

We already considered two factor auth. but given ENT does no longer implement technical things, we did not proceed. The staff dept's accounts have been changed to be non-delete-able/non-alter-able. Plus, staff members will no longer have ACP access.

We might re-consider the forum extension though.
    Information, Rules, Guides and everything else you need to know about ENT is on the ENT Wiki.
      Ignorantia juris non excusat • Quis custodiet ipsos custodes? • Fallacy of composition


Return to “Suggestion Archive”

Who is online

Users browsing this forum: No registered users and 17 guests