Securing web logins against dictionary attacks
It's good to learn from your mistakes; it's even better to learn from other people's. So, when Twitter got hacked by a simple dictionary attack, we thought it a good time to review our password security model. Compsoft Senior Developer Tim Jeanes explains.
Storing passwords securely in a web-based solution is all well and good, but it doesn't help if your users choose passwords that are easily guessable, as Twitter found to their embarrassment. The key feature they had failed to implement (and that we realised we would immediately have to add to our own arsenal) was a limit on the number of password attempts.
We needed a solution that is entirely invisible to as many genuine users as possible, but that makes a dictionary attack like the one Twitter experienced infeasible in any reasonable amount of time. Also, should we start to suspect that a legitimate user might be a hacker, they mustn't feel that we've just slammed the door in their face.
The solution we opted for allows ten attempts to log in; once the 11th attempt fails, the account is locked for one minute. Each subsequent failed attempt locks the account for twice as long (two minutes, then four minutes, and so on). This means that hackers would only be able to try 21 times to access an account within a 24 hour period.
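The following is an added example (written for this page, not code from Compsoft's library) of the lockout policy just described: ten free failures, a one-minute lock on the 11th, and a doubling lock for every failure after that. It also contains a small simulation that counts how many guesses an attacker who retries the instant each lock expires can make in 24 hours, which reproduces the figure of 21. Two details the post does not specify are assumed here: a successful login resets the failure counter, and the lock duration is capped at 24 hours so that the doubling cannot lock an account out indefinitely.

```python
from dataclasses import dataclass

FREE_ATTEMPTS = 10               # failed attempts tolerated before any lockout
FIRST_LOCKOUT_SECONDS = 60.0     # lock applied when the 11th attempt fails
MAX_LOCKOUT_SECONDS = 24 * 3600  # cap on the doubling (assumption, not from the post)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginThrottle:
    """Wraps a password check with the escalating lockout policy."""

    def __init__(self, check_password):
        # check_password(username, password) -> bool is supplied by the caller
        self._check = check_password
        self._state = {}

    def attempt(self, username, password, now):
        """Process one login attempt at time `now` (seconds).

        Returns (succeeded, retry_after_seconds). retry_after_seconds is 0.0
        when the caller may try again immediately; otherwise it is how long
        the account stays locked, so the UI can tell the user rather than
        silently rejecting them.
        """
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            # Attempts during a lock are rejected without touching the counter.
            return False, st.locked_until - now
        if self._check(username, password):
            # Assumption: a successful login clears the failure history.
            self._state.pop(username, None)
            return True, 0.0
        st.failures += 1
        if st.failures > FREE_ATTEMPTS:
            # 11th failure -> 1 min, 12th -> 2 min, 13th -> 4 min, ...
            exponent = st.failures - FREE_ATTEMPTS - 1
            lock = min(FIRST_LOCKOUT_SECONDS * 2 ** exponent, MAX_LOCKOUT_SECONDS)
            st.locked_until = now + lock
            return False, float(lock)
        return False, 0.0


def attempts_within(window_seconds):
    """Count guesses an attacker can make in `window_seconds` against one
    account, assuming every guess is wrong and each retry happens the
    moment the previous lock expires (the attacker's best case)."""
    throttle = LoginThrottle(lambda user, pw: False)  # constructed: every guess fails
    now, count = 0.0, 0
    while now < window_seconds:
        _, retry_after = throttle.attempt("victim", "guess", now)
        count += 1
        now += retry_after
    return count


if __name__ == "__main__":
    print("guesses possible in 24h:", attempts_within(24 * 3600))
```

Because the retry delay is returned rather than just a bare failure, the login page can show a legitimate user who has mistyped their password "try again in two minutes" instead of an unexplained rejection, which is the point about not slamming the door in their face. Note that without a cap the 25th failure would already lock the account for over a week, so the cap is a deliberate trade-off between resisting guessing and not letting an attacker permanently lock a victim out.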
This solution is already implemented as a critical part of Compsoft's code library; even though we haven't started developing it for you yet, your next website is already more secure than Twitter was.
This is an extract from the Developer Blog that Compsoft developers use to report on issues identified and their resolutions. It can be accessed here.