failed password tries...!!

Discussion in 'Java' started by jibi wilson, Jul 5, 2007.

  1. jibi wilson

    Please help me... maybe some of you experts active in here can suggest
    me a solution.

    I've a web site with a front page asking for username and password for
    entry... Is there any way to know how many failed password attempts
    have happened, and what unauthorised usernames and passwords
    have been tried? Is there any website that provides this service for
    free? Or should I use some complex programming to do this?
    regards,
    jibi wilson
    jibi wilson, Jul 5, 2007
    #1

  2. Andrew Thompson, Jul 5, 2007
    #2


  3. stefanomnn

    It depends on how you realised the authentication system...
    Suppose you have a servlet which checks for authentication, and
    suppose users are stored in a DB.
    Create a field in the DB (NO_OF_INVALID_LOGIN), and if login fails, in the
    servlet update it, adding one; if it is successful set the value to ZERO.

    Stefano
    stefanomnn, Jul 5, 2007
    #3
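Stefano's counter written out, as an added example that is not code from the thread. It is Python with an in-memory SQLite table rather than the servlet and database the post has in mind; the table layout, the column name NO_OF_INVALID_LOGIN (taken from the post), the lockout threshold of five and the PBKDF2 parameters are assumptions. It goes beyond the post in three ways a practitioner would want: it stores only a salted password hash, it answers an unknown username exactly like a wrong password so the counter logic cannot be used to enumerate accounts, and it locks the account once the counter reaches the threshold instead of only counting.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical policy values (assumptions, not from the thread).
MAX_FAILED_LOGINS = 5
PBKDF2_ITERATIONS = 100_000


def create_schema(conn):
    """Users table carrying the NO_OF_INVALID_LOGIN counter from the post."""
    conn.execute(
        """CREATE TABLE users (
               username TEXT PRIMARY KEY,
               salt BLOB NOT NULL,
               pw_hash BLOB NOT NULL,
               no_of_invalid_login INTEGER NOT NULL DEFAULT 0
           )"""
    )


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user(conn, username, password):
    """Store a per-user salt and a PBKDF2 hash, never the plaintext password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash_password(password, salt)),
    )


def attempt_login(conn, username, password):
    """Return 'ok', 'locked' or 'denied'.

    The counter goes up on a wrong password and back to zero on success,
    as the post suggests. Once it reaches MAX_FAILED_LOGINS the account is
    locked until an operator resets the counter, even if the password is
    right. Unknown usernames get the same 'denied' as a wrong password.
    """
    row = conn.execute(
        "SELECT salt, pw_hash, no_of_invalid_login FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, failures = row
    if failures >= MAX_FAILED_LOGINS:
        return "locked"
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(_hash_password(password, salt), pw_hash):
        conn.execute(
            "UPDATE users SET no_of_invalid_login = 0 WHERE username = ?",
            (username,),
        )
        return "ok"
    conn.execute(
        "UPDATE users SET no_of_invalid_login = no_of_invalid_login + 1 "
        "WHERE username = ?",
        (username,),
    )
    return "denied"


def failed_count(conn, username):
    """Current counter value for an account, or None if it does not exist."""
    row = conn.execute(
        "SELECT no_of_invalid_login FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


def demo():
    """Walk one constructed account through typo, reset and lockout."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    add_user(conn, "jwilson", "correct horse")  # constructed sample account
    results = [attempt_login(conn, "jwilson", "wrong") for _ in range(3)]
    results.append(attempt_login(conn, "jwilson", "correct horse"))  # resets to 0
    after_reset = failed_count(conn, "jwilson")
    results += [attempt_login(conn, "jwilson", "wrong") for _ in range(MAX_FAILED_LOGINS)]
    results.append(attempt_login(conn, "jwilson", "correct horse"))  # now locked
    unknown = attempt_login(conn, "nobody", "anything")
    return results, after_reset, failed_count(conn, "jwilson"), unknown


if __name__ == "__main__":
    print(demo())
```

Note that this records how many failures happened, which is what the original question needed, without ever writing the attempted password anywhere; the next two posts explain why that matters.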
  4. Eric Sosman

    jibi wilson wrote:
    > Please help me... maybe some of you experts active in here can suggest
    > me a solution.
    >
    > I've a web site with a front page asking for username and password for
    > entry... Is there any way to know how many failed password attempts
    > have happened, and what unauthorised usernames and passwords
    > have been tried? Is there any website that provides this service for
    > free? Or should I use some complex programming to do this?


    Before you attempt to make a record of incorrect username
    and password pairs, take a few moments to think through the
    security implications. When an actual user provides incorrect
    login information, chances are good that it was just a small
    typo; the information provided is *almost* correct. Thus, a
    log of the failed attempts is almost as good as a complete
    copy of your credentials database; given the log, a cracker
    could break into the accounts in just about no time at all.
    Do you *really* want to maintain such a risky log? Do you
    *really* want a third party to maintain it for you "for free?"

    One error I myself make with embarrassing frequency is
    to get "out of phase" with the prompts, entering my password
    instead of my account name and vice versa. So, even a log
    that records only the failed usernames but not the failed
    passwords is not safe; a cracker observing that jwilson and
    esosman and B##a29a^ and philton had all failed to log in
    would have a pretty good idea about a possible password to
    try against all the usernames on your system ...

    --
    Eric Sosman
    Eric Sosman, Jul 5, 2007
    #4
  5. Twisted

    On Jul 5, 9:08 am, Eric Sosman <> wrote:
    > Before you attempt to make a record of incorrect username
    > and password pairs, take a few moments to think through the
    > security implications. When an actual user provides incorrect
    > login information, chances are good that it was just a small
    > typo; the information provided is *almost* correct. Thus, a
    > log of the failed attempts is almost as good as a complete
    > copy of your credentials database; given the log, a cracker
    > could break into the accounts in just about no time at all.
    > Do you *really* want to maintain such a risky log? Do you
    > *really* want a third party to maintain it for you "for free?"
    >
    > One error I myself make with embarrassing frequency is
    > to get "out of phase" with the prompts, entering my password
    > instead of my account name and vice versa. So, even a log
    > that records only the failed usernames but not the failed
    > passwords is not safe; a cracker observing that jwilson and
    > esosman and B##a29a^ and philton had all failed to log in
    > would have a pretty good idea about a possible password to
    > try against all the usernames on your system ...


    What about logging every attempt, but log only the username if the
    username resembles an existing username; log only the password if the
    username doesn't, but the password does; accept logins where the
    password/username pair is reversed but otherwise valid; and if a login
    attempt has neither the username nor the password resemble anything on
    the system, log the username if it "looks like English", the password
    if the username doesn't but the password does, or just the fact of a
    failed login attempt with no additional details save the originating
    IP otherwise. (This catches login attempts with username guessing such
    as fredp, admin, root, or whatever. Look for dictionary words, common
    abbreviations like admin, and common first names as prefixes, and
    common last name beginnings like logan as suffixes. If this ever
    actually matches a password it was a weak password anyway.)

    You can also encrypt the log. The encryption code must be on the auth
    server, but it only needs to contain your public key. You keep your
    private key on a smartcard, PDA, laptop, heavily firewalled PC, or
    whatnot and copy the log to a heavily firewalled machine to decrypt
    and examine it from time to time. Nobody can get at the log contents
    without first compromising your private key somehow. Compromising the
    auth server doesn't get them anywhere since reversing the encryption
    or discovering the private key with just the public key is NP-hard.
    Note that each log entry obviously needs to be separately encrypted
    with this scheme, as the auth server mustn't have the private key and
    therefore cannot decrypt, append, and reencrypt.
    Twisted, Jul 6, 2007
    #5
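A logging design that follows Eric's warning and the part of Twisted's proposal that records only the fact of a failure plus the originating IP, as an added example that is not code from the thread. It is Python over constructed events; the key TAG_KEY, the sample account list, the two thresholds and the record field names are assumptions. Instead of the submitted username it stores a keyed, truncated HMAC tag of it, so an analyst can still count repeated failures against a real account and spot one source cycling through many names, while a password typed into the username box (Eric's "out of phase" case) never reaches the log in the clear. The password itself is not even passed to the logging function. The public-key encryption of the log that Twisted describes is not shown here.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Hypothetical values. In practice TAG_KEY lives in the auth server's
# secret store and is not written next to the log it protects.
TAG_KEY = b"constructed-demo-key-not-for-production"
KNOWN_USERS = {"jwilson", "esosman", "philton"}  # constructed sample accounts
BRUTE_FORCE_THRESHOLD = 5   # failures against one real account
SPRAY_THRESHOLD = 4         # distinct names tried from one source


def user_tag(submitted_username):
    """Keyed, truncated tag of whatever was typed into the username box.

    Repeats of the same string map to the same tag, so counting still
    works, but the raw string (which may be someone's password) is not
    recoverable from the log without the key.
    """
    mac = hmac.new(TAG_KEY, submitted_username.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def log_failed_login(ts, src_ip, submitted_username):
    """Record for one failed attempt. No password parameter exists, so the
    password cannot end up in the log by accident."""
    return {
        "ts": ts,
        "src_ip": src_ip,
        "user_exists": submitted_username.strip().lower() in KNOWN_USERS,
        "user_tag": user_tag(submitted_username),
        "outcome": "failed",
    }


def detect(records):
    """Return (tags of accounts under brute force, sources that are spraying)."""
    per_account = Counter()
    per_source = defaultdict(set)
    for r in records:
        if r["outcome"] != "failed":
            continue
        if r["user_exists"]:
            per_account[r["user_tag"]] += 1
        per_source[r["src_ip"]].add(r["user_tag"])
    brute = {tag for tag, n in per_account.items() if n >= BRUTE_FORCE_THRESHOLD}
    spray = {ip for ip, tags in per_source.items() if len(tags) >= SPRAY_THRESHOLD}
    return brute, spray


def demo():
    """Constructed events: (ts, src_ip, submitted username).

    198.51.100.5 hammers one real account; 203.0.113.9 tries a list of
    names once each; 192.0.2.44 is a user who typed their password into
    the username box, the case Eric describes.
    """
    events = [(t, "198.51.100.5", "jwilson") for t in range(1, 7)]
    events += [
        (10, "203.0.113.9", "admin"),
        (11, "203.0.113.9", "root"),
        (12, "203.0.113.9", "jwilson"),
        (13, "203.0.113.9", "esosman"),
        (14, "203.0.113.9", "philton"),
        (20, "192.0.2.44", "B##a29a^"),
    ]
    records = [log_failed_login(*e) for e in events]
    brute, spray = detect(records)
    return records, brute, spray


if __name__ == "__main__":
    records, brute, spray = demo()
    print(len(records), "records;", "brute force on", brute, "; spraying from", spray)
```

The caveat a practitioner should keep in mind: if the tag key is ever compromised together with the log, the tags of non-existent "usernames" become an offline guessing target, which is why the key must not live beside the log and why the tag is keyed rather than a plain hash.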