PSN - Warnings of Security Breach

[Chastises]

If they are simple, a bot will solve them (though far, far slower than it would take to simply send a million log in attempts per second). If they are complex, they are a pain in the ass for actual users. More importantly, they are entirely unnecessary. Brute forcing works by trying millions, if not hundreds of millions or billions of passwords per second. Limiting it to one attempt per second would make it entirely pointless to even try, and an actual user would never even know about it, unless told.

What kind of shit are you smoking if you think it possible to do billions of remote logins per second? Get a f*ckin' clue.

[Bartholomy]

What kind of shit are you smoking if you think it possible to do billions of remote logins per second? Get a f*ckin' clue.

A quad (or more) proccessor server, latest generation, and a proper program, do it. Do you have a barely far idea of what kind of technology is used , for a criminal attack? Do you think they attaccked NASA and other important organizations with an intel atom and windows 7?

[ahou]

Then you can keep trying every second. But with CAPTCHA, then it wont allow you to try unless you write in the right word in the CAPTCHA. So it definitely adds one extra layer of security =)

No, it's not possible to brute force a password at 1 per second. The earth would be long gone before you would even have a 1% chance of cracking a decent length password.

So it definitely adds one extra layer of security =)

Yes, captchas work fine, but they are entirely unnecessary, and there are better ways of preventing brute force attacks without having even a chance of inconveniencing actual users.

What kind of shit are you smoking if you think it possible to do billions of remote logins per second? Get a f*ckin' clue.

Depends on the hardware being used. But if you bothered reading my post, i gave a range from millions to billions. Millions can be done by an average computer with a decent internet connection.

[Bartholomy]

Yes, captchas work fine, but they are entirely unnecessary, and there are better ways of preventing brute force attacks without having even a chance of inconveniencing actual users.
.

Better than nothing and see your account locked and wallet refund

[ahou]

Better than nothing and see your account locked and wallet refund

Being better than nothing isn't useful when there are far better methods.

[yes159]

Simple answer. Clowns who pretend to be expert of security, just lazy or ignorant on how to develop a captcha system. Most works because his uncle put them as security manager

Lol

No, it's not possible to brute force a password at 1 per second. The earth would be long gone before you would even have a 1% chance of cracking a decent length password.

Yes, captchas work fine, but they are entirely unnecessary, and there are better ways of preventing brute force attacks without having even a chance of inconveniencing actual users.

Perhaps not directly brute force, but it still allows passwords to be tested. It is possible to use a common password list or something, it doesnt necessarily have to try every character combination. If it allows for 1 password to be tried every second, that is 86400 password tries in one day. While the chances might be slim, 86400 password is a lot more than 3-5 tries, which a CAPTCHA would allow.

But if CAPTCHAs are entirely unnecessary, how do you stop bots from trying a new password every second? And what happends if i'm already logged in somewhere, lets say on PSN and i'm playing online, and suddently someone start a brute force attack and my account gets locked up for every second. Wouldnt i get disconnected then? That doesnt seem very convenient at least.

[Bartholomy]

Lol



Perhaps not directly brute force, but it still allows passwords to be tested. It is possible to use a common password list or something, it doesnt necessarily have to try every character combination. If it allows for 1 password to be tried every second, that is 86400 password tries in one day. While the chances might be slim, 86400 password is a lot more than 3-5 tries, which a CAPTCHA would allow.

But if CAPTCHAs are entirely unnecessary, how do you stop bots from trying a new password every second? And what happends if i'm already logged in somewhere, lets say on PSN and i'm playing online, and suddently someone start a brute force attack and my account gets locked up for every second. Wouldnt i get disconnected then? That doesnt seem very convenient at least.

If account is logged, a secondary log attempt fail, because user is logged. And system can send a email alerting the user someone attempt an unauthorized login. What disconnection are you talking about?

[yes159]

But if i am logged into PSN on my PS3, and then i want to login to PSN through my PC at the same time (maybe to post on the PS Blog or something), then i must first disconnect on my PS3 because it only allows one login? That doesnt sound like a very good solution in my opinion, especially not as a substitute for using a CAPTCHA. Maybe such a solution would work good on other systems, but i dont think that it sounds like a good solution on PSN at least.

The disconnect i'm talking about is if the account gets locked if someone tries to bruteforce it as ahou mentioned. Surely it wont be possible to use the account if it is locked? If you're still able to use the account after it is locked, then it kinda defeat the purpose of locking it.

But the point is that CAPTCHAs does serve a good purpose against brute forcing I'm sure that there are other ways instead, but why not use something that is already effective instead of using other solutions that might be less convenient? In my opinion, the best solution against brute forcing is a really well made CHAPTA + locking of the account for a short while if someone manually tries many passwords (or if someone makes a bot that actually manages to break the CAPTCHA). Also using some security like Steam Guard in addition would also be great. I hope that more places incorporate such a solution as Steam Guard.

[Tkalmighty]

bruteforcing a web form is so retarded and ridiculously slow, no offense. they probably tested a lot of accounts with like no more than 100 common passwords and a few of them checked out from people putting paswords such as 12345678. If you use a weak pass, dont blame sony

[Bartholomy]

Yus. Guess what? None of those method will be applied, we will use the same trash for long, long time. Enjoy PSN, i keep my pocket far from those clowns

[ahou]

Perhaps not directly brute force, but it still allows passwords to be tested. It is possible to use a common password list or something, it doesnt necessarily have to try every character combination. If it allows for 1 password to be tried every second, that is 86400 password tries in one day. While the chances might be slim, 86400 password is a lot more than 3-5 tries, which a CAPTCHA would allow.

But if CAPTCHAs are entirely unnecessary, how do you stop bots from trying a new password every second? And what happends if i'm already logged in somewhere, lets say on PSN and i'm playing online, and suddently someone start a brute force attack and my account gets locked up for every second. Wouldnt i get disconnected then? That doesnt seem very convenient at least.

86k passwords per day is not a lot. Unless your password is "password" or something like that, you would be 100% safe from brute force attacks if they could only be done at 1 per second. The odds are so low, that we may as well just say it is impossible to complete an attack within a person's life span at such a rate, and even doing it before the earth is ****ing gone would be pretty close to impossible. Remote brute force attacks are rarely successful even without a limit (other than bandwidth), and strong passwords are entirely impossible to brute force, even when done locally with trillions+ tried per second.

[Bartholomy]

86k passwords per day is not a lot. Unless your password is "password" or something like that, you would be 100% safe from brute force attacks if they could only be done at 1 per second. The odds are so low, that we may as well just say it is impossible to complete an attack within a person's life span at such a rate, and even doing it before the earth is ****ing gone would be pretty close to impossible. Remote brute force attacks are rarely successful even without a limit (other than bandwidth), and strong passwords are entirely impossible to brute force, even when done locally with trillions+ tried per second.

Are you sure

[ahou]

Are you sure

Positive.

An 8 character password that can use a-z,A-Z, 0-9, and 31 other symbols (`~!@#$%^&*()_+=-/*[]{}),<.>?:;'" ) for 95 different possible characters can have 95^8 has a total of 6,634,204,312,890,625 possibilities. Divide by 86400 is 76,784,772,140 days to try every possible. Now, of course it would be highly unlikely that the correct password would be the last one tried, but even if you got it after only trying 10% of them, you'd be looking at 2 MILLION years.

For an 8 character password.

For a 20 character password you'd need 1.135 x 10^32 years. aka 114,000,000,000,000,000,000,000,000,000,000 years.

Good luck with that.

[yes159]

86k passwords per day is not a lot. Unless your password is "password" or something like that, you would be 100% safe from brute force attacks if they could only be done at 1 per second. The odds are so low, that we may as well just say it is impossible to complete an attack within a person's life span at such a rate, and even doing it before the earth is ****ing gone would be pretty close to impossible. Remote brute force attacks are rarely successful even without a limit (other than bandwidth), and strong passwords are entirely impossible to brute force, even when done locally with trillions+ tried per second.

True, but 86k password attempts each day is helluwa lot more than 3 to 5 attempts. So why would you use a method that allows 86k attempts each day instead of 3 to 5? But as i mentioned, it doesnt necessarily have to be brute force trying every combination, it is also possible to use a common password list. And locking the account for one second just because of failed attempts would also kick the legit user out if he/she is using the account during the attack. How do you solve this problem?

[Bartholomy]

Positive.

An 8 character password that can use a-z,A-Z, 0-9, and 31 other symbols (`~!@#$%^&*()_+=-/*[]{}),<.>?:;'" ) for 95 different possible characters can have 95^8 has a total of 6,634,204,312,890,625 possibilities. Divide by 86400 is 76,784,772,140 days to try every possible. Now, of course it would be highly unlikely that the correct password would be the last one tried, but even if you got it after only trying 10% of them, you'd be looking at 2 MILLION years.

For an 8 character password.

For a 20 character password you'd need 1.135 x 10^32 years. aka 114,000,000,000,000,000,000,000,000,000,000 years.

Good luck with that.

You talk about this calculation using your intel atom mini laptop?
Maybe you never heard of 4 or more processor pimped server, or a network of them, using a parallel work, for brute force. Trust me, its a matter of less than a week, your 20 character password. If easy, a couple days. This method is actually used, from criminals against big corporation and police, expecially against pedos, it's not a star-trek movie technology

And sorry, but captha or 5 attempt then locked, will break any method against bruteforce. But Sony doesn't seems so much interested to save our accounts

[ahou]

True, but 86k password attempts each day is helluwa lot more than 3 to 5 attempts. So why would you use a method that allows 86k attempts each day instead of 3 to 5? But as i mentioned, it doesnt necessarily have to be brute force trying every combination, it is also possible to use a common password list. And locking the account for one second just because of failed attempts would also kick the legit user out if he/she is using the account during the attack. How do you solve this problem?

Sometimes people forget their passwords, and need to guess a few different ones before they get it. Inconveniencing users for no reason is retarded. Anyone logged in already would not be affected. As for people trying to log in while someone else is trying to brute force it (which really isn't an issue, since no one would even try), they could keep a list of IPs that have successfully logged in before, and always allow them to log in.

You talk about this calculation using your intel atom mini laptop?
Maybe you never heard of 4 or more processor pimped server, or a network of them, using a parallel work, for brute force. Trust me, its a matter of less than a week, your 20 character password. If easy, a couple days. This method is actually used, from criminals against big corporation and police, expecially against pedos, it's not a star-trek movie technology

Try reading my posts? If there is a limit of 1 login attempt per second, you cannot possibly speed it up, and a 10 year old computer would be just as slow as a botnet with 10 million computers.

Also, the hardware required to brute force a 20 character password in a week would absolutely never be used to crack something as useless as a psn account. Electricity costs alone would far, far outweigh any possible gains, not to mention the opportunity cost of not using it to do something more useful.

[Bartholomy]

Sometimes people forget their passwords, and need to guess a few different ones before they get it. Inconveniencing users for no reason is retarded. Anyone logged in already would not be affected. As for people trying to log in while someone else is trying to brute force it (which really isn't an issue, since no one would even try), they could keep a list of IPs that have successfully logged in before, and always allow them to log in.

Try reading my posts? If there is a limit of 1 login attempt per second, you cannot possibly speed it up, and a 10 year old computer would be just as slow as a botnet with 10 million computers.

Also, the hardware required to brute force a 20 character password in a week would absolutely never be used to crack something as useless as a psn account. Electricity costs alone would far, far outweigh any possible gains, not to mention the opportunity cost of not using it to do something more useful.

Apologizes. I lost the that part with limits.
Yes mate, people spend money for electricity and use the best hardware possible, for PSN. Sony is a multinational who deserve just to shrink for some reasons, for some people. Don't be so surprised.

[ahou]

Apologizes. I lost the that part with limits.
Yes mate, people spend money for electricity and use the best hardware possible, for PSN. Sony is a multinational who deserve just to shrink for some reasons, for some people. Don't be so surprised.

A few accounts being hacked per week is hardly going to be noticed, let alone cared about.

[Bartholomy]

A few accounts being hacked per week is hardly going to be noticed, let alone cared about.

Yup. This new trouble, is surely confirming what kind of trash is PSN, Sony is losing more customers, and today people buy a ps3 for CFW, never logged nor registered. Cool. And now PSN titles for free (team duplex). Well done. PSPVITA will save them?

[yes159]

Sometimes people forget their passwords, and need to guess a few different ones before they get it. Inconveniencing users for no reason is retarded. Anyone logged in already would not be affected. As for people trying to log in while someone else is trying to brute force it (which really isn't an issue, since no one would even try), they could keep a list of IPs that have successfully logged in before, and always allow them to log in.

I dont understand why you think that limiting the tries from 86k each day to 3-5 instead is concidered as 'no reason'. If there were absolutely no reason to use CAPTCHA, then i wonder why so many places uses it. Try sending a mail to Google for example and say that it is no reason to use CAPTCHA on Gmail, and see what reply you get

But as i mentioned, using strict brute force attacks where every char combination is tried isnt the only way to do it. You can get a list of commonly used password and try that. You can also try a dictionary attack for example. We also know that PSN passwords must be at least 8 chars long, so if someone should do a strict brute force attack, they only have to start on 8 chars passwords, i'm sure there are a lot of people who just use an 8 char password. It would still take a damn long time to brute force every combination of 8 chars though, but at least you can drop the 1-7 chars passwords, and that will save a lot of time.

If they are locking the account, wouldnt those who are already signed in be affected then? It seems to defeat the purpose to lock an account if it still can be used, unless there is a way to only lock the sign in process itself. As for keeping a list of the IPs, that would be in the lines of using something like Steam Guard. I agree that this is a great solution and i hope to see this type of solution being used more and more. Though it can have its disadvantages if you try to use a friend's computer or something that isnt authorized to be allowed to login. But it still doesnt mean that CAPTCHAs are being used for no reason I am interested to see some examples of where CAPTCHAs isnt used and where accounts are locked every second or so. Can you mention any sites that uses the system that you mention?