PSN - Warnings of Security Breach

[Bartholomy]

Can you mention any sites that uses the system that you mention?

bugs.launchpad.net a website for bug of Wine for Linux, recently bruteforced No captchas Accounts locked and reset of password

[ahou]

I dont understand why you think that limiting the tries from 86k each day to 3-5 instead is concidered as 'no reason'. If there were absolutely no reason to use CAPTCHA, then i wonder why so many places uses it. Try sending a mail to Google for example and say that it is no reason to use CAPTCHA on Gmail, and see what reply you get

Because 86k per day is not nearly enough to EVER hack a single account with a password > 5 characters or so. You seem to think 86k per day is a lot. It's not. Serious brute forcing can try TRILLIONS per second, and even then, depending on how complex the password is, can still take a long ass time, or possibly never succeed.

CAPTCHA are good for preventing automated spam, which is why google uses them.

If they are locking the account, wouldnt those who are already signed in be affected then?

NO

It seems to defeat the purpose to lock an account if it still can be used, unless there is a way to only lock the sign in process itself.

Exactly.

As for keeping a list of the IPs, that would be in the lines of using something like Steam Guard. I agree that this is a great solution and i hope to see this type of solution being used more and more. Though it can have its disadvantages if you try to use a friend's computer or something that isnt authorized to be allowed to login.

I mentioned checking IPs as a way to login if someone was actively trying to brute force the account. Any IP would still be able to log in otherwise. Realistically though, it doesn't even matter, because there is no point in trying to brute force accounts when there is any delay enforced.

I am interested to see some examples of where CAPTCHAs isnt used and where accounts are locked every second or so. Can you mention any sites that uses the system that you mention?

Locking accounts for 5-15 minutes after 3-5 failed login attempts is extremely common.

[yes159]

bugs launchpad net a website for bug of Wine for Linux, recently bruteforced No captchas Accounts locked and reset of password

That is a pity

Because 86k per day is not nearly enough to EVER hack a single account with a password > 5 characters or so. You seem to think 86k per day is a lot. It's not. Serious brute forcing can try TRILLIONS per second, and even then, depending on how complex the password is, can still take a long ass time, or possibly never succeed.

CAPTCHA are good for preventing automated spam, which is why google uses them.

Why do you only keep mentioning all chars brute force? I've mentioned several of times that other methods are also possible. There arent trillions of words when using dictionary attack for example. 86k tries a day multiplied by many many days is a ton more than 3-5 tries. Why give people tons of more tries on guessing the password when it isnt needed?


CAPTCHA is also used to stop spam indeed, but this is mostly when making a new account. This is to stop spam bots to be able to automatically sign up for email accounts. But Google also activate CAPTCHA when you fail login 4 or 5 times or something. This is not to stop spam bots to log in, because if the spam bots already have the correct login and password, then they have no problem loggin in on the first attempt, and then CAPTCHA isnt activated.


I see what you mean and you're right about strict brute force attacks. The chance to be lucky with this and finding the right password is indeed slim. But what i dont understand is why you argue against that 3-5 tries in total VS 86k tries each day is completely unnecessary. Maybe the chances are slim indeed, but dont you agree that it is much better to limit the tries to 3-5 times instead of 86k each day? Why not include extra security when it is possible? It is better to be safe than sorry I dont think that many people keep forgetting their passwords all the time, so they have to enter CAPTCHAs several times a day. So i dont think that many people are affected or annyoed by this. Just think of your own situation for example, how many times a month do you personally have to enter CAPTCHAs when login in somewhere?


And just to point out in case what i said earlier was clear, i didnt say that CAPTCHA is the only way to stop brute force attacks. But it does add another layer of security and CAPTCHAS is a very effective way to stop brute force and dictionary attacks. Having extra security is not something negative in this case, because i think that most people remember their passwords. Maybe they have to enter CAPTCHAs for logins a few times a year tops (unless they are really bad at remembering their passwords), so it is not really much of an annoyance in my opinion.

NO
Exactly.

It depends on how you define 'locked account'. If you can still use an locked account, it would kinda defeat the purpose in one way, because if the hackers get in to the account first, then they can still use the account. That is why Sony locked these PSN accounts for example, to stop the hackers who already got in to the accounts, so they couldnt use the account any further. If it is only the sign in process, then technically the account isnt locked I thought you ment to lock the account completely, not just lock the sign in process.

I mentioned checking IPs as a way to login if someone was actively trying to brute force the account. Any IP would still be able to log in otherwise. Realistically though, it doesn't even matter, because there is no point in trying to brute force accounts when there is any delay enforced.

Locking accounts for 5-15 minutes after 3-5 failed login attempts is extremely common.

Yeah, that would also be a way indeed.

Do you have any specific examples of sites who use this and that doesnt use CAPTCHAs? I know that for example Hotmail will (or at least they used to do it) lock your account if you fail too many times when trying to log in, but they also use CAPTCHA. I'm interested in seeing websites that will lock your account while failing too many login attempts and that not use CAPTCHAs because honestly i cant think of any sites that does it. I'm not saying that it doesnt excist, but i cant remember any sites that does it, that is why i ask You only have to give about 4-5 examples, and preferably on well known sites. This way i get an idea of how common it is.

[Bartholomy]

Considering Sony is not reading this thread nor improving their security with our analysis, not interested to give to their customers a better service, the 3 of us, with knowledge of Security, can talk about this interesting topic on a new thread? This thread was a news about Sony and a new fail of security. Just to remember to their customers our account aren't safe at all, but probably posting about locked accounts and refund, they think to be smartass and proud of it.
Stay far from PSN with your credit card, guys Create a fake account, and enjoy some online playtime

[yes159]

Considering Sony is not reading this thread nor improving their security with our analysis, not interested to give to their customers a better service, the 3 of us, with knowledge of Security, can talk about this interesting topic on a new thread? This thread was a news about Sony and a new fail of security. Just to remember to their customers our account aren't safe at all, but probably posting about locked accounts and refund, they think to be smartass and proud of it.
Stay far from PSN with your credit card, guys Create a fake account, and enjoy some online playtime

Sony did show that they have software that monitors brute force and dictionary attacks, that is at least something positive. Only time will tell if they will add a CAPTCHA and/or locking the sign in process for a short while if too many login attempts fail. Hopefully they will, but only time will tell =) But yeah, i think we all have got to say what we wanted to say in this thread now

[Bartholomy]

Sony did show that they have software that monitors brute force and dictionary attacks, that is at least something positive. Only time will tell if they will add a CAPTCHA and/or locking the sign in process for a short while if too many login attempts fail. Hopefully they will, but only time will tell =) But yeah, i think we all have got to say what we wanted to say in this thread now

I still suppose was a random discover, too many accounts logging together, trust me. Like i wrote before, their security is managed by clowns. Yus, if interested, one of us open a thread for it, and pm me

[ahou]

There arent trillions of words when using dictionary attack for example.

Yes there are? Unless all you're doing is trying every word out of a dictionary, in which case you'd probably have better luck simply trying password and 12345678 with random usernames instead.

I see what you mean and you're right about strict brute force attacks. The chance to be lucky with this and finding the right password is indeed slim. But what i dont understand is why you argue against that 3-5 tries in total VS 86k tries each day is completely unnecessary. Maybe the chances are slim indeed, but dont you agree that it is much better to limit the tries to 3-5 times instead of 86k each day?

No, i don't agree. I use about 5 main passwords for all sites. On top of that, i also use a number of different variations (for example, i use 12345 for a lot of sites i never plan on coming back to, but require a registration, however sites that require 8 characters, i instead lengthen it to 12345678, or !2345678 if they require a special symbol, etc), which results in at least 50+ different passwords in use. Sometimes for sites i don't use often, i forget which one i used, and then need to try them all. Trying just the main 5 would lock my account if they chose to lock it at 3-4, let alone if i had to check any of the variations. As rare as this situation is, it's not worth the loss of convenience to add more security once it is impossible to ever crack even a single account before the website was taken down.

Just think of your own situation for example, how many times a month do you personally have to enter CAPTCHAs when login in somewhere?

I personally have no logged into any accounts in the last month, thank you cookies.

It depends on how you define 'locked account'. If you can still use an locked account, it would kinda defeat the purpose in one way, because if the hackers get in to the account first, then they can still use the account. That is why Sony locked these PSN accounts for example, to stop the hackers who already got in to the accounts, so they couldnt use the account any further. If it is only the sign in process, then technically the account isnt locked I thought you ment to lock the account completely, not just lock the sign in process.

I don't even understand why you would lock the account entirely. The log in process is all that matters.

Do you have any specific examples of sites who use this and that doesnt use CAPTCHAs?

psx-scene.com

As well as most all forums.

[yes159]

I still suppose was a random discover, too many accounts logging together, trust me. Like i wrote before, their security is managed by clowns. Yus, if interested, one of us open a thread for it, and pm me

Who knows. But i dont think that it was a random discovery, i think that they have software that monitors login activity.

No need to open a new thread on this for my sake I think that this discussion is pretty much done now.

Yes there are? Unless all you're doing is trying every word out of a dictionary, in which case you'd probably have better luck simply trying password and 12345678 with random usernames instead.

Well, it depends on how long passwords your trying to break of course. But if you limit the try to maybe 8-10 char long passwords, then i dont think that there are trillions of combinations with a dictionary attack. It is not that uncommon that people use simple passwords, so it is possible to be lucky finding the password relatively fast.

No, i don't agree. I use about 5 main passwords for all sites. On top of that, i also use a number of different variations (for example, i use 12345 for a lot of sites i never plan on coming back to, but require a registration, however sites that require 8 characters, i instead lengthen it to 12345678, or !2345678 if they require a special symbol, etc), which results in at least 50+ different passwords in use. Sometimes for sites i don't use often, i forget which one i used, and then need to try them all. Trying just the main 5 would lock my account if they chose to lock it at 3-4, let alone if i had to check any of the variations. As rare as this situation is, it's not worth the loss of convenience to add more security once it is impossible to ever crack even a single account before the website was taken down.

Sorry, i wrote a bit poorly (i shouldnt have used the word "better" because that can be defined in many ways). What i mean to ask is if you agree that it is more secure to limit the tries to 3-5 in total instead of having 86k tries each day. I agree that there can be a very slim chance to find the right password when brute forcing, even if it is 86k tries a day. But depending on the password, and trying maybe several of hundred thousands accounts, it might very well be possible to find the right passwords, even if it is just a handful. Maybe many of the big companies think like this, so they want to be safe than sorry, and therefor they include CAPTCHA as an extra layer of security?


About being inconvenient, both methods can actually be described as being inconvenient. For example, locking an account for maybe 20 minutes could probably be inconvenient for some if they are in a hurry to use the account. Instead of having to wait for 20 minutes to be able to log in, entering a few CAPTCHAs would take less than a minute. But this is a personal preference, it variates from person to person what he/she prefer the most.


But convenience issues aside (since that is a subjective thing), i think that we can at least agree to that both CAPTCHAs and locking the sign in process are good ways to stop brute force attacks

I personally have no logged into any accounts in the last month, thank you cookies.

Ok, i think that shows that this isnt really much of an inconvenience issue for you personally then? =)

I don't even understand why you would lock the account entirely. The log in process is all that matters.

If the hackers dont find the right password, then it isnt any need to lock the whole account indeed. The only time that it is needed to lock the whole account is if the hackers successfully find some of the passwords. Then it could be smart to lock the whole account, so that the hackers cant abuse the accounts.

psx-scene com

As well as most all forums.

Thanks for the example You are right that many forums uses this method.

[ahou]

What i mean to ask is if you agree that it is more secure to limit the tries to 3-5 in total instead of having 86k tries each day.

Lets say you wanted to sound proof a room. You don't want to be cheap about this either, you want it to really be sound proof. So how can we block all sound? I know, we put a vacuum around the room. If there is no air or other medium for the sound to travel through, it can't reach the room, right? Done. But...but, why don't we add a second layer, just in case?

But we don't. Why? Because zero sound is reaching the room as is, so it is not possible to improve the situation.

About being inconvenient, both methods can actually be described as being inconvenient. For example, locking an account for maybe 20 minutes could probably be inconvenient for some if they are in a hurry to use the account.

Hence why i suggested 1 second.

But convenience issues aside

No, you can't set aside convenience. Security is always about balancing security and convenience. The most secure system would be to disable an account after a single failed login attempt, and require a phone call from a phone number that has been previously verified, and giving a one time password in order to get a location to come in in person to show your birth certificate, passport, etc, etc, etc.

Get my point? Security isn't just about making the system as secure as possible. That 50 number alarm code does you no good if you can't remember it, and have it written down on a post it note above the keypad.

i think that we can at least agree to that both CAPTCHAs and locking the sign in process are good ways to stop brute force attacks

Of course.

[yes159]

Lets say you wanted to sound proof a room. You don't want to be cheap about this either, you want it to really be sound proof. So how can we block all sound? I know, we put a vacuum around the room. If there is no air or other medium for the sound to travel through, it can't reach the room, right? Done. But...but, why don't we add a second layer, just in case?

But we don't. Why? Because zero sound is reaching the room as is, so it is not possible to improve the situation.

I see your point. But the thing is about brute force attacks is that we are very often not only talking about one single account. We might be talking about several of hundred thousands of accounts. And not everyone uses passwords like "v#t6fwa!149xT". It is not that uncommon that people use simple words for passwords because it is easier to remember. So the chances to get some passwords when we're talking so many accounts is definitely there, it is not necessarily microscopical or impossible.

Hence why i suggested 1 second.

Then that is the problem with what i mentioned above. Trying A LOT of accounts + some people use easy passwords = a reasonable chance to succeed with some of the accounts if you get 86k tries each day. The chance might be slim, but when trying a lot of accounts and maybe keep the process run for a week or two, then i'd say there is a reasonable chance to succeed on some of the accounts.

No, you can't set aside convenience. Security is always about balancing security and convenience. The most secure system would be to disable an account after a single failed login attempt, and require a phone call from a phone number that has been previously verified, and giving a one time password in order to get a location to come in in person to show your birth certificate, passport, etc, etc, etc.

Get my point? Security isn't just about making the system as secure as possible. That 50 number alarm code does you no good if you can't remember it, and have it written down on a post it note above the keypad.

Sure, i didnt say that convenience doesnt matter at all For example, having to take a DNA test everytime you enter a building just be 100% sure that it is the correct person who enters would of course not be convenient even if it is more secure than just checking an ID badge or something. I agree to that, and i get your point on this.


But i think it is important that we keep perspective here. We're not talking about making a call or showing a passport or anything like that. I agree that this situation could be inconvenient, especially if we are talking about something like a forum account (maybe it would a bit different if we talk about a bank account or so). But entereing a CAPTCHA is about typing a few words maybe a few times a year, or a few times a month at worse (unless someone is really bad at remembering their passwords). Is typing a few words a few times a year really that inconvenient? Personally i dont think so. At least i dont find it comparable to having to call and show passport etc. (i guess that you're exagerating on this just to show your point better, but i'm just mentioning it to show that CAPTCHAs is just about typing a few extra words, so it is not a heavy process). I do not think that it is any more inconvenient to lock the sign in process for maybe 15-20 minutes or so. I see that PSX Scene locks it for 15 minutes for example.


Even if it should be a 1 minute lock, during that time it is possible to enter several of CAPTCHAs. But as i mentioned, that is a personal preference of what one prefer or not prefer But both things can at least be described as being inconvenient. Personally i dont see entering a few words or waiting a few minutes as being much of an inconvenient for me. If i had to do it several of times everyday, then maybe, but not when it is perhaps a few times a year for me personally What do you think?

Of course.