Brute force attack excuses
When you hear of “Brute force attacks”, you can generally find flaws.
First off a brute force attack can EASILY be discovered by a correctly configured server. Since 99.999% of Web applications authenticate from a centralised Web server. If the server can’t raise an alert or throttle a brute force attack after say 5 wrong attempts it’s really badly configured.
With that in mind:
Companies who sell security products for example with:
- long password lengths
- choosing certain digits of a password (note they would have to store an unhashed password, which is dumb)
To offer better security by mitigating brute force attacks on the client side, are wrong.
Conclusion: Brute force attacks in most cases should be handled by extra logic in the server, not the user.
April 27th, 2008 at 3:49 pm
[...] Sidenote: Why the HELL does Barclays require the last five digits of my card? They already have my membership number. Are they trying to prevent a brute force attack? [...]