Last night a webmaster for a pretty large website mentioned that he was having problems with people doing password guessing against known user lists. This is a really common problem in the web application security world. It’s trivial to mount large scale password guessing attacks against websites, and there’s very little you can do about it. First, let me explain the three different types of password guessing brute force attacks:
Vertical
Vertical password guessing is where you start with a single known userid and throw thousands of passwords at the login script, testing each one in succession. These are by far the easiest to detect because, given how accounts are stored in a database, it's trivial to keep a counter of the number of times a userid has been tested. Once it reaches a limit you ask the user to do something special (unlock the account or otherwise).
Horizontal
Horizontal password guessing attacks use the same password but try many different usernames. This is much harder to detect for a few reasons. First, the password stays the same, but people generally don't keep a database of attempted passwords, and since passwords aren't unique anyway that wouldn't help. Secondly, a table of guessed passwords per username is irrelevant, as the attacker only tries one username/password pair per account before the username changes. Thirdly, and most importantly, you cannot separate the guessing by IP address, because companies like AOL use massive super proxies that route thousands of people through the same proxy IP address.
Diagonal
Diagonal password guessing is by far the hardest. Not only does the attacker shift the username, but they also shift the password on each guess. There is practically no way to stop this type of attacker except banning their IP address or asking them to remedy in some way or another, and that is easy enough to defeat by simply changing IP addresses. And if they come through an AOL proxy, you're out of luck, because then you are asking all of your AOL users who came through that proxy to remedy (which could be upwards of 30k users or more). That may or may not be a big deal, depending on what the remedy is and how many AOL users you have.
There are certain things I don't recommend, for instance what PassMark did to Bank of America. You don't want to block your users outright when their password fails. That just sets up a situation where competitors can deny service to all your users simply by enumerating through them in the most obvious ways to get you to lock the accounts.
One common way around this is to ask the user for a CAPTCHA as the remedy. Of course, that raises accessibility problems, but those can be mitigated as I have discussed in previous posts. Another way is to let users restrict their account by IP address. Give them a few days to (optionally) tell you all the IP address ranges they will be logging in from and let them limit access to their account to those ranges. That way logins from outside those ranges set off alerts, or at minimum you don't have to allow the access, so the attacker wastes time.
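The three patterns and the two remedies above, as an added example that is not part of the original post: it classifies a constructed set of failed logins by source IP (with the caveat that a shared proxy muddles that view), keeps the per-userid counter that catches the vertical case, and picks a CAPTCHA challenge or an out-of-range alert instead of an outright lock. Function names, thresholds and the sample data are all assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed failed-login events: (source IP, userid, password fingerprint).
# The fingerprint stands in for a keyed hash of the guess, never the plaintext.
FAILED_LOGINS = [
    ("203.0.113.5", "alice", "fp1"), ("203.0.113.5", "alice", "fp2"),
    ("203.0.113.5", "alice", "fp3"), ("203.0.113.5", "alice", "fp4"),
    ("198.51.100.9", "alice", "fp9"), ("198.51.100.9", "bob", "fp9"),
    ("198.51.100.9", "carol", "fp9"), ("198.51.100.9", "dave", "fp9"),
    ("192.0.2.77", "erin", "fpA"), ("192.0.2.77", "frank", "fpB"),
    ("192.0.2.77", "grace", "fpC"), ("192.0.2.77", "heidi", "fpD"),
]

def classify_by_source(events, min_attempts=4):
    # Label each source IP by which field it varies; a shared proxy muddles this.
    per_ip = defaultdict(list)
    for ip, user, fp in events:
        per_ip[ip].append((user, fp))
    verdict = {}
    for ip, pairs in per_ip.items():
        users, fps = {u for u, _ in pairs}, {f for _, f in pairs}
        if len(pairs) < min_attempts or (len(users) == 1 and len(fps) == 1):
            verdict[ip] = "none"  # too few tries, or one pair simply retried
        elif len(users) > 1 and len(fps) > 1:
            verdict[ip] = "diagonal"
        elif len(users) > 1:
            verdict[ip] = "horizontal"
        else:
            verdict[ip] = "vertical"
    return verdict

def failures_per_user(events):
    # The per-userid counter the post describes; it catches the vertical case.
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return dict(counts)

def remedy(username, ip, failures, allowed_ranges, limit=3):
    # Never lock the account outright (that hands anyone a denial of service):
    # challenge with a CAPTCHA past the limit, and alert when the source is
    # outside the ranges the user registered for the account.
    addr = ipaddress.ip_address(ip)
    ranges = allowed_ranges.get(username)
    if ranges and not any(addr in ipaddress.ip_network(r) for r in ranges):
        return "alert-outside-allowed-ranges"
    if failures.get(username, 0) >= limit:
        return "captcha"
    return "allow"
```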
However you end up doing it, it really won't stop a determined attacker, but it will make things so difficult that it may be easier to attack other targets. "I don't have to run faster than the bear, I just have to run faster than you."