[Intrusions] SSH brute forcing attacks
Pehr Söderman
Pehrs at kth.se
Thu May 19 09:02:40 GMT 2005
Smith, Donald wrote:
> The list of usernames and passwords has grown VERY large.
> The last list I saw had 3400+ passwords.
> The handlers had several short write-ups on this including various
> mitigation techniques.
I have seen lists circulating with well over 20'000 passwords. And most
passwords today are weak; humans are simply not able to memorize passwords that
are long and random enough. The passwords might be able to keep an online attack
out for a while, but as soon as (if) the attacker can toss an offline attack on
them they are bound to be broken. This would probably be a good place to preach
defence in depth.
I have recently read about some experiments with using CAPTCHAs (and similar
systems) to prevent automated password guessing with an AI-hard problem. It
would require changes to the login systems, but could it perhaps be a long-term
solution?
http://www.captcha.net/
--
/Pehr Söderman
Pehrs at kth.se
Student of Computer Science
Royal Institute of Technology, Stockholm, Sweden
Erasmus student at Universität Karlsruhe, Germany
Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt.
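As an added example, not from the original thread or its author: a small Python detector that runs over constructed sshd syslog lines and flags any source that exceeds a failure threshold inside a sliding time window, which is the automated guessing pattern discussed above. The hostnames, addresses, usernames and log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd syslog lines (not taken from the original post).
SAMPLE_LOG = """\
May 19 09:02:40 gw sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
May 19 09:02:41 gw sshd[4013]: Failed password for invalid user test from 198.51.100.7 port 4031 ssh2
May 19 09:02:42 gw sshd[4015]: Failed password for root from 198.51.100.7 port 4040 ssh2
May 19 09:02:43 gw sshd[4017]: Failed password for invalid user oracle from 198.51.100.7 port 4052 ssh2
May 19 09:02:44 gw sshd[4019]: Failed password for invalid user guest from 198.51.100.7 port 4060 ssh2
May 19 09:05:10 gw sshd[4101]: Failed password for pehrs from 192.0.2.9 port 51022 ssh2
May 19 09:05:20 gw sshd[4103]: Accepted publickey for pehrs from 192.0.2.9 port 51022 ssh2
"""

# Matches the classic "Failed password for [invalid user] NAME from IP port N" line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, source_ip, username) for each failed password attempt.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_brute_forcers(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: sorted usernames tried} for every source that reaches
    `threshold` failed logins within any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)      # per-IP set of usernames attempted
    flagged = {}
    for ts, ip, user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = sorted(users[ip])
    return flagged

if __name__ == "__main__":
    for ip, names in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} usernames tried: {', '.join(names)}")
```

The set of usernames per source is reported as well, since a run of many distinct accounts from one address distinguishes a dictionary attack from a legitimate user mistyping a password.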