DonationCoder.com Software > fSekrit

Brute Force hacking possible?

AbteriX:
Hi f0dder,

1. If I enter a wrong password into fSekrit 1.1
2. I get a messagebox telling me that this password is incorrect.
3. Then I can try another one.
4. If this is wrong also, I get a messagebox telling me that this password is incorrect.
5. GoTo 1.

I think someone could write an AutoIt script to use a text file to try common passwords, as many ppl use this.

For security reasons, maybe you want to add a timeout, like after 10 wrong pw's wait 30 minutes?

What do you think?

Eóin:
Hi AbteriX, you bring up a good point, but if someone has a copy of your file there are probably a lot of ways they could cheat such a system, say by making a new copy of the file after every failed attempt, or adjusting their system clock to fool the program.

The only real defense against brute force attacks is hardened passwords.

f0dder:
This is a possible form of attack, yes, but it's going to be slow. You do *not* want to use common passwords, including (but not limited to) words present in a dictionary.

Adding this form of "protection", as Eóin already pointed out, is pretty useless - it's a false sense of "security", and there are numerous ways to defeat it. Besides, it would be a lot faster (though still painstakingly slow) to attack the file directly. At the moment that would require reverse engineering fSekrit, but I'm considering releasing the source when I'm satisfied with it... which would make attacks a lot easier.

But that's actually one of the points of releasing source - to show that security is strong. Security through obscurity isn't a good idea :)

AbteriX:
All right, THX :)

mouser:
Just to add to this:
Modern cryptography algorithms, like the ones f0dder uses, are designed on the assumption that your attacker could, for example, test millions of different passwords per second, and still require longer than the time it will take for our sun to burn out before you stumble on the right password. So the answer is surely to use a password someone is not going to guess, and don't worry about the rest.