Congratulations Members of The VG Press
So are you implementing a "Too many failed logins!" functionality into the site, or what do you plan on doing to counteract dictionary/script attacks like these and others?
The likely solution is going to be exponentially increasing minimum time period between log-in attempts based on IP address.
---
Tell me to get back to rewriting this site so it's not horrible on mobile

I made my password specifically because I thought you could see it Yo.
Then it's a good thing I recently changed my password from "pussy" to something else.
I have been working on a couple of security improvements for the site relating to login and authentication, primarily a policy to handle failed logins and bot attacks. Doing so necessitates testing it, so I wrote a script to perform a dictionary attack.
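The failed-login policy mentioned here, and the exponentially increasing per-IP delay proposed in the reply above, as an added example that is not the site's own code: a throttle that doubles the required wait after each consecutive failure from one address, caps it at a maximum, and clears the record on a successful login. The delays, the IP address and the FakeClock used for the simulation are constructed.

```python
import time
from dataclasses import dataclass


@dataclass
class IpState:
    failures: int = 0        # consecutive failed attempts seen from this IP
    not_before: float = 0.0  # earliest clock reading at which the next attempt is accepted


class LoginThrottle:
    """Exponentially increasing minimum interval between attempts, keyed by IP.

    Delay after the n-th consecutive failure is base_delay * 2**(n-1) seconds,
    capped at max_delay. A successful login clears the record for that IP.
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock   # injectable so the logic can be exercised offline
        self.state = {}      # ip -> IpState

    def retry_after(self, ip):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed now."""
        st = self.state.get(ip)
        if st is None:
            return 0.0
        return max(0.0, st.not_before - self.clock())

    def record_failure(self, ip):
        st = self.state.setdefault(ip, IpState())
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = self.clock() + delay
        return delay

    def record_success(self, ip):
        self.state.pop(ip, None)


def attempt_login(throttle, ip, password_ok):
    """One login attempt. Returns (outcome, seconds_to_wait).

    The throttle check runs before the password is verified, so a blocked
    attempt costs the server no hashing work and reveals nothing about the password.
    """
    wait = throttle.retry_after(ip)
    if wait > 0:
        return "throttled", wait
    if password_ok:
        throttle.record_success(ip)
        return "ok", 0.0
    return "rejected", throttle.record_failure(ip)


class FakeClock:
    """Constructed clock so the simulation below is instant and deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_script_attack(attempts=7):
    """Constructed scenario: one address submits wrong passwords back to back,
    pausing only as long as the server demands. Returns the delays imposed."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, max_delay=60.0, clock=clock)
    ip = "198.51.100.7"  # constructed address from the documentation range
    delays = []
    for _ in range(attempts):
        outcome, wait = attempt_login(throttle, ip, password_ok=False)
        assert outcome == "rejected"
        delays.append(wait)
        # an immediate retry is refused without consulting the password store
        assert attempt_login(throttle, ip, password_ok=False)[0] == "throttled"
        clock.now += wait  # the script waits out the penalty, then tries again
    return delays  # 1, 2, 4, 8, 16, 32, then capped at 60
```

Keying purely on the source address lumps everyone behind a shared NAT or proxy into one bucket and can be sidestepped by spreading attempts across many addresses, so in practice the same counter is also kept per account; the two together cover both a single noisy script and a slow, distributed one.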
A dictionary attack is very simple: a program repeatedly tries to log into an account using a list of words, often a dictionary, since words are commonly used as passwords because they are easy to remember.
So what does this have to do with you, a loyal VG Press user? Well, contrary to what you may think, I have no idea what your password is! Every password is hashed (one-way) before being sent to the server, then salted and hashed again for good measure, so all I can see in the database is a garbled mess.
So I set my script loose using a list of the 500 worst passwords, which allegedly covers the passwords of 1 in every 9 users.
But every active VG Press member has a password that is not on the list of the 500 worst. Hoorah!
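The two-stage scheme described above (a one-way hash on the client, then a salt and a second hash on the server) together with the 500-worst-passwords check, as an added example that is not the site's code. The client stage is modelled as SHA-256 and the server stage as PBKDF2-HMAC-SHA256; the site's real scheme, parameters and list are not on the page, and the five-entry blocklist, the accounts and the work factor are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "500 worst passwords" list mentioned in the post;
# the real list is not reproduced here.
WORST_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]

PBKDF2_ROUNDS = 100_000  # assumed work factor; the site's own parameters are not on the page


def client_prehash(password):
    """The 'hashed before being sent to the server' step, modelled as a plain
    SHA-256 of the password. The server only ever receives this value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Because the server never sees plaintext, the blocklist is kept as prehashes
# so it can be compared against what the client actually submits.
BLOCKED_PREHASHES = {client_prehash(p) for p in WORST_PASSWORDS}


def is_blocked(prehash):
    return prehash in BLOCKED_PREHASHES


def server_hash(prehash, salt, rounds):
    """Second, salted hash: what actually lands in the database."""
    return hashlib.pbkdf2_hmac("sha256", prehash.encode("ascii"), salt, rounds)


def make_record(prehash, rounds=PBKDF2_ROUNDS):
    salt = os.urandom(16)  # fresh per-user salt: equal passwords still get different hashes
    return {"salt": salt, "rounds": rounds, "hash": server_hash(prehash, salt, rounds)}


def register(prehash):
    """Refuse blocklisted passwords at signup; otherwise store salt + hash only."""
    if is_blocked(prehash):
        raise ValueError("password is on the common-password blocklist")
    return make_record(prehash)


def verify(record, prehash):
    candidate = server_hash(prehash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def audit(records, blocked_prehashes=BLOCKED_PREHASHES):
    """Offline counterpart of the check the post describes, run against your own
    database rather than the live login form: which accounts hold a blocklisted
    password? Only stored hashes are consulted; no plaintext is recovered."""
    weak = [user for user, rec in records.items()
            if any(verify(rec, p) for p in blocked_prehashes)]
    return sorted(weak)


def demo():
    """Constructed accounts; 'bob' was created before the blocklist existed."""
    records = {
        "alice": make_record(client_prehash("correct horse battery staple")),
        "bob": make_record(client_prehash("letmein")),
    }
    same_pw_a = make_record(client_prehash("x"))["hash"]
    same_pw_b = make_record(client_prehash("x"))["hash"]
    return {
        "alice_logs_in": verify(records["alice"], client_prehash("correct horse battery staple")),
        "wrong_password": verify(records["alice"], client_prehash("Correct horse battery staple")),
        "same_password_same_hash": same_pw_a == same_pw_b,  # False thanks to the salt
        "signup_blocked": is_blocked(client_prehash("qwerty")),
        "weak_accounts": audit(records),
    }
```

The client-side stage keeps the plaintext off the wire and out of server logs, but it is unsalted by design (the server must be able to recognise it), which is exactly why the server adds its own per-user salt before the second hash; the blocklist comparison works on that unsalted prehash, so a poor choice can be refused at signup without the server ever learning the word itself.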
BONUS SECTION
For those interested in the code behind the attack, it was written in Perl. So as not to needlessly hand out a program for doing this to a live site, this isn't the exact program, but it's effectively the same.
---
Tell me to get back to rewriting this site so it's not horrible on mobile