Brute Force Protection

    • Brute Force Protection

      Hello,

      Since this weekend, GameForge has activated brute force protection to avoid account hacks.

      Current facts:

      - 10 logins with a wrong password block the IP for 3 hours.
      - You can log in again when you change the IP (for example, restart your router, log in from your neighbour's ...).
      - Login via Gameforge.com only works if you change the IP, as before.


      Regards, Francolino
      That's what you don't want to give to someone who brute forces.


      Just an example of why you shouldn't show messages for security features.

      Password recovery via email: you show the user "no account registered with this email". Someone who wants to have the mails can now try every mail he likes, and in return he gets exact information on whether the email is valid or not.
      So it'd be better to tell the user "an email has been sent".

      That's nearly the same with the login.
      I'm with marshen.

      For security reasons it's better not to tell the user too much.
      You should not use any visible help which could make brute force attacking easier.

      - Showing the count of wrong logins is not good.
      - Showing which email is registered and which is NOT is also a bad idea.

      Better to say something like:

      The email has been sent; if you don't get an email in the next 30 minutes, try password recovery again.

      Edit: 10 wrong logins and then block the IP for 3 hours?
      In my opinion it's very slack ... maybe it should be 3 wrong logins, then block the IP for 12 hours.
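      The enumeration problem marshen and Eleria describe, as an added example that is not code from the thread or from Gameforge: a recovery handler whose reply depends on whether the address exists, the uniform-reply version next to it, and the enumeration an attacker would run against each. The function names, the user table, the outbox and the candidate list are assumptions made for this illustration.

```python
"""Added example, not code from the thread or from Gameforge: a leaky and a
uniform password-recovery handler, plus the enumeration an attacker runs
against each. Names, the user table and the outbox are assumptions made for
this illustration."""
from collections import Counter
import secrets

USERS = {"alice@example.com", "bob@example.com"}   # constructed user table
OUTBOX = []                                        # stands in for a mail queue

# Constructed guess list an attacker might feed the endpoint.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com",
              "dave@example.com", "eve@example.com"]

UNIFORM_MESSAGE = ("If that address is registered, an email has been sent. "
                   "If you don't get it within 30 minutes, try again.")


def request_reset_leaky(email):
    """The pattern marshen warns about: the reply differs depending on
    whether the address exists, so the endpoint doubles as an oracle."""
    if email not in USERS:
        return "no account registered with this email"
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return "an email has been sent"


def request_reset_uniform(email):
    """Same reply for every address. The token is generated before the
    membership check so both paths do the same work on the request thread;
    actual delivery belongs in a background queue so that it cannot delay
    the response for registered addresses only."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))
    return UNIFORM_MESSAGE


def enumerate_addresses(handler, candidates):
    """Attacker's side: submit every candidate and flag the addresses whose
    reply differs from the common one. Returns the set it concludes are
    registered; empty when the handler gives every address the same reply."""
    replies = {email: handler(email) for email in candidates}
    tally = Counter(replies.values())
    if len(tally) < 2:
        return set()
    common_reply, _ = tally.most_common(1)[0]
    return {email for email, reply in replies.items() if reply != common_reply}


if __name__ == "__main__":
    print("leaky  :", sorted(enumerate_addresses(request_reset_leaky, CANDIDATES)))
    print("uniform:", sorted(enumerate_addresses(request_reset_uniform, CANDIDATES)))
```

      The same rule applies to the registration form ("this email is already taken") and to the login error: if any one of them distinguishes known from unknown addresses, the others being uniform gains nothing.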
      I do not see the sense of this: if somebody tries hard to make a brute
      force attack, it is no trouble to change the IP beforehand as well, e.g. automatic random proxy usage. Quite the contrary, a large number of proxy IPs would be banned if somebody did this, and even more users (using this proxy without meaning ill) would be banned too. It would be more effective to place a Captcha after the first failed login.
    • Eleria wrote:

      Uhhhh, captcha after the first fail is a very good idea !!!!!

      The problem with captchas is:
      a captcha that a computer can't guess is one that has no solution;
      a captcha that a human can guess is also guessable with a more or less simple algorithm.

      A programmer who wants to get past a captcha will get through.

      So the million dollar question is:

      Do you want to annoy users with easy captchas which are easily hackable, or do you want to annoy users with strong captchas that even the users can't get right each time, or do you use no captchas because they don't help at all?


      PS: IP blocks are better than captchas to stop brute force. I don't think that both are necessary.
    • Eleria wrote:

      I'm with marshen.

      For security reasons it's better not to tell the user too much.
      You should not use any visible help which could make brute force attacking easier.

      - Showing the count of wrong logins is not good.
      - Showing which email is registered and which is NOT is also a bad idea.

      Better to say something like:

      The email has been sent; if you don't get an email in the next 30 minutes, try password recovery again.

      Edit: 10 wrong logins and then block the IP for 3 hours?
      In my opinion it's very slack ... maybe it should be 3 wrong logins, then block the IP for 12 hours.

      Well, I will agree on 3 wrong logins; giving more login attempts means at least more chances. 3 is just fine since it's your account: one, I can't remember; two, maybe this; three, ah, I got it. And the 12 hours, yes, for brute force 12 hours is a nice block; if you put 3 hours, in 3/6 hours he will try it.... if the account makes the effort.

      And instead of BLOCKING THE IP that solved the attack, it's better to block the account, but at that level maybe you should change the 12 hours to 6 hours; it's more accurate when you talk about IP changing or proxy changing. Even so, having a blacklist of proxies would not be as bad as thought, and insert the IP that made the attack automatically into the blacklist, I guess. But who am I to talk about anything about safety.... Dunno, just a thought.
      Blocking an account is no option ... because, for example: I try to log into your account, then your account will be blocked ... and you get killed or farmed or something else because you are not able to defend yourself in-game.

      And setting the account to vacation mode is also no option, because everyone can put your account into vacation every time you get free if someone still tries to log into your account --> so playing is not possible anymore.
      You're right, Eleria.
      I think it's OK as it is now.

      As long as passwords aren't saved in plain text in the database and then sent to you as unencrypted mail (like one of the biggest German browser game developers does), everything is fine. And I don't remember OGame sending me my password in plaintext ;)
      Yeah, and how many registered users do you lose through such an annoying captcha?

      BTW, without an IP block or with many proxies a computer can get all the right combinations as well (or there have to be MANY different pictures, but who is faster: the guy who adds the pictures or the computer?).

      So there is no GOOD captcha.

      Captchas are somewhat of a paradox.
      A good captcha stops a computer from getting through.
      A captcha that does this annoys the user.
      A captcha that annoys the user isn't a good captcha.
      My argument is against the IP blocking. Those ISPs who use NAT to get more users than they otherwise would would cause large portions of users to be banned because one of them got a password wrong too many times.
      Also, people playing from a network of some sort would all suffer if one user messed up too many times.
      How does the system work if there are multiple invalid login attempts from different users on the same network? Technically they would come from the same IP, even though they are different people and different users. Once they hit ten wrong attempts, will all of them be blocked?
      What would happen to those users that are successfully logged in at that point? Would they be kicked out?
      And the IP block is almost as bad as account blocking, since innocent users will still be likely to be hit in their absence due to someone making too many mistakes.
      I think a user ban would be more appropriate, but implement a system where the user's account is made unhittable (like a vacation mode for a normal temp ban, except without the stopped mines).

      Skeksys

      (Currently blocked after one attempt at my password)
    • iguypouf wrote:

      The IP is not allowed to log IN THE SPECIFIC ACCOUNT that received bad attempts. The IP is not banned for all other accounts.
      Very true ^^ The new protection should only help people. As long as you know your password and don't mistype it you should never have any problems with this.


      Hunter
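      The three lockout policies argued over in this thread (block the IP, block the account, or block the IP only for the specific account, as iguypouf describes), as an added example that is not code from the thread or from Gameforge: a small failed-login guard with a selectable key, run against a constructed scenario that exercises Skeksys' shared-NAT concern, Eleria's point that an account lock lets anyone lock you out, and the IP-change workaround from the first post. The class, its parameters and the sample traffic are assumptions made for this illustration; the 10-attempt / 3-hour numbers are the ones the first post reports.

```python
"""Added example, not code from the thread or from Gameforge: a failed-login
guard whose lockout key is either the IP, the account, or the (IP, account)
pair, plus a constructed scenario comparing the three. LoginGuard and its
parameters are assumptions made for this illustration."""
from collections import defaultdict

THRESHOLD = 10              # failures before a block (value reported in the thread)
BLOCK_SECONDS = 3 * 3600    # block length (value reported in the thread)


class LoginGuard:
    def __init__(self, key_by="ip+account", threshold=THRESHOLD,
                 block_seconds=BLOCK_SECONDS):
        self.key_by = key_by
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> time at which the block expires

    def _key(self, ip, account):
        if self.key_by == "ip":
            return ip
        if self.key_by == "account":
            return account
        return (ip, account)

    def is_blocked(self, ip, account, now):
        until = self.blocked_until.get(self._key(ip, account))
        return until is not None and now < until

    def attempt(self, ip, account, password_ok, now):
        """Record one login attempt; returns 'blocked', 'ok' or 'fail'.
        A correct password does not bypass an active block."""
        key = self._key(ip, account)
        if self.is_blocked(ip, account, now):
            return "blocked"
        if password_ok:
            self.failures.pop(key, None)      # success clears the counter
            return "ok"
        window_start = now - self.block_seconds
        recent = [t for t in self.failures[key] if t > window_start] + [now]
        self.failures[key] = recent
        if len(recent) >= self.threshold:
            self.blocked_until[key] = now + self.block_seconds
            self.failures.pop(key, None)
        return "fail"


def simulate(key_by):
    """Constructed scenario: an attacker at 203.0.113.5 (a NAT address shared
    with an innocent neighbour) fails THRESHOLD times against 'victim', then
    several parties try to log in. Returns each party's outcome."""
    guard = LoginGuard(key_by=key_by)
    t = 1_000_000
    attacker_ip = "203.0.113.5"
    for i in range(THRESHOLD):
        guard.attempt(attacker_ip, "victim", False, t + i)
    t += THRESHOLD
    return {
        # attacker keeps going from the same IP
        "attacker_retry": guard.attempt(attacker_ip, "victim", False, t),
        # the real owner, from home, with the right password
        "victim_own_ip": guard.attempt("198.51.100.7", "victim", True, t),
        # an unrelated user behind the same NAT, right password, own account
        "neighbour_same_nat": guard.attempt(attacker_ip, "neighbour", True, t),
        # attacker switches to a second IP (restart the router, use a proxy)
        "attacker_new_ip": guard.attempt("203.0.113.6", "victim", False, t),
        # attacker returns on the original IP once the block has expired
        "attacker_after_window": guard.attempt(attacker_ip, "victim", False,
                                               t + BLOCK_SECONDS + 1),
    }


if __name__ == "__main__":
    for mode in ("ip", "account", "ip+account"):
        print(mode, simulate(mode))
```

      Keying on the IP alone blocks the neighbour behind the same NAT; keying on the account alone blocks the owner, which is the lockout-as-weapon problem Eleria raises; keying on the pair avoids both, at the cost that an attacker with a pool of addresses gets a fresh THRESHOLD attempts per address, as several posters note. None of the three stops that last case; it is the reason to also rate-limit per account across all IPs (with a slowdown rather than a hard lock) and to require strong passwords.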