Brute Force Protection

Francolino · Sep 27th 2011, 8:07pm

Hello,

Since this weekend the GameForge activated a brute force protection to avoid account hacks.

Current facts :

- 10 logins with wrong password blocks the IP for 3 hours.
- You can login again when you change the IP (for example restart your router, login from your neighbour ... )
- Login via Gameforge.com works only you change the IP as before.

Regards, Francolino

Guras · Sep 27th 2011, 9:34pm

Hello
One sugestion from me
Can you ad a meter for unautorized tries of logon?
This would surly make players afraid when they see lots of this tries
Regards
Guras

marshen · Sep 28th 2011, 12:13am

thats what you dont want to give to someone who brute forces.

just an example why you shouldn't show messages for security features.

password recovery via email. you show the user "no account registered with this email". someone who wants to have the mails can now try every mail he likes and in return he gets exact information if the email is valid or not.
so it'll be better to tell the user "an email has been send".

thats nearly the same with the login.

Eleria · Sep 28th 2011, 8:08am

i'm with marshen

for security reasons it's better not to tell too much to the user
you should not use any visible help which could make brute force attacking easier.

- showing the count of wrong logins is not good
- showing which email is registered and which NOT is also a bad idea

better you say something like:

the email has been send, if you don't get an email in the next 30 minutes try password recovery again.

edit: 10 wrong logins and than block ip for 3 hours?
in my opinion it's very slack ... maybe it should be 3 wrong logins block ip for 12 hours

iguypouf · Sep 28th 2011, 1:11pm

Nothing to say excepts... Only now ?

Guras · Sep 28th 2011, 1:53pm

Well i ment that this meter show bad logins after we login to our acc
And i agree 10 logins with wrong password should be set max to 5

5vor12 · Sep 28th 2011, 5:23pm

I do not see the sense of this, if somebody tried hard to make a brute
force attack, it doesn't matter to change the IP before too, e.g. automatical random proxy usage. Quite in contrary, a large number of proxy IPs would be banned if somebody do this and even more users (using this proxy without meaning ill) are banned too. It would be more effective to place a Captcha after first faild login.

Eleria · Sep 28th 2011, 7:41pm

uhhhh captcha after first fail is a very good idea !!!!!

marshen · Sep 28th 2011, 8:20pm

Eleria wrote:

uhhhh captcha after first fail is a very good idea !!!!!

the problem about captchas is:
a capture that a computer cant guess is one that has no solution
a capture that a human can guess is also guessable with a more or less simple algorithm.

a programmer who wants to get past a captcha will come through.

so the one million dollar question is:

do you want to annoy users with easy captchas which are easily hackable or do you want to annoy users with strong captchas that even the users can't guess right each time or do you use no captchas because it doesn't help at all?

ps: ip blocks are better than captchas to stop brute force. i don't think that both is necessary.

RedFox · Sep 28th 2011, 9:35pm

Eleria wrote:

i'm with marshen

for security reasons it's better not to tell too much to the user
you should not use any visible help which could make brute force attacking easier.

- showing the count of wrong logins is not good
- showing which email is registered and which NOT is also a bad idea

better you say something like:

the email has been send, if you don't get an email in the next 30 minutes try password recovery again.

edit: 10 wrong logins and than block ip for 3 hours?
in my opinion it's very slack ... maybe it should be 3 wrong logins block ip for 12 hours

well i will agree on 3 wrong logins giving more logins attemps means at least more changes, 3 is just fine since its your acount , one i cant remember , 2 maybe this 3 a i got it , and the 12 hour yes for brut force 12 hours is nice block if you put 3 hours , in 3/6 hours he will try it.... if the acount makes the effort

and instead BLOCKING THE IP that solved the attack its better to block the account, but at that level maybe you should pass instead the 12 hours to 6 hours, its more acurate wen you talk about ip changing or proxy changing , even so having a blacklist of proxys would not be has baddly has though and insert the ip that made the atack automactly in blacklist .i guess but u is hi to talk anything about safety .... dono just a tough.

Eleria · Sep 28th 2011, 10:29pm

blocking an account is no option ... because, for example: i try to login into your account, than your account will be blocked ... and you get killed or farmed or something else because you are not able to defend yourself ingame

and setting the account in vacation mode is also no option because, everyone can put your account everytime you get free into vacation if someone still try to login into your account --> so playing is not possible anymore

marshen · Sep 29th 2011, 11:10am

ure right eleria.
i think it's ok as it is now.

as long as passwords arent saved plain text in the database and then send as unencrypted mail to you (like one of the biggest german browsergames developer does) everything is fine. and i dont remember ogame sending me my password plaintext

5vor12 · Sep 29th 2011, 8:05pm

marshen wrote:

a capture that a human can guess is also guessable with a more or less simple algorithm.

Oh I don't think so, have a look at ASIRRA

marshen · Sep 29th 2011, 8:28pm

yeah and how many registered users do you loose through such an annoying captcha?

btw w/o ip block or with many proxies a computer can get all right combinations as well (or there have to be MANY different pictures but who is faster: the guy who adds the pictures or the computer?)

so there is no GOOD captcha.

captchas are somewhat a paradox.
a good captcha stops a computer to get through.
a captcha that does this annoys a user.
a captcha that annoys the user isn't a good captcha.

5vor12 · Sep 29th 2011, 8:38pm

How often a normal user enters the wrong password? Where is the problem to do in such exception something annoying?

marshen · Sep 29th 2011, 10:18pm

5vor12 wrote:

How often a normal user enters the wrong password? Where is the problem to do in such exception something annoying?

maybe there is none but it doesn't help.

spa856 · Sep 30th 2011, 9:09pm

Nice idea.

Skeksys · Nov 1st 2011, 8:35am

My argument is against the IP blocking. Those ISPs who use NAT to get more users than they otherwise would would cause large portions of users to be banned because one of them got a password wrong too many times.
Also people playing from a network of some sort would all suffer if one user messed up too many times.
How does the system work if there are multiple invalid login attempts from different users on the same network? Technically they would come from the same IP, even though they are different people and different users. Once they hit ten wrong attempts, will all of them be blocked?
What would happen to those users that are successfully logged in at that point? Would they be kicked out?
And the IP block is almost as bad as account blocking since still innocent users will be likely to be hit in their absence due to someone making too many mistakes.
I think a user ban would be more appropriate but implement a system where the user's account is made unhittable (like a vacation mode for a normal temp ban, except without the stopped mines).

Skeksys

(Currently blocked after one attempt at my password)

iguypouf · Nov 2nd 2011, 4:13pm

The IP is not allowed to log IN THE SPECIFIC ACCOUNT that received bad attempts. The IP is not banned for all other accounts.

Hunter0293 · Nov 4th 2011, 1:48am

iguypouf wrote:

The IP is not allowed to log IN THE SPECIFIC ACCOUNT that received bad attempts. The IP is not banned for all other accounts.

Very true The new protection should only help people. As long as you know your password and don't mistype it you should never have any problems with this.

Hunter

Share