With this Lifestuff example you have to log out, but I wonder if there is also a safety mechanism that logs you out after a certain time period, like 10 minutes (banks have this safety feature)? I can imagine people going to a public place or a friend's house and logging in, and forgetting to log out.
Login: In the past David said that when you log in with the wrong creds you'll be guided to a bogus account, but what if someone tries a brute-force attack on the login? Is there something like a time-out mechanism to stop a brute-force attack? If so, will the user be able to set a timeframe like: if I log in with the wrong password or somebody tries to brute-force my account, let them have 1 login try per 30 minutes. This way it becomes time consuming to try to hack someone (BTW this is not my bright idea, but it's how SQRL works).
If you want to brute-force passwords you need both username and PIN. That way the right personal file is requested out of the network. If you mistype (or don't know) the username and PIN you end up with a different "personal file", actually a dummy with nothing in it. So good luck brute-forcing that.
An account means you'll have a "personal file" with all your encryption keys and the data atlas to your personal files. To "log on" to the network you'll provide a username, PIN and password. The username and PIN are used to derive a hash, and that hash is the address of your personal file in the network. So when you "log on" to the network, your personal chunk will come your way and is decrypted locally with your password. This password will never leave your computer.
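The scheme described above, as an added toy model to make the reasoning concrete (this is illustrative code, not MaidSafe's; the hash, the KDF parameters, the chunk layout and the way dummy chunks are generated are all assumptions made for the example). The point it demonstrates is the defensive property the thread relies on: every address answers with a fixed-size chunk, a wrong username or PIN yields a dummy, and the client cannot tell "wrong username/PIN" from "wrong password" without a successful decryption, which happens only on the client.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the login flow described in the thread (not MaidSafe code).
KDF_ROUNDS = 100_000  # assumption: the real KDF and its parameters are not given on the page


def personal_file_address(username: str, pin: str) -> bytes:
    """Username and PIN together name the chunk; only this hash is sent to the network."""
    return hashlib.sha256(f"{username}\x00{pin}".encode()).digest()


def password_key(password: str, salt: bytes) -> bytes:
    """Client-side key derivation; the password itself never leaves the machine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, for illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || 32-byte HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class ToyNetwork:
    """Stores encrypted personal files by address; every address answers with a chunk."""

    CHUNK_LEN = 256           # fixed size, so real and dummy chunks look alike on the wire
    SALT_LEN, TAG_LEN = 16, 32
    BODY_LEN = CHUNK_LEN - SALT_LEN - TAG_LEN

    def __init__(self):
        self._chunks = {}
        self._dummy_seed = secrets.token_bytes(32)  # network-side secret for dummy chunks

    def create_account(self, username: str, pin: str, password: str, personal_file: bytes):
        if len(personal_file) > self.BODY_LEN - 2:
            raise ValueError("personal file too large for one toy chunk")
        salt = secrets.token_bytes(self.SALT_LEN)
        # 2-byte length prefix, then zero padding to a constant body size
        body = len(personal_file).to_bytes(2, "big") + personal_file
        body = body.ljust(self.BODY_LEN, b"\x00")
        self._chunks[personal_file_address(username, pin)] = salt + seal(password_key(password, salt), body)

    def fetch(self, address: bytes) -> bytes:
        if address in self._chunks:
            return self._chunks[address]
        # Unknown address: a stable, random-looking dummy of exactly the same size.
        dummy_key = hmac.new(self._dummy_seed, address, "sha256").digest()
        return _keystream(dummy_key, self.CHUNK_LEN)


def login(network: ToyNetwork, username: str, pin: str, password: str):
    """Client side: fetch the chunk named by username+PIN and decrypt it locally.

    Returns the personal file on success, or None. A wrong PIN/username (dummy chunk)
    and a wrong password both fail in exactly the same way: the tag does not verify.
    """
    blob = network.fetch(personal_file_address(username, pin))
    salt, sealed = blob[:ToyNetwork.SALT_LEN], blob[ToyNetwork.SALT_LEN:]
    body = open_sealed(password_key(password, salt), sealed)
    if body is None:
        return None
    n = int.from_bytes(body[:2], "big")
    return body[2:2 + n]


if __name__ == "__main__":
    net = ToyNetwork()
    net.create_account("allbananasareyellow##", "5736", "correct horse battery", b"keys + data atlas")
    print(login(net, "allbananasareyellow##", "5736", "correct horse battery"))  # b'keys + data atlas'
    print(login(net, "allbananasareyellow##", "5737", "correct horse battery"))  # None (dummy chunk)
    print(login(net, "allbananasareyellow##", "5736", "wrong password"))         # None (real chunk)
```

Two design choices carry the security argument: the dummy is derived deterministically from the requested address with a network-side secret, so repeated fetches of a wrong address are consistent and cannot be told apart from a real chunk by size or by "did it change"; and the only verifier of success is the MAC check under the password-derived key, which runs on the client. That is also why the thread's advice lands on the password: the username and a short PIN only decide which chunk you are handed, while the password is what stands between an attacker who does hold the right chunk and its contents.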
I really wonder about the implications, because if an attacker could do something like this:
Username: Polpolrene, PIN: 1000 PIN codes per second with a program.
Who knows, they might eventually catch something. My uneducated idea about the PIN is that most people will have a 4-digit PIN, because that's what we have grown used to (at least with banking).
Imagine if a program can fire 60,000 PIN codes per minute at a username. What if an attacker had another feature to check the 60,000 Polpolrene accounts the brute-force program opened, to see whether there is anything valuable in them? If the program doesn't find anything in the first 60K accounts it just moves on to the next 60K. Within a week it could have gone over millions of Polpolrene accounts.
What I'm trying to say is, will there be a time that the SAFE Network says "Dude, you have logged into 86.4 million Polpolrene accounts already, try again in (time indicated by user), thank you"?
The username I use on SAFE doesn't have to be my log-in. So I reply on a forum on SAFE using polpolrene, but I logged in using something like "allbananasareyellow##" with PIN: 5736. So if you want to brute-force my account you have to guess my username and PIN both at the same time to get my personal file out of the network. And guess what?? I won't share my username with anyone. Although people might see me on the network as polpolrene, I logged on using the banana thing. And you (or a bot) don't have a clue whether you got it right. So even if I told you that my username was something with bananas and yellow, your bot would just try random combinations, and each time it gets a dummy when it's wrong. So the next step is to brute-force my password without knowing whether the username and PIN are right.
I wondered before, asked some of the questions. David replied…
Unless you actually know a username and pin, you are not going to be able to brute force by any meaningful standard. Only then do you stand a chance, and then it comes down to the usual “how hard is it to guess” issue, so not easy unless the user used a simple password.
If you don't know the username and pin, it's really hard, because you have to try brute-forcing the password without knowing if you have hit an account. The only way you'll know you hit a real account is after you have successfully guessed the password. That means you are having to brute-force each possible combination until you think you might have tried enough passwords. You give up and move to the next, but you won't even know that you haven't already tried the correct username and pin, but just gave up too soon.
So protect your username and pin, and use a half decent password, just this once.
Hmmmm, yes, now I remember that this question was asked before.
I'm thinking about attackers using brute-force programs, or even the SAFE Network itself, to run their "evil brute-force app" on.
[quote="happybeing, post:5, topic:5924"]
So protect your username and pin, and use a half decent password, just this once
[/quote]
Madly enough, I usually use GRC | Ultra High Security Password Generator to get a new password. Unfortunately not everybody will do that.
I understand this, and that’s what I was answering. Your point here suggests you haven’t understood what I said. Happy to clarify if you want to explain what you think I’m saying that doesn’t take account of someone using a brute force attack without knowing both username and pin.
Certainly I think it's a good idea for account registration apps to have some limits or hints to encourage decent usernames and pins. I think that was planned from early on. I think even a very relaxed process would catch this '1'