Bruteforce accounts?


#1

Hi there, I just watched [MaidSafe Authentication and API Specification](https://www.youtube.com/watch?v=HGm8fX88oMU) by @dallyshalla
Some lines in the code say: "Sorry, account with given credentials already exists"
So, if I’m an evil hacker and have a table of say, 2 million logins from hacked websites. I’m just gonna create an engine which tries to create new accounts on Maidsafe. If I get a reply like this back, I know I have found a username/pin combination. Next step is to bruteforce that login with a table of passwords. Finally after a lot of tries maybe I find a password and there you go, I hacked into a Maidsafe account.

Or is the system protected from this sort of attack? A lot of people will probably use the same login name as for Google or Yahoo.


#2

Are you talking about the test you are running?


#3

You will not get a reply like this on creating accounts, this is beta test info. If you do try lots of logins to accounts you will always get what looks like a valid login id to brute force. If you do not have the correct name/pin it will be a false packet with no decrypted counterpart.

If people try using really really simple keywords, password and pin (say 1 for everything) then they will get hacked for sure though.


#4

No, I watched the video linked above. I learned that for every login users always will get a package back. Even if the username and PIN don’t link to a valid address, the network will create a “Dummy” so hackers don’t know if they have a real login or a Dummy. That’s great protection. But the lines I talk about above are in the code shown in the video. So to me it seems that the network will reply if someone tries to create an account with a user/PIN already chosen.


#5

Aha, I get it. It will be out of the 1.0 version. That’s good news. See, I’m not a C++ coder but I will keep my eyes open :wink:


#6

Yes if the system did do that and report back “user exists” then it would be problematic. This is done via your account managers so trying to create multiple accounts is not easy, you need to disconnect and start again or get caught by the managers. It is pretty easy to spot that kind of behaviour in the system, so we are OK in that regard.
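The two behaviours discussed in posts #1, #3 and #6, side by side, as an added example (this is illustrative Python, not MaidSafe or Lifestuff code): a store whose creation reply reveals whether a keyword/PIN slot is taken, and a store that answers every creation and lookup in the same shape, hands back a random dummy packet for unknown credentials, and counts attempts per connection so a loop of creations or lookups stands out. The SHA-256 location derivation, the HMAC "sealed packet", the 32-byte packet size and the attempt threshold are all constructed assumptions standing in for the real network's scheme.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PACKET_LEN = 32      # constructed: every login packet, real or dummy, is 32 bytes
MAX_ATTEMPTS = 5     # constructed: attempts one connection may make before it is flagged


def location_id(keyword: str, pin: str) -> bytes:
    """Map keyword+PIN to a storage location (assumed: SHA-256 stands in for the real KDF)."""
    return hashlib.sha256(f"{keyword}\x00{pin}".encode()).digest()


def seal(password: str) -> bytes:
    """Build the login packet a client stores (assumed: an HMAC tag only the password reproduces)."""
    return hmac.new(password.encode(), b"login-packet", "sha256").digest()


def opens(packet: bytes, password: str) -> bool:
    """A packet has a 'decrypted counterpart' only when the password reproduces it."""
    return hmac.compare_digest(packet, seal(password))


class LeakyStore:
    """The behaviour the video's string suggests: creation says whether the slot is taken."""

    def __init__(self) -> None:
        self.packets: dict[bytes, bytes] = {}

    def create(self, keyword: str, pin: str, password: str) -> str:
        loc = location_id(keyword, pin)
        if loc in self.packets:
            return "Sorry, account with given credentials already exists"
        self.packets[loc] = seal(password)
        return "ok"


class UniformStore:
    """Every answer has the same shape, and per-connection attempts are counted so a
    creation or lookup loop is easy to spot (the account-manager check from post #6)."""

    def __init__(self) -> None:
        self.packets: dict[bytes, bytes] = {}
        self.attempts: dict[str, int] = defaultdict(int)
        self.flagged: set[str] = set()

    def _note_attempt(self, connection: str) -> None:
        self.attempts[connection] += 1
        if self.attempts[connection] > MAX_ATTEMPTS:
            self.flagged.add(connection)

    def create(self, connection: str, keyword: str, pin: str, password: str) -> str:
        """Store the packet only if the slot is free; the reply is identical either way."""
        self._note_attempt(connection)
        self.packets.setdefault(location_id(keyword, pin), seal(password))
        return "request accepted"

    def fetch(self, connection: str, keyword: str, pin: str) -> bytes:
        """Return the stored packet, or a fresh random dummy of the same length."""
        self._note_attempt(connection)
        packet = self.packets.get(location_id(keyword, pin))
        return packet if packet is not None else os.urandom(PACKET_LEN)


def demo() -> dict:
    """Run both stores against the same constructed credentials and report what a caller sees."""
    leaky = LeakyStore()
    leaky.create("alice", "1234", "hunter2")
    uniform = UniformStore()
    uniform.create("conn-A", "alice", "1234", "hunter2")
    real = uniform.fetch("conn-A", "alice", "1234")
    dummy = uniform.fetch("conn-A", "nobody", "0000")
    return {
        "leaky_second_create": leaky.create("alice", "1234", "other"),
        "uniform_second_create": uniform.create("conn-A", "alice", "1234", "other"),
        "same_shape": len(real) == len(dummy) == PACKET_LEN,
        "real_opens": opens(real, "hunter2"),
        "dummy_opens": opens(dummy, "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `UniformStore.fetch` is that the caller cannot tell a dummy from a real packet by inspecting it; only the password decides whether it opens, so the keyword/PIN pair alone never confirms an account. The attempt counter is the cheap complement: it does not change any reply, it just makes the repetition visible to whoever manages the connection.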


#7

Is it not better to prevent this through minimum requirements? No dictionary words, 10 letters&numbers and special characters.

I personally like SQRL as login scheme, because a hacker can’t bruteforce it. If you type in a wrong password, you can get a timeout of something like 10 minutes before you can try again. But like @happybeing said a while ago, maybe we’ll just have different login methods, which would be great.


#8

Oh right make it complicated and make people HATE the system. No. Do not dictate to me what my username, pin or password can be. Systems like that are aggravating as all hell. I do not want to sit there for 15 minutes or half an hour trying different character combinations just to forget it later and lose access to my data.

I’ve used systems that require you to have a ton of requirements. “It must have special characters.” “This cannot be a dictionary word.” “This needs a number.” “This needs this, this needs that.” I understand it from a cryptographic sense but from a practical sense it can just be aggravating.


#9

@Blindsite2k I fully agree with you that that would make it complicated. But is having a username, pin and password not already complicated? To my knowledge there are 3 super simple ways to login soon.

BitID

SQRL

Twitter's Digits

But even these three login methods have their own problems. Because if you can only login with a QR code, through BitID and SQRL you can’t use a featurephone, although it would be neat if you could receive a QR code through SMS. SQRL also has a masterkey, it would be nice if you could give family&friends a backup piece of your key. Digits is from a centralized company, I don’t know if it’s opensource… Then again there is this funny thing with cellphone providers.

I’m actually hoping for an opensource Nymi solution, so that your biometric is not kept by some kind of company that can be bought up anytime, by a gov when they got enough biometric data. Imagine being able to attach such a device to the Maidsafe network. What would be fun is if you lost your device, you could still use a family or friend's device to login, but the problem with a Nymi is not everybody would be able to afford it.


#10

So your solution to complicated login credentials is expensive tech? Riiiiight. Oh I have to remember more login credentials OR I have to pay $80 for a new smartphone or a couple hundred for a new tablet. Yay that’s really convenient. Not everyone owns a cellphone or tablet man.


#11

In terms of the passwords etc. I think we need to let people have really weak passwords if that is what they choose to accept. Just as people can lock their door or leave it open then it is up to them. If we ever could get a really smart way (safe biometrics etc.) then we can have this as options. I do think trezor type devices should be made available (I would probably do that), but not made required as many cannot afford them.

The cheap way is to require something people know (password) and when people want security then they know not to select an easy one. We go a bit further by requiring 2 keywords and a pin, but I feel that is far enough as any more is too hard to remember.

The other thing we can look at after launch is the network being able to deal with theft in terms of account recovery etc. It’s a different problem from an autonomous network though. I think the network first will be amazing and enough of a difference, without having to solve the password problem too. Every system has this issue, we can possibly improve as we are autonomous and private.

First things first :wink:


#12

Just a thought here but what about an alternative to a pin and password? What about an actual pass phrase, like a sentence or something? Or perhaps a musical phrase that could be converted into a PIN? There are lots of ways to remember codes not just letters and numbers.


#13

Yes this is a possibility and preferred by some of the devs too. I think both schemes are possible to implement at the API and have the same effect in the code underneath. If people are confident in a non English or any language phrase then great, they should be allowed.


#14

I’m sure the team are aware of the dangers of “sentences” - look up brain wallets and bitcoin stealing bots.

Isn’t it just a matter of naming anyway? What I type into the password/passphrase field will be up to me I hope?

I think people should be encouraged to use a recommended set of measures (fairly well known) to construct their passphrase / password. I think a good way is to have a recommended minimum (length, mixed case, alphanumeric, special chars etc), and a “progress bar” guide to strength, which flips from red to amber to green when people have something deemed strong enough.


#15

What might be interesting is combining characters from different languages or alphabets. Say ancient runes, celtic runes, Japanese kanji or kanas, Chinese characters, whatever, and combine that with a passphrase. You could integrate all that with say an easy click character map one selects and clicks with the mouse. Whether the user understands the characters or not doesn’t matter so long as they remember them and it would make for more interesting passwords and passphrases.


#16

Mozilla and others are out to create cheap phones.

I used to use this website:

To combine characters for passwords. The problem is not all apps/websites allow characters from different languages and you have to remember the order of the languages. IMHO these are the most secure passwords. As long as there are keyloggers, passphrases are not a good idea.


#17

Yes but don’t websites/apps on the SAFE network rely on your SAFE credentials? So the only logging in you’d do would be logging into the network. Of course you might have different logins with centralized services on the legacy internet but that’s a different set of credentials anyway.


#18

I don’t know if the current version of the Safe network supports different language characters. Also new devs of the Safe network might have their own login scheme, which they might unknowingly setup without allowing different language characters.

Maybe it’s time to allow all different language characters instead of only “Anglo-Saxon”

Hmmmm I forgot to mention this bit, nowadays I just use Grc.com’s perfect password to generate a password. It would be nice if different language character would be added to this great password generator.
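An added example (illustrative Python, not the forum's or MaidSafe's code) that puts together two threads of the discussion: the red/amber/green strength guide with a recommended minimum from post #14, including a check against a constructed stand-in for the phrase lists that brain-wallet stealing bots work from, and the question in posts #15 to #18 of whether non-Latin characters count, which it answers by treating every non-ASCII script (CJK, runic, Cyrillic and so on) as its own character class. The length threshold, the per-class alphabet sizes, the bit cut-offs and the deny-list are assumptions chosen for the example.

```python
import math
import unicodedata

MIN_LENGTH = 10          # assumed recommended minimum length
MIN_CLASSES = 3          # assumed: classes needed before 'green' is reachable
ALPHABET = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
OTHER_SCRIPT_SIZE = 50   # assumed working alphabet size for any non-Latin script

# Constructed stand-in for the huge phrase lists brain-wallet stealing bots use.
COMMON_PHRASES = {
    "password", "letmein", "correct horse battery staple", "to be or not to be",
}


def char_classes(pw: str) -> set[str]:
    """Classes present in pw; each non-ASCII script (CJK, runic, Cyrillic, ...) is its own class."""
    classes: set[str] = set()
    for ch in pw:
        if ch.isascii():
            if ch.islower():
                classes.add("lower")
            elif ch.isupper():
                classes.add("upper")
            elif ch.isdigit():
                classes.add("digit")
            elif not ch.isspace():
                classes.add("special")
        else:
            # The first word of the Unicode name is the script, e.g. "CYRILLIC", "CJK", "RUNIC".
            classes.add("script:" + unicodedata.name(ch, "UNKNOWN").split()[0])
    return classes


def estimated_bits(pw: str, classes: set[str]) -> float:
    """Length times log2 of the combined alphabet size: a rough guess, not a proof of strength."""
    alphabet = sum(ALPHABET.get(c, OTHER_SCRIPT_SIZE) for c in classes)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def strength(pw: str) -> tuple[str, int]:
    """Return ('red' | 'amber' | 'green', estimated bits) for the progress-bar guide."""
    normalised = " ".join(pw.lower().split())
    classes = char_classes(pw)
    bits = estimated_bits(pw, classes)
    # Red: a known phrase, below the recommended minimum, or too little estimated entropy.
    if normalised in COMMON_PHRASES or len(pw) < MIN_LENGTH or bits < 40:
        return "red", round(bits)
    # Amber: long enough, but too few classes or still under the comfortable bit count.
    if len(classes) < MIN_CLASSES or bits < 64:
        return "amber", round(bits)
    return "green", round(bits)


if __name__ == "__main__":
    for sample in ("password", "To Be Or Not To Be", "abcdefghijkl",
                   "東京の猫は屋根の上で寝ている", "Катя-likes_犬2024"):
        print(sample, "->", strength(sample))
```

The deny-list check runs on a normalised copy of the input (lower-cased, whitespace collapsed) so that capitalising a famous sentence does not turn it green, which is exactly the trap post #14 warns about. Mixed scripts earn extra classes because an attacker's dictionary has to cover each one, but length still dominates the estimate, so a short string in runes is red just like a short one in Latin letters.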


#19

Actually, I’m pretty sure it's the Latin alphabet which we use in English.