1 hour ago, emanuel said:

It's about client side, bro; I wanna know if it's possible to stop brute force on login client side.

https://en.wikipedia.org/wiki/Salt_(cryptography)

Reading/googling before commenting can do wonders, mate :)

 

Basically, having a hash generator on both the client and server side with symmetric encryption methods can significantly minimize the chance of a successful bruteforce.

For example, in the client you'll have the salt encrypt method; it will convert the login data into a one-way hash,

and the server will check if the hashed data is equivalent to the database data.

Server-side check, example:

if (clientLoginHashedData != encrypt(databaseLoginData))
{
    return false;
}

 

If you're interested I can code such a system for you (not free).

Good luck.


5 hours ago, metin2-factory said:

https://en.wikipedia.org/wiki/Salt_(cryptography)

Reading/googling before commenting can do wonders, mate :)

 

Basically, having a hash generator on both the client and server side with symmetric encryption methods can significantly minimize the chance of a successful bruteforce.

For example, in the client you'll have the salt encrypt method; it will convert the login data into a one-way hash,

and the server will check if the hashed data is equivalent to the database data.

Server-side check, example:

if (clientLoginHashedData != encrypt(databaseLoginData))
{
    return false;
}

 

If you're interested I can code such a system for you (not free).

Good luck.

I know, not free, but can you prove your method blocks brute force?


It doesn't block brute-force, it makes the brute-force attempts useless because the password storage method is different.

Yet, they can unpack your client, view the salt (I'm assuming it is the same for all accounts) and adapt their brute-force.

You should make a unique salt for each account, and use it to make a hash (new versions of SHA are nice).

You can also do it like you said, but it shouldn't be your first line of defense; blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example.

You can also implement 2-step auth on your server; check Google Authenticator.

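A server-side sketch of the two measures in the post above (a random salt per account with a hashed password, and the "5 wrong attempts in the last 5 minutes blocks the source for 30 minutes" rule). This is added example code, not anything from the thread or from a game server; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted SHA-2 hash with a work factor, and the "ip|hwid" key, the account name and the round count are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Policy quoted in the thread: 5 wrong attempts within the last 5 minutes
# block that source (an "ip|hwid" string built by the caller) for 30 minutes.
MAX_FAILURES, FAILURE_WINDOW, LOCKOUT_SECONDS = 5, 5 * 60, 30 * 60
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt=None):
    # Per-account random salt + PBKDF2-HMAC-SHA256 (SHA-2 with a work factor).
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)  # constant-time


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key: str) -> bool:
        return self.locked_until.get(key, 0.0) > self.clock()

    def record_failure(self, key: str) -> bool:
        # Record one failure; return True if it triggers a lockout.
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False


def attempt_login(guard: LoginGuard, accounts: dict, key: str, user: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. accounts maps user -> (salt, digest)."""
    if guard.is_locked(key):
        return "locked"                     # refuse before doing any password work
    # Unknown users get a dummy record so the hash work (and timing) is the same.
    salt, digest = accounts.get(user, (bytes(16), bytes(32)))
    if verify_password(password, salt, digest) and user in accounts:
        return "ok"
    return "locked" if guard.record_failure(key) else "denied"
```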
14 hours ago, tierrilopes said:

It doesn't block brute-force, it makes the brute-force attempts useless because the password storage method is different.

Yet, they can unpack your client, view the salt (I'm assuming it is the same for all accounts) and adapt their brute-force.

You should make a unique salt for each account, and use it to make a hash (new versions of SHA are nice).

You can also do it like you said, but it shouldn't be your first line of defense; blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example.

You can also implement 2-step auth on your server; check Google Authenticator.

2-step auth is a great idea as well, but entering a 2nd password with every entrance can hurt the user experience, so I'm not sure about that (I'm not a UX expert xD).

Blocking IP + HWID is too much (why does the rest of the family have to suffer if one of them is being a jackass?). Blocking HWID can be bypassed as well, if I'm not mistaken? I know that the MAC address can be spoofed for sure.

I'd go with the unique salt per account, or make a very intuitive and user-friendly 2-step auth system.

GL :)


Yeah, both HWID and IP can be bypassed, sadly. About HWID, it could get more than just the MAC address, IDs from other parts as well; I'm just not sure where privacy could start being an issue.

I used a unique salt for each account, inspired by the IPS account management.

About 2-step you're right, it's good but can be annoying. Maybe ask for it only for critical operations like changing email or password?

And for new devices, keep a log of what devices are used to log in. Then for known devices ask only once every 30 days? That should reduce annoyance.


Change the packet names, encrypt the packets better, nop out the function that gives the information to Python like "yes, the data was right, user will be logged in now".

But a 100% solution you won't find here, until you program a server-side captcha that is encrypted and will be shown after 5 fails.

 

I hope that I am not that wrong..

 

Kind Regards

Cyber

