Logan Posted October 26, 2005

> How about a combo approach? After X failed attempts, present an image verification code in the login panel for the next N minutes/days for the IP that requested login with the bad password. In this case, the people using the same IP (proxy or intranet) might start seeing the image verification code even the first time they see the login form sometime, but if it is a real person typing info into the form, entering the verification code wouldn't be too much of a hassle. You could even add a third login level that would optionally suspend logins from the IP if X consecutive failures occurred when the verification code is enabled.

Very nice suggestion, that would be a lot more effective than locking accounts... well, for non-humans that is.
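The three-level scheme in the quoted suggestion (X failures, then an image verification code for that IP for N minutes, then an optional suspension after further consecutive failures) written out as an added Python example; this is not IPB code or anything posted in the thread, and the thresholds, timestamps and IP addresses are constructed values.

```python
# Constructed thresholds standing in for the X / N values in the suggestion above;
# they are not IPB settings.
CAPTCHA_AFTER = 3          # X failed logins -> image verification code required
CAPTCHA_SECONDS = 15 * 60  # N: how long that requirement stays on for the IP
SUSPEND_AFTER = 5          # consecutive failures while the code is required
SUSPEND_SECONDS = 60 * 60  # third level: refuse logins from the IP for this long


class LoginGuard:
    """Per-IP failed-login tracker: escalates ok -> captcha -> suspended.
    `now` is a Unix timestamp supplied by the caller (e.g. time.time())."""

    def __init__(self):
        self.by_ip = {}  # ip -> counters and expiry timestamps

    def _state(self, ip):
        return self.by_ip.setdefault(ip, {"failures": 0, "captcha_until": 0.0,
                                          "captcha_failures": 0, "suspended_until": 0.0})

    def status(self, ip, now):
        """What the login form should do for this IP: 'ok', 'captcha' or 'suspended'."""
        s = self._state(ip)
        if s["suspended_until"] > now:
            return "suspended"
        if s["captcha_until"] > now:
            return "captcha"
        return "ok"

    def record_failure(self, ip, now):
        """Call after a wrong password (or, in captcha mode, a wrong verification code)."""
        s = self._state(ip)
        if self.status(ip, now) == "captcha":
            # Level 2: failures while the image code is on count towards suspension.
            s["captcha_failures"] += 1
            if s["captcha_failures"] >= SUSPEND_AFTER:
                s["suspended_until"] = now + SUSPEND_SECONDS
                s["captcha_failures"] = 0
        else:
            # Level 1: X plain failures switch the image code on for N seconds.
            s["failures"] += 1
            if s["failures"] >= CAPTCHA_AFTER:
                s["captcha_until"] = now + CAPTCHA_SECONDS
                s["failures"] = 0
        return self.status(ip, now)

    def record_success(self, ip):
        """A correct login clears the counters; an active captcha window still expires on its own."""
        self._state(ip)["failures"] = 0
        self._state(ip)["captcha_failures"] = 0
```

The login handler checks `status()` first: for "suspended" it rejects the request, for "captcha" it verifies the image code before touching the password, and it calls `record_failure()` or `record_success()` with the outcome.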
marcele Posted October 26, 2005

> Whilst it's true that IPB stores the MD5 hashes with a salt, the possibility of a brute force attack still remains. The DB stores the password as md5( md5( password ) . salt ). During log in, the member is loaded from converge and the salt loaded. The log in then checks for: md5( md5( $entered_password ) . $salt_from_db ); A brute force application can run through a list and effectively pass $entered_password through to the log in module.

Thanks Matt for explaining things to bfarber .. Because programs like accessdiver use your own post form .. it also uses all your application logic .. (your form can't recognise between a normal user and a bot) ..
bfarber Posted October 29, 2005

Ok, yes, brute force through the login form itself is possible (dependent upon the user's password naturally). I think I was following a different train of thought when I was responding about brute force attempts. I was referring to brute force attempts in general, based on this comment:

> PS: Still i think it should be implemented into IPB - Invision already is a very insecure BB (e.g. MD5 hash storage = sh*t compared to vBulletins...) - I think this would at least stop the bruteforcers..

In other terms, I was referring to taking the hash itself and brute-forcing it (which many of the "md5 cracking" sites are actually doing). You submit a valid md5 hash, it runs through a huge database of hashes until you have the password. This password it gives you however wouldn't be a valid one you could submit through the login form and get logged in. I've heard a lot of people say you can take the hash and put it through the database and get the password from it. *This* is what I was really saying isn't possible. I think I just misinterpreted what you were referring to with the brute force attempts. *Sorry for my misunderstanding of what you were saying. You did clarify after my first post and it went in one ear and out the other :blush: * :lol: