Early last week, a young hacker discovered that Twitter permitted an unlimited number of failed login attempts. He wrote a program that tried a long list of possible passwords against a given account, and eventually got in. This technique for gaining unauthorized access to someone else’s account by guessing until a password works is generally referred to as a brute force password attack.
Before he was finished, representatives of a broad cross-section of North American society were involved: President-Elect Barack Obama, CNN correspondent Rick Sanchez, Digg founder Kevin Rose, Britney Spears, and Miley Cyrus, as well as the official feeds for Facebook, CBS News, Fox News, and more.
Could this happen at your company? No? Think again. Ask about the details, and be persistent.
Depending on the business use case, a widely implemented best practice is to have the login system respond to successful and unsuccessful attempts (a bad password or a non-existent account) in the same amount of time, to display the same generic failure message in either case so that an attacker cannot tell a valid username from an invalid one, and to limit the number of unsuccessful attempts permitted on any given account (for example, lock the account after 3 consecutive failures). Bear in mind that a hard lockout can be turned against you: anyone who knows a username can lock its owner out, so many systems prefer a growing delay, a CAPTCHA or a throttle per source address, and alert on the lockouts they do impose.
Bruce Schneier wrote a short note about the Twitter incident, which generated a long thread of comments.
Will your authentication system cope with many authentication attempts within a very small period of time? What if someone sends thousands of authentication attempts on an account in a second? Or two within 0.005 seconds, so that both are checked before the failure counter is updated? Even security-centric software like SSH has been vulnerable to well-timed authentication attacks.
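To make the two points above concrete, here is an added example (my own code, not Twitter’s and not from the original post) of a login service that follows the best practice described earlier: a per-account lockout after three consecutive failures, one generic message whether the username exists or not, and a padded response time so every answer takes equally long. It also addresses the near-simultaneous attempts just raised: the read-check-update of the failure counter runs under a per-account lock, so two guesses arriving microseconds apart cannot both slip past the counter. The account name, password, policy values and wordlist are all constructed for the demo; the PBKDF2 iteration count is deliberately low so it runs quickly.

```python
import hashlib
import hmac
import secrets
import threading
import time
from dataclasses import dataclass, field

# Policy knobs. Illustrative values, not the original post's recommendation.
MAX_FAILURES = 3            # consecutive bad passwords before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
RESPONSE_FLOOR = 0.25       # every login response takes at least this long
GENERIC_MESSAGE = "Invalid username or password."
PBKDF2_ITERATIONS = 20_000  # kept low for the demo; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0            # consecutive failures since the last success
    locked_until: float = 0.0    # clock timestamp; 0 means not locked
    lock: threading.Lock = field(default_factory=threading.Lock)


class LoginService:
    """Login endpoint with per-account lockout, one generic error and an equal response time."""

    def __init__(self, accounts, clock=time.monotonic, sleep=time.sleep):
        self._accounts = accounts
        self._clock = clock  # injectable so tests can advance time without waiting
        self._sleep = sleep
        # Dummy credential so an unknown username costs the same hashing work as a real one.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def is_locked(self, username):
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until

    def login(self, username, password):
        start = self._clock()
        ok = self._verify(username, password)
        # Pad every response to the same floor so elapsed time does not reveal
        # whether the account exists, is locked, or simply had a bad password.
        remaining = RESPONSE_FLOOR - (self._clock() - start)
        if remaining > 0:
            self._sleep(remaining)
        return (True, "Welcome.") if ok else (False, GENERIC_MESSAGE)

    def _verify(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            hmac.compare_digest(hash_password(password, self._dummy_salt), self._dummy_hash)
            return False
        # Read-check-update under the account's lock: two attempts that arrive
        # microseconds apart cannot both see failures == 2 and both get a guess.
        with acct.lock:
            now = self._clock()
            if now < acct.locked_until:
                hash_password(password, acct.salt)  # same work; no hint that it is locked
                return False
            if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
                acct.failures = 0
                return True
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return False


def make_demo_service(**kwargs):
    """Constructed sample data, not real credentials: one account, alice / happiness."""
    salt = secrets.token_bytes(16)
    return LoginService({"alice": Account(salt, hash_password("happiness", salt))}, **kwargs)


def dictionary_attack(service, username, wordlist):
    """Run the attacker's loop and count how many guesses were accepted."""
    return sum(1 for guess in wordlist if service.login(username, guess)[0])


def burst(service, username, password, n=20):
    """Fire n attempts at the same instant; report whether the lockout still engaged."""
    threads = [threading.Thread(target=service.login, args=(username, password)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return service.is_locked(username)


if __name__ == "__main__":
    svc = make_demo_service()
    print("guesses accepted:", dictionary_attack(svc, "alice", ["password", "123456", "letmein", "twitter", "happiness"]))
    print(svc.login("nobody", "x"), svc.login("alice", "happiness"))  # same message, same timing
    print("lockout held under a burst:", burst(make_demo_service(), "alice", "wrong"))
```

The dictionary run accepts zero guesses because the account locks on the third miss, before the correct word is reached; an unknown username and a locked account both get the same text and the same floor on response time. The per-account lock is what keeps a burst of simultaneous attempts from getting more than three free guesses; a single global lock would work too but would serialize every login on the site.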
Take the time to review the discussion that follows Bruce Schneier’s blog entry. Or have your authentication guru do the same. Maybe we are not as good at logging our customers, partners, and employees into our systems as we thought?
— References —
“Weak Password Brings ‘Happiness’ to Twitter Hacker” by Kim Zetter, http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
Twitter background (Wikipedia), http://en.wikipedia.org/wiki/Twitter
“Bad Password Security at Twitter” by Bruce Schneier, http://www.schneier.com/blog/archives/2009/01/bad_password_se.html