[WEB SECURITY] Brute Force authentication attack

Mark Mcdonald mmcdonald at staff.iinet.net.au
Sun Jul 2 21:43:29 EDT 2006


You’d be surprised how easy it is to defeat most captchas...

PWNtcha can defeat heaps of common systems found on the net.

http://sam.zoy.org/pwntcha/

  _____  

From: skarvin [mailto:skarvin at gmail.com] 
Sent: Saturday, July 01, 2006 3:39 PM
To: Chris Weber
Cc: Jeremiah Grossman; Web Security
Subject: Re: [WEB SECURITY] Brute Force authentication attack

Hi,

If you use a very simple captcha, maybe you'll be vulnerable to brute force attacks by OCR techniques.


On 6/30/06, Chris Weber <chris at lookout.net> wrote:
> True is that.  Also "Human Interactive Proof" or HIP, CAPTCHA being more
> common, I think.
> 
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
> Sent: Friday, June 30, 2006 1:33 PM
> To: Web Security
> Subject: Re: [WEB SECURITY] Brute Force authentication attack
> 
> We all get those from time to time. :) 
> 
> CAPTCHA
> "completely automated public Turing test to tell computers and humans apart"
> 
> On Jun 30, 2006, at 10:41 AM, Schmidt, Albert E wrote:
> 
> > I am definitely having a senior moment.  Can anybody please tell me 
> > what it is called when you have to enter a code displayed in a picture
> > when authenticating?  I know this is a control against brute force
> > hacking, but for the life of me I cannot remember what it is called. 
> >
> > ----------------------------------------------------------------------------
> > The Web Security Mailing List:
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/ 
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> 
> 



-- 
Regards,

skarvin
skarvin.blogspot.com <http://skarvin.blogspot.com>
