Does anyone have a good source on brute force and what is and isn't a good idea? I came across the below on a rather important website and am wondering if I should push harder for them to change it.
How secure is a randomized 5 digit pin where you get unlimited guesses but after 10 guesses the pin is reset?
Guessing the pin correctly gets you enough information to open a bank account.
Assuming a system like the above exists, would you consider it a security vulnerability?
What does the system hold? Your library loan history or nuclear weapon launch codes?
Assuming it’s reset every 10 attempts, you have lost keyspace and gained random odds. 1:1000000 of getting the password right, 1:500k on average. Assuming I can perform one attempt per second, about 139 hours to successfully brute force a single account. One second is probably pessimistic, most systems are capable of serving much higher rates.
Unless you have fail2ban or MFA, consider the pin a formality.
I can't give full details of what is within accounts without potential exposure of the company. So I called a local bank and asked what I needed to set up an account. All the information required was part of a potential breach.
Is there a rate limit where protecting information with 5 digits is ok?
I would say 1m rather than 10k. As the value rolls every 10 attempts, the true odds are slightly less than 1:1m, but only because every 9th attempt is 1:(1m-9) and the 8th is 1:(1m-8); this is a minute difference.
Rate limits and account lockouts create accessibility and availability issues. I’m not aware of any real world case studies where they have been abused; my guess is demographics are important (a student is more likely to do it to a school than a random on the street doing it to a finance company). Though, if usernames are possible to enumerate, you should still consider the risk of someone doing it at scale as a DoS.
What is / is not okay is probably largely defined by any security frameworks that you’re required to adhere to - in Australian Gov there is the Information security manual (google ISM ACSC). It states that password complexity goes up if you do not have MFA, and that without it credentials should be 14+ characters long.
Given your assertion that a breach would be possible, I would strongly suggest that your current methodology is dangerous. If you can enumerate usernames doubly so. Are you able to script a proof of concept brute force? Tools like hydra do this, but I prefer python3/requests.
That does little to counter the real problem, as the chance of successfully guessing the pin on the first try is still 1/1e5, which gives ~69k attempts for a 50% chance of correctly guessing that pin, which is like ~2 hr at 10 pin attempts/second. Having request throttling helps tremendously, but it shouldn't be the only deterrent in place. Moreover, it should be implemented in a way that does not become a vector for DoS attacks.