Forum login failure is forever



  • There's one of those fun sites that posts new stuff on a daily basis. You can comment it, but not directly on the page - you have to go to the site's forum.

    I created an account about 2 years ago, and have used it maybe twice. Then I forgot the password. 

    Last Tuesday I felt an urge to actually post something on the forum. First attempt - fail, second - fail, so I click on "I forgot the password, give me another one" link. 

    The forum tells me then something along: You failed 10 times, and your account is blocked for 16 hours.

    Gee, why? Well, it counted ALL the occurrences when I tried to log in and failed since last succesful login. Which was about a year ago.

    I found the new, random password in my maibox and an "activate" link. I clicked, I entered the password, and... "You can login in 15 hours 56 minutes."

    So basically, I could just try to enter all usernames I see on the forum frontpage, and 10 times some gibberish, and they will be all fucked. Am I right?



  • Yup!

    Considering the kind of protection this website got (since the Twitter thingie maybe?) , it may be protected against that, so you could only try a couple of usernames from one IP in a short period, but I doubt that, so the answer to your question is basically:

    Yup!



  •  Bank in our country has similar protection, so anyone can block huge amount of accounts i guess. Account names are numbers, probably increasing by 1, like icq accounts, so its easier :).



  • Bank here gives you three tries before they declare you Fucked and require you to get new credentials via snailmail.

    That's good, I suppose.

    Small detail: if you fail twice, you can re-GET the login page, (as opposed to refresh, see), and your failcounter is set to 0 again. So you can try for as long as you want. It was a bug I discovered when I mistyped my pw twice and didn't want to risk a third typo.

    Maybe I should tell them. Or maybe it's moot because auto-posting to a login form is not a very likely point of attack anyway.



  • @rohypnol said:

    Yup!

    Considering the kind of protection this website got (since the Twitter thingie maybe?) , it may be protected against that, so you could only try a couple of usernames from one IP in a short period, but I doubt that, so the answer to your question is basically:

    Yup!

    Correction: everyone but the web administrator.

    You can bet your bottom dollar (whatever that means) that the server admin has a way to unlock all locked accounts, even while "locked out" him/herself.  That is, the web admin will have a way to access the underlying data which doesn't use the web password, or else doesn't use the same failed password access lock.  It's the way these things are designed - except, of course, when the product authors are trying to get featured on this site.

    Now, it is entirely possible that the web administrator may not *know* how to do that.  But it's far more likely that the web admin wouldn't even think to check on how many accounts were locked in that manner even if there were no posts for a week.



  • @dhromed said:

    Bank here gives you three tries before they declare you Fucked and require you to get new credentials via snailmail.

    That's good, I suppose.

    Small detail: if you fail twice, you can re-GET the login page, (as opposed to refresh, see), and your failcounter is set to 0 again. So you can try for as long as you want. It was a bug I discovered when I mistyped my pw twice and didn't want to risk a third typo.

    Maybe I should tell them. Or maybe it's moot because auto-posting to a login form is not a very likely point of attack anyway.

     

    Sounds interesting, my bank also gives 3 tries. How do you re-GET a login page? And how did you know it was set to 0?



  • @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

    @Quincy5 said:

    And how did you know it was set to 0?

    Technically I don't. I think my pseudo-third try was correct, so I wasn't able to test the counter's robustness. There might a database that logs it, but for what it's worth, all the red blinkenden lights shouting WARNNG EPIC FAIL IMMINENT LOL were gone.


     



  • @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.



  • @Kiss me I'm Polish said:

    I could just try to enter all usernames I see on the forum frontpage, and 10 times some gibberish, and they will be all fucked. Am I right?
    That's a common security measure.  I think the logic is, the denial-of-service it enables is not as bad as the security hole it covers up.  Also, there's less in it for a potential attacker.



  • @amischiefr said:

    @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.

     

    Ahem.

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.



  • @dhromed said:

    @amischiefr said:

    @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.

     

    Ahem.

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.

     

     

    Maybe he means Shift + click refresh button



  • I think he mean to click Shift + Refresh and then * 0085CF85 Module(sqlservr+0045CF85) (CStackDump::GetContextAndDump+0000002E Line 1855+00000000)



  • @dhromed said:

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.

     

    If you want to use F5 you need to use Ctrl + F5



  • @dhromed said:

    @amischiefr said:

    @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.

     

    Ahem.

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.

    F5? Wtf? I've always used Shift + R in FF.



  • Perhaps TRWTF is that this thread is about how to do refresh in a browser?



  • @cablecar said:

    @dhromed said:

    @amischiefr said:

    @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.

     

    Ahem.

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.

    F5? Wtf? I've always used Shift + R in FF.

    Shift + R?

     

    If I want to rerequest a page without submitting any POST data ("re-GET" in dhromed's terms) I do Ctrl + L (selects the location bar) then enter.

    If I want to refresh normally and resend POST data, I do F5.

    If I want to refresh, resend any POST data and not use anything from cache, I do Ctrl + Shift + R.

    Unfortunately, Firefox caches DNS lookups which is a pain in the ass if you are a web developer, so I had to write an extension that lets me dump the entire list of DNS cache entries.



  • @cablecar said:

    @dhromed said:

    @amischiefr said:

    @dhromed said:

    @Quincy5 said:

    How do you re-GET a login page?
     

    Select address bar, hit Enter.

     

    Shift + refresh works also.

     

    Ahem.

    - Shift + F5 is not a key in FFX

    - Shift + F5 is not a key in IE

    - Shift + F5 is not a key in Opera

    - Shift + F5 is a key in Chrome, and performs an ordinary Refresh, likely with cache override, but that's irrelevant.

    F5? Wtf? I've always used Shift + R in FF.

     

    you didn't say shift + r, you said shift + refresh.  F5 is pretty much the standard "refresh" button in UIs.



  • @morbiuswilters said:

    Unfortunately, Firefox caches DNS lookups which is a pain in the ass if you are a web developer, so I had to write an extension that lets me dump the entire list of DNS cache entries.
     

    Just curious, why would that be a problem?



  • @tster said:

    you didn't say shift + r, you said shift + refresh.  F5 is pretty much the standard "refresh" button in UIs.
     

    You know what's funny?

    SQL Manager Studio 2005 is -- as you may have realized -- the unholy component-dragged-together frankensteinoid merger of Enterprise Manager and Query Analyzer, and the result is that in a "QA" tab, youuse F5, but in a "EM" table view tab, you use Ctrl+R.

    F5? Wtf? I've always used Shift + R in FF.

    FindAsYouType is among the most awesome things to hit the UI scene recently*, so with my settings, Shift-R will search for R on the page. I can only guess why this isn't turned on by default, and the archaic Shift-R key retired.

     

     

    *) just like middle button tab control, which many tabbed apps have already adopted, such as browsers, foobar2000, and SQLManStudio2005.



  • @tster said:

    @cablecar said:

    F5? Wtf? I've always used Shift + R in FF.
     

    you didn't say shift + r, you said shift + refresh. 

    I think you'll find I didn't ;D



  • You think that's bad? My ISP stores the number of password attempts in a cookie. I found myself curious one day when my password didn't seem to work and it locked me out for 3 attempts and tried lowering the cookie, and it let me try 3 more times, then I tried lowering it to -100000, giving me plenty of time to try passwords. I found myself wondering whether they expected brute-force attempts to be friendly enough to maintain their cookies...

    Turned out I had the right password all along but their login page interprets every login as a failed login unless you have javascript turned on (And I use NoScript). Worked it out because I found mtyself wondering if they'd only support IE and tried that.

    I'm not entirely certain which of those is the most fucked up... the cookie-based lockouts or the javascript-only login that doesn't complain if you don't have javascript...



  • <script language=javascript>

    if (NoScript) alert("You need to have javascript turned on to log in.");

    </script>



  • @fyjham said:

    I'm not entirely certain which of those is the most fucked up... the cookie-based lockouts or the javascript-only login that doesn't complain if you don't have javascript...

    Definitely the former.  The latter is a bit sloppy, but not having JS enabled in your browser in this day and age is a pretty big WTF.



  • @morbiuswilters said:

    The latter is a bit sloppy, but not having JS enabled in your browser in this day and age is a pretty big WTF.

    Oh, definately I'd have no objection to them going "You must have javascript turned on to log in" if you don't turn it on, or even having it on the fail page as something to check, but yeah I do disable javascript using NoScript and I whitelist sites that need to use it. A combination of worry about XSS and annoying javascript has pushed me to it, and while I'm fine with a site that says "Go turn on your javascript or go away" one which flat out tells you that your password is incorrect and they have locked your account out for invalid passwords (Until you edit cookie at least :P) and the cause is javascript being turned off... that's a different level of stupid.



  • @fyjham said:

    @morbiuswilters said:

    The latter is a bit sloppy, but not having JS enabled in your browser in this day and age is a pretty big WTF.

    Oh, definately I'd have no objection to them going "You must have javascript turned on to log in" if you don't turn it on, or even having it on the fail page as something to check, but yeah I do disable javascript using NoScript and I whitelist sites that need to use it. A combination of worry about XSS and annoying javascript has pushed me to it, and while I'm fine with a site that says "Go turn on your javascript or go away" one which flat out tells you that your password is incorrect and they have locked your account out for invalid passwords (Until you edit cookie at least :P) and the cause is javascript being turned off... that's a different level of stupid.

    I use NoScript as well, but I generally assume if a site is not functioning correctly I need to start whitelisting domains.  Like I said, it's sloppy, but definitely nothing like trying to prevent brute force attacks through a cookie counter.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.