GoFuckYourself.com - Adult Webmaster Forum


czarina 01-16-2012 02:18 PM

Big LOL! Info sent to me by Strongbox
 
I recently installed Strongbox/Throttlebox in my main sites, and today talking to their techs, they sent me this info. I thought it was very cute (and enlightening), so read on:

Typical usernames and passwords are normally 9 characters long. That means there are this many possible user names: 84,590,643,846,578,176
There are also this many possible passwords: 84,590,643,846,578,176

To successfully hack the site by brute force, the hacker has to guess a valid combination of username and password. To get the number of possible combinations he would have to try, we multiply the number of usernames he has to try by the number of passwords for each one:

7,155,577,026,378,634,231,908,944,079,486,976
pairs he has to try

At the maximum possible rate of guessing that Strongbox would allow even for a hacker using a BILLION proxies, how long would it take for them to get just one correct username/password combination? Here's how long it would take, on average:
41,409,589,273,024,503,656,880,463 days

How long is 41,409,589,273,024,503,656,880,463 days? It's 113,450,929,515,135,626,457,207 years.

The dinosaurs roamed the earth only 65,000,000 years ago. So if tyrannosaurus rex started an attack on your site, which is protected by Strongbox, 65,000,000 years later he still would not have guessed a working user/pass.

To be more precise, there is a 99.99999999999999999% chance that he would not have gotten in after 65 million years.

Let's look at it another way:

Since dinosaurs:
65,000,000 years

Age of the earth:
4,500,000,000 years

Age of the universe:
13,700,000,000 years

Brute force Strongbox:
113,450,929,515,135,626,457,207 years


So if God had started trying to brute force your site at the same time that he created the universe, His progress bar on his brute force software still wouldn't have hit 1%.

You bought Strongbox to protect you from brute force.
It's doing that, very well. Relax and let it do its job. Strongbox may be notifying you that it is blocking a lot of IP addresses. As the emails say, those IPs are blocked. Unless the attacker lives much longer than the universe, Strongbox will keep blocking every one he tries.


YEP, I recommend Strongbox! :)

papill0n 01-16-2012 02:34 PM

when god created the universe :1orglaugh :1orglaugh

Cystomatic 01-16-2012 02:38 PM

Haha, very nice from them for informing you with this. :)

Going to check them out now.

Why 01-16-2012 02:49 PM

the logic used above is flawed, because crackers know what words and strings are used most frequently. so that shortens the list down tremendously. secondly, just because the average is 9 does not mean you can not crack using every combination of 6 or shorter, where 6 is the usual minimum user/pass length at many sites.

not to say strongbox isn't a good solution, but their math is a bit off IMO.

iSpyCams 01-16-2012 03:15 PM

They will hack your email (since the user is known) and retrieve the password.

Or else buy a database of user and pass combos from another site and see if there are any repeats, so many people use the same combo for everything.

ladida 01-16-2012 03:20 PM

Quote:

Originally Posted by czarina (Post 18691860)
I recently installed Strongbox/Throttlebox in my main sites, and today talking to their techs, they sent me this info. I thought it was very cute (and enlightening), so read on:

Typical usernames and passwords are normally 9 characters long. That means there are this many possible user names: 84,590,643,846,578,176
There are also this many possible passwords: 84,590,643,846,578,176

To successfully hack the site by brute force, the hacker has to guess a valid combination of username and password. To get the number of possible combinations he would have to try, we multiply the number of usernames he has to try by the number of passwords for each one:

7,155,577,026,378,634,231,908,944,079,486,976
pairs he has to try

At the maximum possible rate of guessing that Strongbox would allow even for a hacker using a BILLION proxies, how long would it take for them to get just one correct username/password combination? Here's how long it would take, on average:
41,409,589,273,024,503,656,880,463 days

How long is 41,409,589,273,024,503,656,880,463 days? It's 113,450,929,515,135,626,457,207 years.

The dinosaurs roamed the earth only 65,000,000 years ago. So if tyrannosaurus rex started an attack on your site, which is protected by Strongbox, 65,000,000 years later he still would not have guessed a working user/pass.

To be more precise, there is a 99.99999999999999999% chance that he would not have gotten in after 65 million years.

Let's look at it another way:

Since dinosaurs:
65,000,000 years

Age of the earth:
4,500,000,000 years

Age of the universe:
13,700,000,000 years

Brute force Strongbox:
113,450,929,515,135,626,457,207 years


So if God had started trying to brute force your site at the same time that he created the universe, His progress bar on his brute force software still wouldn't have hit 1%.

You bought Strongbox to protect you from brute force.
It's doing that, very well. Relax and let it do its job. Strongbox may be notifying you that it is blocking a lot of IP addresses. As the emails say, those IPs are blocked. Unless the attacker lives much longer than the universe, Strongbox will keep blocking every one he tries.


YEP, I recommend Strongbox! :)

If that was all true, it would be good, however, it's not, it's why so many sites get hacked anyway. Ray likes to exaggerate a lot to sell a product, it's fine in a way i guess.

ruff 01-16-2012 03:21 PM

7,155,577,026,378,634,231,908,944,079,486,976 pairs he has to try. I guess that's only if he finally gets to the last pair. What happens if he gets them on try number 4?
People win the lottery you know. I don't, but I read about them all the time.

CyberHustler 01-16-2012 03:22 PM

http://upload.wikimedia.org/wikipedi...it_Cropped.jpg

L-Pink 01-16-2012 03:26 PM

My pet's name is on a sticky attached to the side of my monitor.

.

MaDalton 01-16-2012 03:35 PM

we use 16 character random usernames and passwords - that should take a while to guess

Brujah 01-16-2012 03:36 PM

You definitely don't want God hacking your site.

georgeyw 01-16-2012 03:41 PM

Quote:

Originally Posted by Why (Post 18691902)
the logic used above is flawed, because crackers know what words and strings are used most frequently. so that shortens the list down tremendously. secondly, just because the average is 9 does not mean you can not crack using every combination of 6 or shorter, where 6 is the usual minimum user/pass length at many sites.

not to say strongbox isn't a good solution, but their math is a bit off IMO.

Also the fact that t-rex could have guessed the correct combo on his second attempt...

Half man, Half Amazing 01-16-2012 03:49 PM

....but I'm pretty sure the Republican party has facts to prove the earth is only 6000 years old.

2MuchMark 01-16-2012 04:22 PM

Interesting post, but it sounds more like a sales pitch. Using Brute force to crack a 9 character username + 9 character password is inefficient, and a very simple - too simple actually - way to code a hack program.

A much smarter way to do it would be to first assess the users if possible to determine where most are from (say, North America). Most people use real words, real names, pet names, etc. A smarter hack would be to use the commonly used words from the North American dictionary, or most commonly used names (and pet names). Most people add "69" to the end of the name where numbers + letters are required, so a smarter program would have to take that into consideration.

With a little bit of smart coding, it would take much less time to gain access to a server than the way it is described in your post.

ottopottomouse 01-16-2012 04:22 PM

so...

every time you double your number of members, your security is halved.

people never guess the right password until they have tried every other possible combination.

dinosaurs with short arms that would find it physically impossible to have a wank still love porn.

uno 01-16-2012 04:34 PM

Quote:

Originally Posted by pompousjohn (Post 18691933)
They will hack your email (since the user is known) and retrieve the password.

Or else buy a database of user and pass combos from another site and see if there are any repeats, so many people use the same combo for everything.

There are millions of username and password combinations out there from hacked passfiles and whatnot. It's not hard to get a hold of them and find several hundred working logins if you have enough proxies and the right tools.

edgeprod 01-16-2012 04:38 PM

So if I can give you lists of Strongbox protected sites user/pass combinations, what do I win? Does that make me more powerful than God? Cool!

mikesouth 01-16-2012 04:41 PM

your site can be brute force hacked in a matter of an hour or so usually without fail. I won't expose the methodology they use but the truth is they aren't randomly guessing passwords and logins, they use combos that are known to be valid. I'm not saying strongbox isn't good...it's the best...I use it and I strongly recommend it. But don't think for even a second that these brute force attacks are random guesses...they aren't

raymor 01-16-2012 05:02 PM

Quote:

Originally Posted by ruff (Post 18691945)
7,155,577,026,378,634,231,908,944,079,486,976 pairs he has to try. I guess that's only if he finally gets to the last pair. What happens if he gets them on try number 4?
People win the lottery you know. I don't, but I read about them all the time.

That's why I said "on average". There's an infinitesimal chance (roughly one in 577,026,378,634,231,908,944,070) of getting one right on the first guess. There's an equal chance of guessing any particular combo last. "On average" are important words if you're going to get into the math.

Of course, even if I had forgotten those words and I was off by a factor of a million, that doesn't change the fact that the attacker will die long before succeeding.

raymor 01-16-2012 05:05 PM

Quote:

Originally Posted by Why (Post 18691902)
the logic used above is flawed, because crackers know what words and strings are used most frequently. so that shortens the list down tremendously. secondly, just because the average is 9 does not mean you can not crack using every combination of 6 or shorter, where 6 is the usual minimum user/pass length at many sites.

not to say strongbox isn't a good solution, but their math is a bit off IMO.

We also know what's used frequently and we know that six character passwords aren't good. You've made the assumption that we're stupid and we set her site up stupidly. We are not stupid, so we don't assign "password" as a password.

raymor 01-16-2012 05:09 PM

Quote:

Originally Posted by ********** (Post 18692067)
Interesting post, but it sounds more like a sales pitch. Using Brute force to crack a 9 character username + 9 character password is inefficient, and a very simple - too simple actually - way to code a hack program.

A much smarter way to do it would be to first assess the users if possible to determine where most are from (say, North America). Most people use real words, real names, pet names, etc. A smarter hack would be to use the commonly used words from the North American dictionary, or most commonly used names (and pet names). Most people add "69" to the end of the name where numbers + letters are required, so a smarter program would have to take that into consideration.

With a little bit of smart coding, it would take much less time to gain access to a server than the way it is described in your post.

If we let people choose stupid passwords, they would do so, yes. Why assume that we're stupid and do that? Anyway, that was sent in regards to a query about brute force specifically. Yes, other hacks exist, especially if you run Plesk, so visitors are permitted to upload their own scripts. That's not the topic of the email.

raymor 01-16-2012 05:14 PM

Quote:

Originally Posted by edgeprod (Post 18692098)
So if I can give you lists of Strongbox protected sites user/pass combinations, what do I win? Does that make me more powerful than God? Cool!

$10,000 was the offer for hacking Strongbox.

Strongbox is very flexible and will allow for many configurations and compatibility with a lot of different third party software, some better than others. The $10,000 challenge was for any site using our recommended configuration.

raymor 01-16-2012 05:17 PM

Quote:

Originally Posted by ladida (Post 18691942)
If that was all true, it would be good, however, it's not, it's why so many sites get hacked anyway. Ray likes to exaggerate a lot to sell a product, it's fine in a way i guess.

If you're going to call me a liar, would you like to be a little more specific? I would appreciate it if you would either be specific about what you say I'm lying about, or apologize.

ladida 01-16-2012 05:41 PM

Quote:

Originally Posted by raymor (Post 18692153)
If you're going to call me a liar, would you like to be a little more specific? I would appreciate it if you would either be specific about what you say I'm lying about, or apologize.

I did not say you lied, you just manipulated statistics and ignorance to have a sales pitch, which is fine i guess. What i meant has already been said in this thread. No one in their right mind takes a random bruteforce and goes from aaaaaaaaa to zzzzzzzzz. If you are saying they do, then your security courses are from, i dunno, 1980?
Quote:

Originally Posted by raymor (Post 18692148)
The $10,000 challenge was for any site using our recommended configuration.

That challenge was also bogus. Your descriptions make it so you won't pay anyone anything, you just have that challenge. Similar to how vivid offers multi million dollar contracts to celebs that mostly don't go through and are a sales pitch.
Just for laughs, what are the sites that use "strongbox recommended configuration" ?

Relentless 01-16-2012 06:02 PM

It's a very good sales pitch, and an even better product.
What matters much more than the math is the fact that the owner of the product actually cares about whether or not his clients are protected.
That means if anyone did ever successfully attack the software, it would evolve and prevent future attacks.
With software you can not ever account for the unknown... You can update to overcome anything that eventually becomes known.
Clearly Strongbox does a good job with that.

I do not make a penny from strongbox. I have never met Raymor.
Ask around and read his posts. That tells you all you need to know.

ruff 01-16-2012 06:18 PM

Quote:

Originally Posted by raymor (Post 18692134)
That's why I said "on average". There's an infinitesimal chance (roughly one in 577,026,378,634,231,908,944,070) of getting one right on the first guess. There's an equal chance of guessing any particular combo last. "On average" are important words if you're going to get into the math.

Of course, even if I had forgotten those words and I was off by a factor of a million, that doesn't change the fact that the attacker will die long before succeeding.

There is no doubt that you are correct and it would be virtually impossible to hack a user combo through Strongbox which I know to be a superior product having used it before. But this is GFY and there is a measure of shit we are almost obligated to give anyone who posts Star Trek figures. If I were to sit down and try to hack a Strongbox site, I would give up after, say, 10 tries. That's because I understand 10, but cannot get a handle on 577,026,378,634,231,908,944,070. Anyway, I value my time conservatively at $60 an hour so it would be more efficient just to buy a membership. Hey, was that your plan all along?

raymor 01-16-2012 06:53 PM

Quote:

Originally Posted by ladida (Post 18692178)
I did not say you lied, you just manipulated statistics and ignorance to have a sales pitch, which is fine i guess. What i meant has already been said in this thread. No one in their right mind takes a random bruteforce and goes from aaaaaaaaa to zzzzzzzzz. If you are saying they do, then your security courses are from, i dunno, 1980?

Nope, not a sales pitch. See the first sentence in the thread. That's from an email sent to an existing customer who asked whether they should be concerned about brute force.

Take any one security class from any decade, then let's discuss it. You are correct that brute force certainly is not the preferred method if you have a choice. The OP posted my explanation of WHY it's not the preferred method. In fact, though, brute force is used all the time when you don't have a better option. I've personally used it more than once successfully. Some members of this board would have lost their servers if I hadn't brute forced a particular security system.


Quote:

That challenge was also bogus. Your descriptions make it so you won't pay anyone anything, you just have that challenge. Similar to how vivid offers multi million dollar contracts to celebs that mostly don't go through and are a sales pitch.
Do your homework, then see if you still think so.
Clearly you haven't read the posts where the challenge was posted. GFY is funny that way. You didn't even know there WAS a challenge until I just told you, yet magically you know it's bogus. We're not allowed to post links to other forums, but use "search" on some of the security and hacker forums for details. Just FYI, someone did have a partial win by showing that ONE layer of our security wasn't as strong as intended. We fixed that up and rewarded them in the way they requested. Please do your homework before calling me bogus etc. There's a reason I'm the only licensed security professional doing adult.

raymor 01-16-2012 07:06 PM

Quote:

Originally Posted by ottopottomouse (Post 18692068)
so...

every time you double your number of members, your security is halved.

Basically true for brute force. If you use the default 1970s encryption that the processors provide, it's actually a lot worse due to collisions. You can get into all kinds of funky math there, but yeah basically the more members you have, the more "correct" combinations there are, so it's easier to guess one. See the birthday paradox too.

Quote:

people never guess the right password until they have tried every other possible combination.
Any permutation would be tried at m / 2 on average.

Quote:

dinosaurs with short arms that would find it physically impossible to have a wank still love porn.
They like poo.

ladida 01-16-2012 07:37 PM

Quote:

Originally Posted by raymor (Post 18692300)
Do your homework, then see if you still think so.
Clearly you haven't read the posts where the challenge was posted. GFY is funny that way. You didn't even know there WAS a challenge until I just told you, yet magically you know it's bogus.

I know of the "challenge" and i even think i called you out on that stupid challenge here, i'm not sure anymore it was a long time ago. Way to fail that you just told me about it :)
Quote:

We're not allowed to post links to other forums, but use "search" on some of the security and hacker forums for details. Just FYI, someone did have a partial win by showing that ONE layer of our security wasn't as strong as intended. We fixed that up and rewarded them in the way they requested. Please do your homework before calling me bogus etc.
I did do it.
I know who "partially won" your challenge, i also know he's not the only one, you're just not aware of it since you live in your little fantasy. He was just the only one that contacted you obviously.

You failed to mention the sites that follow "strongbox recommended settings". Name 2-3 different companies, i'm curious.

Operator 01-16-2012 09:57 PM

Raymor ain't dumb

AllAboutCams 01-16-2012 10:09 PM

i guess i should start know

2intense 01-17-2012 12:34 AM

:1orglaugh

Operator 01-17-2012 02:02 AM

The wrong strong box ha

czarina 01-17-2012 07:09 AM

Actually, we have received over 11,000 attempts since yesterday afternoon on one of our sites. They're still trying, but haven't gotten in. So yes, strongbox is doing its job :)

seeandsee 01-17-2012 07:21 AM

i guess people then should use strong user,pass combo as MUST

small,big letters and numbers and min 10 chars for user,pass
and you are safe :)

iSpyCams 01-17-2012 07:40 AM

Quote:

Originally Posted by czarina (Post 18693155)
Actually, we have received over 11,000 attempts since yesterday afternoon on one of our sites. They're still trying, but haven't gotten in. So yes, strongbox is doing its job :)

I wonder how many are valid users who can't access a site they paid for?

czarina 01-17-2012 08:03 AM

Quote:

Originally Posted by pompousjohn (Post 18693228)
I wonder how many are valid users who can't access a site they paid for?

none. We've been going through the reports. We do our best to make our members happy :)

raymor 01-17-2012 08:33 AM

Quote:

Originally Posted by seeandsee (Post 18693187)
i guess people then should use strong user,pass combo as MUST

small,big letters and numbers and min 10 chars for user,pass
and you are safe :)

Most importantly, long passwords. Think "pass phrase". One extra character adds a lot more entropy than including a few odd punctuation marks in the set.

Only if the site is NOT using the default 1970s encryption that the processors use by default, though. The default scripts from the processors ignore everything but the first eight characters.
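
Added example, not part of the thread and not Strongbox code: the arithmetic behind the quoted e-mail, extended to the points raymor makes in his replies (a guess succeeds after m / 2 tries on average, more valid accounts shorten the search, an eight-character hash limit shrinks the password space, length beats a larger symbol set). The 76-symbol alphabet and the rate of 1,000 guesses per second are inferred from the quoted figures, the function names are this example's own, and every result assumes uniformly random credentials.

```python
"""Keyspace arithmetic for the figures quoted in this thread (added example)."""
import math

# Assumptions inferred from the thread's numbers, not stated in it:
# 76**9 equals the quoted 84,590,643,846,578,176 possible user names, and the
# quoted day count corresponds to 86,400,000 guesses per day in total.
ALPHABET = 76
LENGTH = 9
GUESSES_PER_DAY = 86_400_000
DAYS_PER_YEAR = 365


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet ** length


def expected_guesses(candidates: int, valid: int = 1) -> float:
    """Mean tries to the first hit when guessing without repeats.

    With `valid` working values among `candidates`, the mean position of the
    first hit is (candidates + 1) / (valid + 1); for valid=1 this is the
    "m / 2 on average" from the thread.
    """
    return (candidates + 1) / (valid + 1)


def expected_years(candidates: int, valid: int = 1,
                   per_day: int = GUESSES_PER_DAY) -> float:
    return expected_guesses(candidates, valid) / per_day / DAYS_PER_YEAR


def effective_length(length: int, hash_limit=None) -> int:
    """Characters that still matter if the hash ignores input past hash_limit."""
    return length if hash_limit is None else min(length, hash_limit)


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet)


def report() -> dict:
    users = keyspace(ALPHABET, LENGTH)
    pairs = users * keyspace(ALPHABET, LENGTH)
    # Password space if only the first eight characters are hashed.
    truncated = users * keyspace(ALPHABET, effective_length(LENGTH, 8))
    return {
        "one valid pair, 9+9 characters": expected_years(pairs),
        "10,000 valid pairs": expected_years(pairs, valid=10_000),
        "password cut to 8 characters": expected_years(truncated),
    }


if __name__ == "__main__":
    for label, years in report().items():
        print(f"{label:32s} {years:.3e} years")
    base = entropy_bits(ALPHABET, LENGTH)
    print(f"one extra character: +{entropy_bits(ALPHABET, LENGTH + 1) - base:.2f} bits")
    print(f"94 symbols, same length: +{entropy_bits(94, LENGTH) - base:.2f} bits")
```
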

PornDiscounts-R 01-17-2012 08:50 AM

Quote:

Originally Posted by Relentless (Post 18692207)
It's a very good sales pitch, and an even better product.
What matters much more than the math is the fact that the owner of the product actually cares about whether or not his clients are protected.
That means if anyone did ever successfully attack the software, it would evolve and prevent future attacks.
With software you can not ever account for the unknown... You can update to overcome anything that eventually becomes known.
Clearly Strongbox does a good job with that.

I do not make a penny from strongbox. I have never met Raymor.
Ask around and read his posts. That tells you all you need to know.

So very true :thumbsup

ArsewithClass 01-17-2012 08:51 AM

Quote:

Originally Posted by czarina (Post 18691860)

YEP, I recommend Strongbox! :)

:thumbsup Saved me loads of time with brute attacks.. Best pennies I ever spent :pimp

tony286 01-17-2012 09:05 AM

Raymor makes a quality product.
I read this about pass phrases and have been using them instead of passwords for sites I go to.
http://www.codinghorror.com/blog/200...s-phrases.html

lucas131 01-17-2012 09:11 AM

hacking one combo on strongbox take maybe unlimited time, but hack complete database with everything that is stored take few hours or few days maximum. oh poor dinosaur he cant hack strongbox :winkwink:

lucas131 01-17-2012 09:15 AM

oh and the best is, that threads like this about security are on gfy not new, but there is still most of webmasters who smile but use password under 8 chars. i know what i am talking about, go pimps!

TheDA 01-17-2012 09:46 AM

Quote:

Originally Posted by edgeprod (Post 18692098)
So if I can give you lists of Strongbox protected sites user/pass combinations, what do I win? Does that make me more powerful than God? Cool!

Nothing because anyone can get them from the good surfer forums :)

V_RocKs 01-17-2012 10:22 AM

That is all good... But if you allow your surfer to make their own username/password combo that all goes out the window.

If you do... and you own Met-Art then I hack into X-Art with server level access and steal their combos... Now I have a list of tens of thousands of people that enjoy nude art sites and have all joined the majority of them at one time or another.

So by the time I run 50 combos on your site I am in 2 or 10 times or so...

michael.kickass 01-17-2012 12:28 PM

:1orglaugh :1orglaugh

schiz 01-17-2012 12:32 PM

I've always had good experiences with StrongBox. With the right settings, you're golden.

Alex_ 01-20-2012 05:11 AM

raymor

Are you going to respond to my emails?

Avalana 01-20-2012 05:19 AM

Anyway, interesting read

just a punk 01-20-2012 05:53 AM

Quote:

Originally Posted by czarina (Post 18691860)
Since dinosaurs:
65,000,000 years

Age of the earth:
4,500,000,000 years

Age of the universe:
13,700,000,000 years

Brute force Strongbox:
113,450,929,515,135,626,457,207 years

The mass of our Universe is 6*10^52 kilograms.


All times are GMT -7.