I was recently reading this question, where the accepted answer claims that it is easy for attackers to bypass rate limiting that is based on IP, which makes any sort of IP rate limiting to prevent a brute force attack much less useful. But, if it is based on the account that is a victim, then it becomes very easy for an attacker to block access to a victim’s account. What is the best way to defend against both DoS attacks and online brute force attacks (and anything else that is in this same category)?
Simply sleeping for, for example, 1 second isn’t sufficient because the attacker can simply put in more requests before the first one finishes (1 second latency, but unbounded throughput, and throughput is what matters for brute force). If subsequent requests are blocked until the first one finishes, then they must be blocked per-IP or per-user, which produces the same problem.
2FA isn’t always a good solution either, because, for better or worse, many people fail to use it.
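The trade-off the question describes can be made concrete with a small simulation. The following is an added example, not code from the question or its answers: a sliding-window limiter on failed login attempts, keyed separately on the source IP and on the target account, run against a constructed guesser that rotates through 100 addresses. It counts throughput (attempts that actually reach password verification) rather than adding latency, which is the distinction the second paragraph draws. All addresses, account names, limits and timestamps are constructed sample data; the limit values are illustrative, not recommendations.

```python
"""Added example (not from the original question): a failed-login limiter keyed
on both client IP and target account, so the two failure modes the question
raises can be seen side by side: per-IP limits alone are defeated by rotating
addresses, while per-account limits cap the guesses but can also lock the real
user out. Timestamps are passed in explicitly so the run is deterministic."""
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window counter of *failed* attempts per key.

    A key (an IP, an account, or any other string) may accumulate at most
    `limit` failures in any `window` seconds; further attempts are rejected
    until old failures age out. Only failures are recorded, so a user who
    knows the password is never throttled by their own successful logins.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def allowed(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, key, now):
        self._failures[key].append(now)


class LoginGuard:
    """Combines a per-IP budget with a per-account budget.

    per_ip      bounds how many guesses one source may make against any account
    per_account bounds how many guesses anyone may make against one account
    The account budget is what stops a distributed guesser; it is also what an
    attacker can exhaust on purpose to lock the victim out.
    """

    def __init__(self, per_ip, per_account, window):
        self.ip = AttemptLimiter(per_ip, window)
        self.acct = AttemptLimiter(per_account, window)

    def try_login(self, ip, account, password_ok, now):
        """Returns 'ok', 'bad-password', 'throttled-ip' or 'throttled-account'."""
        if not self.ip.allowed(ip, now):
            return "throttled-ip"
        if not self.acct.allowed(account, now):
            return "throttled-account"
        if password_ok:
            return "ok"
        self.ip.record_failure(ip, now)
        self.acct.record_failure(account, now)
        return "bad-password"


def simulate(per_ip=5, per_account=20, window=60.0):
    """Constructed scenario: a guesser rotating through 100 addresses against
    the account 'alice', staying under the per-IP limit from each one, followed
    by alice herself logging in with the correct password, first during the
    attack and then one window later."""
    guard = LoginGuard(per_ip, per_account, window)
    outcomes = defaultdict(int)
    t = 0.0
    for i in range(100):
        ip = f"203.0.113.{i}"          # constructed attacker addresses (TEST-NET-3)
        for _ in range(per_ip):        # never trips the per-IP limit
            outcomes[guard.try_login(ip, "alice", False, t)] += 1
            t += 0.01
    victim_now = guard.try_login("198.51.100.7", "alice", True, t)
    victim_later = guard.try_login("198.51.100.7", "alice", True, t + window)
    return {"outcomes": dict(outcomes), "victim_now": victim_now,
            "victim_later": victim_later}


if __name__ == "__main__":
    print(simulate())
```

With these constructed limits the guesser gets only 20 of its 500 attempts checked against the password, so the per-account budget does bound throughput regardless of how many addresses are used; but the same 20 failures leave alice throttled for the rest of the window, which is exactly the lockout the question is worried about. Whatever replaces the plain reject (a CAPTCHA, a cookie or device token that exempts known clients, a progressive delay) has to be judged against that simulation, not against latency per request.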
I have encrypted a file and sent it to another VM. Decrypted the file and all was fine. Closed the shell, reopened it and attempted to decrypt the same file. This time it didn’t ask for the passphrase but simply showed the decrypted text.
My question is: if I wanted to force the passphrase to be entered upon every decrypt (in case someone got into my machine / user), how could I ensure that the phrase would need to be entered every time?
Clearly I am missing an in depth understanding of what is happening here.
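The post does not name the tool, but a passphrase that is asked for once and then not again in a later shell is the behaviour of GnuPG’s gpg-agent, which caches passphrases for a configurable time. Assuming that is the tool in use, the following added example (not from the post) writes an agent configuration that keeps nothing in the cache and shows how to make a running agent pick it up. The directory argument and the helper names are the example’s own.

```bash
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1 or later with
# gpg-agent; the post itself does not say which tool it used.

# Write a gpg-agent.conf that keeps no cached passphrases.
# $1 = GNUPGHOME directory (defaults to ~/.gnupg). Prints the path written.
write_no_cache_agent_conf() {
    dir="${1:-$HOME/.gnupg}"
    mkdir -p "$dir"
    chmod 700 "$dir"
    conf="$dir/gpg-agent.conf"
    # Both TTLs at 0 seconds: the agent forgets a passphrase as soon as it has
    # used it, so the next decrypt prompts again.
    cat > "$conf" <<'EOF'
default-cache-ttl 0
max-cache-ttl 0
EOF
    # Files encrypted with a passphrase only (gpg -c) use a separate symkey
    # cache; no-symkey-cache in gpg.conf disables it (GnuPG 2.2.7 and later).
    # Guarded so that running this twice does not duplicate the line.
    if ! grep -qs '^no-symkey-cache$' "$dir/gpg.conf"; then
        printf 'no-symkey-cache\n' >> "$dir/gpg.conf"
    fi
    echo "$conf"
}

# Make a running agent re-read its configuration. Entries that are already
# cached are flushed by restarting the agent: gpgconf --kill gpg-agent
reload_agent() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent reloadagent /bye
    else
        echo "gpg-connect-agent not found; restart gpg-agent by hand" >&2
        return 1
    fi
}

# Number of cache-ttl settings in a conf file that are set to 0 (a quick check
# that the file says what we expect: 2 when both are present).
count_zero_ttl() {
    grep -c -E '^(default|max)-cache-ttl 0$' "$1"
}
```

A cached passphrase is only as safe as the user session holding it: anyone who can run commands as that user while the cache is warm can decrypt without being asked. Setting the TTLs to zero trades convenience for that guarantee; the same applies to the OS keyring or pinentry "save in keychain" options, which sit outside gpg-agent and need to be switched off separately.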
I remember learning about an attack against sequential cipher locks – ones that don’t have a ‘reset’ or ‘enter’, you just enter digits and as soon as the last n consecutive entries match, the lock opens. So, if the code is ‘1234’, the sequence ‘32431234’ will work just fine.
The attack depends on a specific sequence that appends digits such that the resulting ‘tail’ of the string is as new as possible.
Let’s take for example a 3-digit binary lock. The possible codes are 000, 001, 010, 011, 100, 101, 110, 111. To try all 8 codes in standard brute force attack, you’d enter 24 digits total.
But instead, entering the sequence 0001110100, 10 digits total, you cover all combinations and unlock the lock – generating the sequences 000, 001, 011, 111, 110, 101, 010, 100, each new digit past the first 2 generating a new code.
For the life of me, I can’t recall the name of the sequence used for this sort of attack.
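The sequence in the post is a de Bruijn sequence B(k, n): a cyclic string over k symbols in which every length-n string occurs exactly once as a window, so it has k^n symbols, and typing it plus its first n-1 symbols again tests every code on a lock that has no ‘enter’ key. The following added example (not from the post) builds one with the standard Fredricksen–Kessler–Maiorana construction, models the lock exactly as the post describes it (it opens when the last n digits typed equal the code), and counts the windows such a lock actually compares, both for the post’s binary example and for a 4-digit decimal keypad. The numbers are what a lock designer needs to justify an explicit enter key and an attempt counter: the gap between 10 003 and 40 000 digits is the whole point. Function names and the sample strings are the example’s own.

```python
"""Added example, not from the original post: generate a de Bruijn sequence
B(k, n) (Fredricksen-Kessler-Maiorana construction) and count how many
n-digit codes a sequential lock without an 'enter' key tests while a digit
string is typed. Lock model as in the post: it opens as soon as the last n
digits entered equal the code. All sample strings below are constructed."""


def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n) over the digits 0..k-1 (k <= 10).

    Every length-n string over the alphabet appears exactly once as a cyclic
    window, so the result has length k**n.
    """
    a = [0] * (k * n)
    out = []

    def db(t, p):
        # t = position being filled, p = period of the prefix built so far
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in out)


def keypad_walk(k, n):
    """The linear digit string to type: the cyclic sequence followed by its
    first n-1 digits, so the wrap-around windows are typed too.
    Length k**n + n - 1 (10 for the post's binary lock, 10003 for a 4-digit PIN)."""
    s = de_bruijn(k, n)
    return s + s[:n - 1]


def windows_tested(typed, n):
    """The distinct n-digit codes a sequential lock compares against while
    `typed` is entered, in the order the lock first sees them."""
    seen = {}
    for i in range(len(typed) - n + 1):
        seen.setdefault(typed[i:i + n], i)
    return list(seen)


def covers_every_code(typed, k, n):
    """True when all k**n codes are among the windows tested."""
    return len(windows_tested(typed, n)) == k ** n


def brute_force_digits(k, n):
    """Digits typed when each code is entered separately (the post's 24)."""
    return k ** n * n


if __name__ == "__main__":
    for k, n in ((2, 3), (10, 4)):
        walk = keypad_walk(k, n)
        print(f"B({k},{n}): {len(walk)} digits typed instead of "
              f"{brute_force_digits(k, n)}; covers all codes: "
              f"{covers_every_code(walk, k, n)}")
    # The post's own 10-digit string for the 3-digit binary lock:
    print(windows_tested("0001110100", 3))
```

The construction produces "00010111" for B(2, 3); the post’s "00011101" is another valid B(2, 3) (there are two for this size), and the window check accepts both. A lock that requires an enter key, or that counts attempts and locks out after a few failures, turns the 10 003-digit walk back into 10 000 separate attempts, which is the mitigation the sequence argues for.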
Assume the following very basic hashing algorithm.
h(k) = k mod 17
Let’s say we create a password 12345 for a website that uses this very basic hashing algorithm. That would yield the hash of 3.
Say a brute force attacker comes by and starts guessing numbers starting at 1; they would only have to get to 3 before they got a hash collision, and obviously 3 is not the original password.
Is the problem that the password hashing space (0-16) is much smaller than the space of the allowed password, or is there something else I’m overlooking?
I have the following command:
patator ssh_login host=<ip> port=<port> user=<user> password=FILE0 0=<path to pwdlist>
I would like to output the success result only and not output all lines.
My first attempt was:
patator ssh_login host=<ip> port=<port> user=<user> password=FILE0 0=<path to pwdlist> | grep "INFO - 0"
but that didn’t work.
Can anyone assist?
I’m playing an artificer, and I have the bag of holding infusion. I was thinking that if I put a whole person in a bag of holding against his or her will, that would be basically an instakill, right?
My DM said that in my infused bag of holding nothing living can enter, and if it does, it instantly dies. How do I do that? Just a regular melee attack roll? Do I make an opposed strength check? What if we are just talking and I randomly do that, does that count as a surprise round so I can do it before rolling for initiative?
Bags of holding are 2 feet wide, does a dwarf fit in there? (I want to kill a really bad dwarf mafia boss.)
Tell me where to refer to the function to be run once at the start of the page.
Exactly. I mean to set a specific template so that every time you open the page the same template always loads, regardless of what template was set up in the back end.
Interested in other peoples thoughts. If a Wizard has a familiar, and is subject to Phantasmal force:
- Does the familiar see the same illusion as the Wizard?
- Does the familiar not seeing the same thing result in a bonus to save, or a free subsequent disbelieve check?
My professor made this site for us and gave us a project to find the password if we have the email. Is it possible? Not sure if this is relevant, but the site isn’t HTTPS either.
In plotting out low-level encounters at the start of a campaign (especially with new players) I prefer to create opponents who don’t want to kill the PCs right away. Instead, I generally have them use nonlethal force and capture the PCs if they lose a fight. Then I provide the PCs with a potential out to escape captivity later.
I’m aware that some GMs strongly advocate against capturing PCs on the basis that players hate the feeling of helplessness that capture provides, but I haven’t had bad luck with it in the past, and it’s useful in generating challenging encounters with much less risk of total party kill, especially at low levels where margins for error are small (I’m talking about D&D 3.5, but this generally holds true of most tactical system RPGs as well).
In the past I’ve used as a pretext for this opposition consisting of slavers (the PCs will bring a fine price if captured alive) and evil cultists (the Blood God demands living sacrifices on the night of the Blood Moon!). But the truth is my imagination could use some fresh input. What other generic reasons can you think of that the opposition would use nonlethal force on the PCs?