If you listen to IT Security experts, they will regularly tell you to make your passwords difficult to guess. They will also tell you to ensure it is not short, and has a mixture of alphabetic, numeric & special characters in it - and certainly don't use a word that is found in the dictionary.

Why do we do that? Because it is important that your password cannot be easily guessed, especially using brute force. What does that mean? It means the bad guys can automate a system to make repeated attempts to log in with your username, trying one combination of characters to form your password after another until they stumble across your password & get into your account. This may take hundreds of thousands (or millions) of attempts before the right password is submitted. But depending on the attacking system and their target, they could make hundreds (or more) attempts at the password per second.

So the theory is - the longer the password, the more obscure the word (or combination of words) used, the use of both lower & upper case, along with special characters, the more difficult it is for a bad guy to generate the right combination to match your password. And this is all good advice. It certainly makes it much more difficult for the bad guys.

But I can't help wonder why we allow brute force attacks to work at all. Instead of a system instantly returning with a negative response if the password is incorrect, why not build a delay into the response of say, a tenth of a second? Then, when another log in attempt is made on that same username, the response comes back after a tenth of a second delay. The next failed log in attempt on the username would result in a two tenths delay, then three tenths, etcetera. After one hundred attempts, there would be a ten second delay between responses. By the one thousandth attempt, the delay would be one hundred seconds. This would render a brute force attack useless. But a legitimate user who happened to enter the wrong password would not notice a tenth of a second delay. Even a two tenths or three tenths of a second delay.
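The escalating per-username delay described above, written out as an added example (this is not code from the original post). It assumes a small in-memory credential store and an injectable millisecond clock; `LoginThrottle`, `make_record`, `FakeClock` and `simulate_failed_attempts` are names chosen for this example. One design choice worth noting: rather than sleeping the request thread, the server records the earliest time the next attempt on that username will be evaluated and refuses anything that arrives sooner without touching the password at all, so the attacker's throughput is bounded and the server does no extra work. Unknown usernames are checked against a dummy record so they cost the same as real ones.

```python
import hashlib
import hmac
import os
import time

STEP_MS = 100            # one tenth of a second per failed attempt, as the post proposes
PBKDF2_ROUNDS = 100_000  # constructed value for this example; tune to your hardware in production


def make_record(password: str) -> tuple:
    """Constructed credential record: (salt, PBKDF2-HMAC-SHA256 hash of the password)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginThrottle:
    """Escalating per-username delay on failed logins.

    `clock_ms` returns the current time in milliseconds; it is injectable so the
    behaviour can be exercised without real waiting.
    """

    def __init__(self, credentials: dict, clock_ms=lambda: int(time.monotonic() * 1000)):
        self._credentials = credentials   # username -> (salt, hash)
        self._clock_ms = clock_ms
        self._failures = {}               # username -> consecutive failed attempts
        self._not_before = {}             # username -> earliest time the next attempt is evaluated
        # Dummy record so an unknown username costs the same to check as a real one.
        self._dummy = make_record(os.urandom(16).hex())

    def delay_ms(self, username: str) -> int:
        """Delay currently imposed on the next attempt for this username."""
        return self._failures.get(username, 0) * STEP_MS

    def attempt(self, username: str, password: str) -> tuple:
        """Try to log in. Returns (accepted, retry_after_ms)."""
        now = self._clock_ms()
        not_before = self._not_before.get(username, 0)
        if now < not_before:
            # Too early: refuse without evaluating the password. This neither costs the
            # server a hash computation nor reveals whether the password was right.
            return False, not_before - now
        if self._verify(username, password):
            self._failures.pop(username, None)      # a successful login clears the penalty
            self._not_before.pop(username, None)
            return True, 0
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        delay = failures * STEP_MS                  # 1st failure 100 ms, 2nd 200 ms, 100th 10 s
        self._not_before[username] = now + delay
        return False, delay

    def _verify(self, username: str, password: str) -> bool:
        salt, expected = self._credentials.get(username, self._dummy)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Constant-time comparison; an unknown username still fails after the same work.
        return username in self._credentials and hmac.compare_digest(actual, expected)


class FakeClock:
    """Constructed clock for demonstrations and tests (time in milliseconds)."""

    def __init__(self):
        self.now_ms = 0

    def __call__(self):
        return self.now_ms


def simulate_failed_attempts(throttle: LoginThrottle, clock: FakeClock, username: str, attempts: int) -> int:
    """Model of repeated wrong guesses on one username, each made as soon as the server
    allows, to show how the delay grows. Returns the total elapsed milliseconds."""
    start = clock.now_ms
    for _ in range(attempts):
        _accepted, retry_after = throttle.attempt(username, "not-the-password")
        clock.now_ms += retry_after            # wait out the delay before the next guess
    return clock.now_ms - start


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle({"alice": make_record("correct horse battery staple")}, clock)
    print(throttle.attempt("alice", "wrong"))                           # (False, 100)
    clock.now_ms += 100
    print(throttle.attempt("alice", "correct horse battery staple"))   # (True, 0)
    print("100 wrong guesses took", simulate_failed_attempts(throttle, clock, "alice", 100), "ms")
```

One wrong guess costs a legitimate user a tenth of a second; one hundred consecutive wrong guesses take over eight minutes in total and leave a ten second wait on the account. Because the counter is keyed on the username, a practitioner deploying this would also want to track attempts per source address (so that trying one password against many usernames is slowed as well) and to think about how long the penalty should persist, since anyone can run up the counter on a username they do not own.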

So why aren't delays like this built into log in screens? I don't know why.

OK, OK. I'm sure some people will come back to me & say that it's not technically possible to do something like that on some systems. And I'm sure that's probably true. But I'm also sure there are plenty of systems out there that could be modified to do something like this. It seems logical to me.

Now, even if this was done wherever possible, you still need to use strong passwords. Words that are found in a dictionary are not a good idea, and using family or pet names is certainly not good practice. So you would still need to use strong passwords, but the bad guys would have less chance of cracking your password through repeated, rapid brute force attacks.

Craig Johnston
Senior Cybercrime Research Analyst