ripple / ripple-client

A UI for the Ripple payment network built using web technologies
ISC License

Login security breach #701

Closed johnwell closed 11 years ago

johnwell commented 11 years ago

I have been seeing this, which could be considered a MAJOR bug / feature leak that could compromise the security of wallets: the wallet login page doesn't have a limit on login attempts before displaying a captcha or something to avoid bots using a BRUTE FORCE ATTACK trying to open a wallet.

The name of the wallet is easy to find, even in the bitcointalk giveaway.

My name at ripple forum is johnwell.

macdrac commented 11 years ago

Yes, security should be improved. It's a very bad idea to log in with your wallet name, or at least there should be some limits on how long it should be, etc., and maybe even block the account for a few hours or a day after a couple of failed tries to log in.

singpolyma commented 11 years ago

While I don't disagree per se, the network lag makes this a very inefficient brute force attack to begin with.

JoelKatz commented 11 years ago

How would it know the attempts came from the same source? By IP address?

johnwell commented 11 years ago

Hi Joel, yes, by isolating an IP address and also by rate-limiting the time between the attempts on one wallet.

jedmccaleb commented 11 years ago

It is rate limited by IP now. We are working on other security improvements to the blob vault now.

thekelsey commented 11 years ago

Really, why would you need to know they come from the same source? Just limit the amount of login attempts on the same username? atm you can have as many attempts as you like to brute-force a username list.

johnwell commented 11 years ago

Anyway, the captcha or blocking the wallet for 30 minutes (could be less time) after x amount of failed login attempts on the same username is needed.

JoelKatz commented 11 years ago

@thekelsey There's no way to do that without giving the wallet provider a way to brute force the user names and passwords independently, which would be a huge reduction in security. If the wallet provider can tell that two attempts used the same username even if the passwords are different, then the provider can also tell if the username was "joe" without knowing the password, which would be quite bad.

Actually, maybe that's not true. Maybe we could use a sufficiently weak (very few bits, many collisions) hash that it would be good enough for limiting trials (tarpitting) but not good enough to permit you to brute force the username independently. A 24-bit hash, for example, would do.
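As an added illustration of the tarpit idea in the last comment (example code, not part of ripple-client): failed attempts are counted per 24-bit bucket of the hashed username, so the throttle works while the server only ever sees a bucket shared by many possible usernames. The failure limit, the window length and the use of SHA-256 as the underlying hash are assumptions, not anything the thread specifies.

```python
import hashlib
import time
from collections import defaultdict

BUCKET_BITS = 24          # width from the comment: 2**24 buckets, many collisions
MAX_FAILURES = 5          # assumed policy: failures tolerated per window
WINDOW_SECONDS = 30 * 60  # assumed policy: 30-minute tarpit window


def username_bucket(username: str, bits: int = BUCKET_BITS) -> int:
    """Map a username to a deliberately low-entropy bucket id.

    Only the top `bits` bits of SHA-256 (assumed hash) are kept, so the
    bucket alone cannot confirm that one particular username exists.
    """
    digest = hashlib.sha256(username.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


class Tarpit:
    """Failed-login throttle keyed only on the weak username hash."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)  # bucket -> failure timestamps

    def _prune(self, bucket, now):
        # Forget failures older than the window so blocks expire on their own.
        cutoff = now - self.window
        self.failures[bucket] = [t for t in self.failures[bucket] if t > cutoff]

    def is_blocked(self, username, now=None):
        now = time.time() if now is None else now
        bucket = username_bucket(username)
        self._prune(bucket, now)
        return len(self.failures[bucket]) >= self.max_failures

    def record_failure(self, username, now=None):
        now = time.time() if now is None else now
        bucket = username_bucket(username)
        self._prune(bucket, now)
        self.failures[bucket].append(now)


if __name__ == "__main__":
    tp = Tarpit()
    for _ in range(MAX_FAILURES):
        tp.record_failure("joe", now=0)
    print("blocked after failures:", tp.is_blocked("joe", now=1))
    print("blocked after window:", tp.is_blocked("joe", now=WINDOW_SECONDS + 1))
```

Because the counter is keyed on the bucket rather than the name, an attacker spraying many usernames that fall into the same bucket is throttled together with them, which is the intended trade-off.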