Another (brief) follow-up on the TFA discussion. This weekend, I've been upgrading various server machines. I briefly had SSH open to password logins from the network (boy is *that* a wrong default). One consequence was that I got to see the rate of brute-force login attempts on the root account. Over a roughly 10 second period there were over 1,000 attempts. Needless to say, I turned password login off in the sshd configuration.
Unfortunately, I think we can reasonably expect a similar rate to show up on the Drupal site as its existence becomes known. That causes me to feel once again that brute force attacks need to be an active concern.

As much as I find it useful, Google Authenticator (and Yubikey, and...) are definitely a hassle. Even if you *have* a smart phone, it's a race to get the code entered in time. If you don't have a smart phone, there is an HTML5 app that you can run locally in your browser, but there is still the issue of needing to enter the code when you log in. I'd really like to find a less intrusive solution.

Most CMS systems have a broken login mechanism. They either ship passwords "in the clear", or they attempt to jump back and forth between SSL and non-SSL connections in a way that is easily subverted. The simple fix is to force *all* connections to happen over SSL. Our load isn't big enough for that to present a scalability problem.

What I'm looking at right now is a compromise that looks something like this:

1. Once we get you logged in, stick a per-browser secure authentication cookie in your browser IFF you say you should be remembered. The evolution would be similar to what appears here: http://www.jaspan.com/improved_persistent_login_cookie_best_practice

2. If that cookie is not present, or if it has expired, fall back to TOTP or email you a one-time URL that can be used to fetch a code. It turns out that there are TOTP implementations that will run in any HTML5-enabled browser. If you don't want to run a TOTP application, have a look here: https://github.com/gbraad/gauth

3. Automatically expire ALL cookies whenever ANY cookie is received out of sequence.

Note that TOTP would be used very rarely here. Would something like this be more viable for people?

shap
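Added illustration (not code from the post or from the linked article): a minimal server-side model of steps 1 and 3 above, the series/token "remember me" cookie scheme with per-use token rotation and revocation of every remembered session for a user when a stale token arrives out of sequence. The store, cookie layout and lifetime are assumptions for the example; the hand-off to TOTP in step 2 is where the caller goes whenever the result is anything other than "ok".

```python
import hashlib, hmac, secrets, time

class PersistentLoginStore:
    """Server-side table of remembered browsers: series id -> (user, hashed token, expiry)."""
    def __init__(self, lifetime=30 * 24 * 3600):
        self.rows = {}  # assumption: in-memory dict stands in for a DB table
        self.lifetime = lifetime

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked table cannot be replayed as cookies
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """After a successful login with 'remember me': new series + first token."""
        now = time.time() if now is None else now
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.rows[series] = {"user": user, "token_hash": self._hash(token),
                             "expires": now + self.lifetime}
        return f"{series}:{token}"

    def validate(self, cookie, now=None):
        """Returns (status, user, replacement_cookie); status in ok/expired/theft/invalid."""
        now = time.time() if now is None else now
        series, sep, token = cookie.partition(":")
        row = self.rows.get(series) if sep else None
        if row is None:
            return ("invalid", None, None)
        if now > row["expires"]:
            del self.rows[series]
            return ("expired", None, None)
        if not hmac.compare_digest(row["token_hash"], self._hash(token)):
            # Known series but a token already rotated away: the cookie was replayed
            # out of sequence, so some copy of it is in the wrong hands. Step 3: drop
            # every remembered browser for this user and force a fresh login.
            user = row["user"]
            self.revoke_all(user)
            return ("theft", user, None)
        new_token = secrets.token_urlsafe(16)  # rotate: each cookie value is single-use
        row["token_hash"] = self._hash(new_token)
        row["expires"] = now + self.lifetime
        return ("ok", row["user"], f"{series}:{new_token}")

    def revoke_all(self, user):
        for s in [s for s, r in self.rows.items() if r["user"] == user]:
            del self.rows[s]

def demo():
    store = PersistentLoginStore()
    c1 = store.issue("alice", now=1000)
    ok, _, c2 = store.validate(c1, now=2000)       # normal visit, token rotated to c2
    replay = store.validate(c1, now=3000)[0]       # old c1 presented again: out of sequence
    later = store.validate(c2, now=4000)[0]        # legitimate browser is now logged out too
    return ok, replay, later                       # -> ("ok", "theft", "invalid")
```

The legitimate browser losing its session after a replay is the intended cost: it is the signal that someone else held the cookie, and the user re-authenticates with TOTP.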
_______________________________________________ bitc-dev mailing list [email protected] http://www.coyotos.org/mailman/listinfo/bitc-dev
