should never allow unlimited password retry, and if possible adds a small delay when a password is entered as default.
With a reasonable password even using GPUs etc. would make it very time consuming, and of course if the wrong password is entered either manually locally or remotely more than 3-5 times the IP address should be locked out and the admin informed, as a minimum. On the firewall side if the IP is probed or port scanned from an external source then that IP should also be locked out.

Kind Regards

Peter Atkin (C.T.O)
cfts.co (u) ltd.
Get I.T.Right
+256-772-700781 | Skype: peter2cfu
www.cfts.co.ug [http://www.cfts.co/] | location details [http://www.cfts.co/contacts.html] | View Peter Atkin's profile [http://ug.linkedin.com/in/peteratkin]

-----Original Message-----
From: Benjamin Tayehanpour <[email protected]>
To: Uganda Linux User Group <[email protected]>
Date: Wed, 29 May 2013 12:42:45 +0200
Subject: Re: [LUG] NITA site hacked!

Unless they change their ways. Which one should always do after a breach.

On 29 May 2013 12:40, "Mike Barnard" <[email protected]> wrote:

With hash tables out there and people using GPUs for parallel processing, this will be hacked in a few minutes. The problem is that now one has a rough idea on how they form their passwords. It makes it even easier to get in next time.

On 29 May 2013 12:56, Mwirima Byaruhanga <[email protected]> wrote:

Mike Barnard wrote thus on 5/29/13 11:48 AM:
> and to make it worse!!!!!!!!
>
> http://www.nita.go.ug/new/configuration.php-1
>
> <?php
> class JConfig {
> var $offline = '1';
> var $editor = 'tinymce';
> var $list_limit = '20';
> var $helpurl = 'http://help.joomla.org';
> var $debug = '0';
> var $debug_lang = '0';
> var $sef = '1';
> var $sef_rewrite = '0';
> var $sef_suffix = '0';
> var $feed_limit = '10';
> var $feed_email = 'author';
> _* var $secret = 'smX7Nn30nbhMizyd';*_

But this would be the hashed 'secret', right? (Well, it may not be strong encryption but ..
)

eb

--
Mike

Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.

------------------------------------------------------------
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug
Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug
The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
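Peter's lockout rule above (lock the source IP after 3-5 wrong passwords and inform the admin), as an added example that is not part of this thread: it counts failed logins per IP inside a sliding window over constructed sshd-style log lines, so the hostnames, addresses, year and the 5-in-10-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (assumed, not from the thread).
SAMPLE_LOG = """\
May 29 12:40:01 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
May 29 12:40:03 web1 sshd[2203]: Failed password for admin from 203.0.113.7 port 51023 ssh2
May 29 12:40:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 29 12:40:09 web1 sshd[2207]: Failed password for admin from 203.0.113.7 port 51025 ssh2
May 29 12:40:12 web1 sshd[2209]: Failed password for admin from 203.0.113.7 port 51026 ssh2
May 29 12:41:00 web1 sshd[2211]: Failed password for peter from 198.51.100.4 port 40001 ssh2
May 29 12:41:30 web1 sshd[2213]: Accepted password for peter from 198.51.100.4 port 40002 ssh2
May 29 12:58:00 web1 sshd[2215]: Failed password for admin from 192.0.2.9 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_ts(ts, year=2013):
    # syslog timestamps carry no year; one is assumed for the demo
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_lockouts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (time_of_lockout, failures_in_window)} for IPs that hit the threshold."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in lockouts:  # successes and already-locked IPs are ignored
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]  # slide the window
        if len(recent[ip]) >= threshold:
            lockouts[ip] = (ts, len(recent[ip]))
    return lockouts

def alert_lines(lockouts):
    """Messages the admin would be sent (a firewall block would be issued alongside)."""
    return [f"LOCKOUT {ip}: {n} failed logins, last at {t.isoformat()}"
            for ip, (t, n) in sorted(lockouts.items())]

if __name__ == "__main__":
    for msg in alert_lines(find_lockouts(SAMPLE_LOG)):
        print(msg)
```

Only 203.0.113.7 crosses the threshold in the sample; the single failures from the other two addresses stay below it and generate no alert.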
