Bitcoin Forum
December 08, 2016, 06:14:20 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Use Bitcoins During Login to Make Brute Force Attack Expensive to the Hacker.  (Read 3411 times)
spreaders
Newbie
*
Offline Offline

Activity: 10


View Profile
July 07, 2011, 01:12:33 AM
 #1

I had an idea for the use of bitcoins during the login process that would make life more difficult for hackers that use a brute force attack to access an online account. Here are my initial thoughts on how it could be implemented.

User signs up for an account in the usual way, eg user name, password etc, but is also asked for a bitcoin address.

When the user comes to log in to their account the user gives name and password as usual. They are then asked to deposit X bitcoins to an address of the website provider.

User name and password are then verified, along with verification that the requested deposit has been made.

If user name or password are invalid or the deposit has not been made, the user is denyed access.

If the user name is valid the deposited bitcoins are returned to the registered users registered bitcoin address. If not, the bitcoins stay with the website owner.

What a valid user would see is that they pay out X bitcoins but immediately get them returned. If someone is trying to get into their account, they would see a nice little bitcoin bonus being paid to them everytime the hacker tries a new password.

This method would cost a hacker everytime they attempted to break in, thereby detering brute force attacks on websites, with no prospect of ever getting the bitcoins back.

Depending on the sensitivity of the account being protected, could determine the size of the bitcoin deposit to be made each time.

I realise there may be problems with this method, the main one I can think of is the time delay between sending the bitcoins for login and getting a confirmation that allows access.

Anyone wanting to develop a service around this idea, feel free, I'm putting this idea out there to help encourage the use of bitcoins.
1481220860
Hero Member
*
Offline Offline

Posts: 1481220860

View Profile Personal Message (Offline)

Ignore
1481220860
Reply with quote  #2

1481220860
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481220860
Hero Member
*
Offline Offline

Posts: 1481220860

View Profile Personal Message (Offline)

Ignore
1481220860
Reply with quote  #2

1481220860
Report to moderator
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616


Firstbits.com/1fg4i                :Ƀ


View Profile
July 07, 2011, 01:21:56 AM
 #2

You mean for this forum? That would be an issue for newbies and people coming here to get help to get their clients working etc...

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
jostmey
Full Member
***
Offline Offline

Activity: 224



View Profile WWW
July 07, 2011, 06:32:52 AM
 #3

That time delay is an idea killer.

Search Bitcoin
Discover the bitcoin economy
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
July 07, 2011, 06:49:04 AM
 #4

Any client-side puzzle will do to slow down brute-force attacks, bitcoin has no specific advantage here IMO

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
spreaders
Newbie
*
Offline Offline

Activity: 10


View Profile
July 07, 2011, 10:48:59 AM
 #5

a puzzle would certainly slow an attack, such as capcha and the like, but this adds a cost to the hacker. Time delay is certainly a killer, but maybe some bright spark will be able to speed things up.
naturallaw
Jr. Member
*
Offline Offline

Activity: 56


View Profile
July 07, 2011, 03:05:51 PM
 #6

I really don't think brute force attacks are a problem these days if people simply choose a decently complex password and the authenticator employs a basic method of blocking continuous password guesses like automatic account locks after a number of invalid logins. There are so many other more viable ways to hijack user accounts these days such as session hijacking, CSRF, XSS, SQL injection, etc.
TimoWillemsen
Newbie
*
Offline Offline

Activity: 15


View Profile
July 07, 2011, 03:38:09 PM
 #7

Im sorry but I dont see how sql-injection and xss are still a problem here. Every webdeveloper should know about them. I wouldn't trust a single bitcoin at a website that EVER had such a vulnerability, beacause it means security isn't considered by design.

Finding a method that stops brute forceing without bad user experience can be hard. Im not sqying what the TS suggests is a good idea though.
Coinbuck @ BTCLot
Hero Member
*****
Offline Offline

Activity: 541

The future begins today


View Profile WWW
July 07, 2011, 03:55:07 PM
 #8

Im sorry but I dont see how sql-injection and xss are still a problem here. Every webdeveloper should know about them. I wouldn't trust a single bitcoin at a website that EVER had such a vulnerability, beacause it means security isn't considered by design.

Finding a method that stops brute forceing without bad user experience can be hard. Im not sqying what the TS suggests is a good idea though.


x2

Bitcoin is the future !
naturallaw
Jr. Member
*
Offline Offline

Activity: 56


View Profile
July 07, 2011, 04:32:00 PM
 #9

I agree, but when was the last time someone hijacked a web account by brute force when the user had a respectable password?
naturallaw
Jr. Member
*
Offline Offline

Activity: 56


View Profile
July 07, 2011, 04:34:57 PM
 #10

It's an interesting idea anyway, spreaders. Might be for more applicable for something else I think though.
Rob P.
Member
**
Offline Offline

Activity: 84



View Profile WWW
July 07, 2011, 07:41:40 PM
 #11

Two words:  Transaction Fees

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
TheRandomGuy
Full Member
***
Offline Offline

Activity: 163


View Profile
July 07, 2011, 08:00:23 PM
 #12

Two Words: BAD IDEA!  Shocked

BTC: 1wbGAAabrsu8pjVXWUQvjUUhe18e721K2
FAUCET ROTATOR SCRIPT
dazedtrader
Newbie
*
Offline Offline

Activity: 25


View Profile
July 08, 2011, 05:35:00 PM
 #13

TradeHill seem to use a captcha to prevent logins being bruce forced. It seems a bit of an odd approach to me ... wouldn't rate throttling on the server be a better solution that wouldn't inconvenience the users every time they log in?

Why not buy me a cup of coffee: 1BcLU9n1TfoLnkgC1p2wqT2SyP354XTngW
naturallaw
Jr. Member
*
Offline Offline

Activity: 56


View Profile
July 08, 2011, 07:21:20 PM
 #14

TradeHill seem to use a captcha to prevent logins being bruce forced. It seems a bit of an odd approach to me ... wouldn't rate throttling on the server be a better solution that wouldn't inconvenience the users every time they log in?

+5

Maybe they have that too? The API doesn't require a CAPTCHA...
coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
July 09, 2011, 05:51:54 AM
 #15

Here's another variant of the same idea: Upon login, you see something like this:

Code:
User ID:  [ johndoe               ]
Password: [ --------------------  ]
You have BTC 0.0094. To add, send more BTC to 1x7uDNn2aDugntBy96zBWXE7zt546M6JgY

On every logon, successful or not, web site will send BTC 0.0001 to the user. When balance runs out, user can no longer logon, with or without valid password. The only way to try again is to send BTC to that address. Basically, if you are a hacker, you will need to keep sending BTC in order to try, and the user will keep the dough

Probably not a great idea for password protection per se, but I wonder if there could be more applications to such model

GPG key: 6F8E305690A05365B58C50A
Rob P.
Member
**
Offline Offline

Activity: 84



View Profile WWW
July 09, 2011, 01:36:01 PM
 #16

Here's another variant of the same idea: Upon login, you see something like this:

Code:
User ID:  [ johndoe               ]
Password: [ --------------------  ]
You have BTC 0.0094. To add, send more BTC to 1x7uDNn2aDugntBy96zBWXE7zt546M6JgY

On every logon, successful or not, web site will send BTC 0.0001 to the user. When balance runs out, user can no longer logon, with or without valid password. The only way to try again is to send BTC to that address. Basically, if you are a hacker, you will need to keep sending BTC in order to try, and the user will keep the dough

Probably not a great idea for password protection per se, but I wonder if there could be more applications to such model

Why would anyone pay money to login?  I understand you're sending to an address and then getting the coins back.  However, there are transaction fees on every send, so you're paying TWICE the transaction fee for every login.

Sure, you could set the transaction fee to 0.  But that's going to seriously delay your ability to login as you wait for the transaction to be added to the block chain.

It's just not practical.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
July 11, 2011, 05:44:15 AM
 #17

Why would anyone pay money to login?  I understand you're sending to an address and then getting the coins back.  However, there are transaction fees on every send, so you're paying TWICE the transaction fee for every login.

Sure, you could set the transaction fee to 0.  But that's going to seriously delay your ability to login as you wait for the transaction to be added to the block chain.

It's just not practical.

I understand your point, and I agree that it is not practical.

GPG key: 6F8E305690A05365B58C50A
somebadger
Jr. Member
*
Offline Offline

Activity: 56



View Profile WWW
July 11, 2011, 06:59:37 AM
 #18

i love this concept, the fees can be lessend by manual return requests when u get to a certain ballance, but the sending for login will cost a bit too much in fees, and not to mention the wait time for confirmations, without wich makes the system not really reliable.

i guess you could start your own fork then sell btc for your logincoins or something similar then u can abolish the fees ?

http://pool.betcoin.co/banners/1.sig.png <-- Click here to join me Smiley
--
Have I been helpful ? Kick some coins over to 1BLkDhijWne8dAhK4TA9dceUC6C6K6Fite Smiley
dazedtrader
Newbie
*
Offline Offline

Activity: 25


View Profile
July 11, 2011, 12:18:25 PM
 #19

This sounds a little bit like HashCash, which was around before Bitcoin and I believe influenced it.

Why not buy me a cup of coffee: 1BcLU9n1TfoLnkgC1p2wqT2SyP354XTngW
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!