spreaders (OP)
Newbie
Offline
Activity: 10
Merit: 0
July 07, 2011, 01:12:33 AM
I had an idea for the use of bitcoins during the login process that would make life more difficult for hackers that use a brute force attack to access an online account. Here are my initial thoughts on how it could be implemented.
User signs up for an account in the usual way, eg user name, password etc, but is also asked for a bitcoin address.
When the user comes to log in to their account the user gives name and password as usual. They are then asked to deposit X bitcoins to an address of the website provider.
User name and password are then verified, along with verification that the requested deposit has been made.
If the user name or password is invalid or the deposit has not been made, the user is denied access.
If the user name is valid, the deposited bitcoins are returned to the registered user's registered bitcoin address. If not, the bitcoins stay with the website owner.
What a valid user would see is that they pay out X bitcoins but immediately get them returned. If someone is trying to get into their account, they would see a nice little bitcoin bonus being paid to them every time the hacker tries a new password.
This method would cost a hacker every time they attempted to break in, thereby deterring brute force attacks on websites, with no prospect of ever getting the bitcoins back.
The sensitivity of the account being protected could determine the size of the bitcoin deposit to be made each time.
I realise there may be problems with this method, the main one I can think of is the time delay between sending the bitcoins for login and getting a confirmation that allows access.
Anyone wanting to develop a service around this idea, feel free, I'm putting this idea out there to help encourage the use of bitcoins.
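The scheme in this post, worked through as an added example (not the poster's code, and not anything a real site runs). A dictionary of balances stands in for the block chain with instant settlement, so the confirmation delay the post flags is deliberately not modelled; the addresses, the deposit size X, the network fee and the account names are constructed for the example. The simulation follows the steps above literally: the deposit is collected before the password is checked, a failed check keeps the deposit, and a successful check refunds it to the registered address rather than to whoever paid.

```python
"""Toy model of the deposit-per-login scheme proposed above.

Added example, not the poster's code. A dict of balances stands in for the
block chain with instant settlement, so the confirmation delay the post
flags is not modelled. Addresses, amounts and the fee are constructed.
"""
import hashlib
import hmac
import os

DEPOSIT = 0.01    # X bitcoins required per login attempt (assumed)
FEE = 0.0005      # network fee paid by the sender of every transfer (assumed)
SITE_ADDRESS = "site_deposit_addr"  # placeholder for the provider's address


class Wallets:
    """Stand-in for the block chain: address -> balance, instant settlement."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def send(self, src, dst, amount):
        """Move `amount` from src to dst; the sender also pays FEE."""
        total = amount + FEE
        if self.balances.get(src, 0.0) < total:
            return False
        self.balances[src] -= total
        self.balances[dst] = self.balances.get(dst, 0.0) + amount
        return True


class DepositGatedLogin:
    def __init__(self, wallets):
        self.wallets = wallets
        self.accounts = {}  # username -> (salt, password hash, refund address)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, refund_address):
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._hash(password, salt), refund_address)

    def login(self, username, password, payer_address):
        """Return True on success; the deposit is collected before any check."""
        # Step 1: no deposit, no attempt.
        if not self.wallets.send(payer_address, SITE_ADDRESS, DEPOSIT):
            return False
        # Step 2: verify the credentials with a constant-time comparison.
        rec = self.accounts.get(username)
        if rec is None:
            return False                 # unknown user: the site keeps the deposit
        salt, pw_hash, refund_address = rec
        if not hmac.compare_digest(pw_hash, self._hash(password, salt)):
            return False                 # wrong password: the site keeps the deposit
        # Step 3: refund to the REGISTERED address, never to whoever paid.
        # The site is the sender, so it nets its own FEE out of the refund;
        # the account holder therefore loses two fees per successful login.
        self.wallets.send(SITE_ADDRESS, refund_address, DEPOSIT - FEE)
        return True


def simulate(legit_logins=3, attacker_guesses=5):
    """Run a few legitimate logins and a few wrong guesses; report the money flows."""
    wallets = Wallets({"alice_addr": 1.0, "attacker_addr": 1.0, SITE_ADDRESS: 1.0})
    site = DepositGatedLogin(wallets)
    site.register("alice", "correct horse battery", "alice_addr")
    legit = [site.login("alice", "correct horse battery", "alice_addr")
             for _ in range(legit_logins)]
    guesses = [site.login("alice", f"guess{i}", "attacker_addr")
               for i in range(attacker_guesses)]
    return {
        "legit_success": all(legit),
        "attacker_success": any(guesses),
        "legit_cost": round(1.0 - wallets.balances["alice_addr"], 6),
        "attacker_cost": round(1.0 - wallets.balances["attacker_addr"], 6),
        "site_gain": round(wallets.balances[SITE_ADDRESS] - 1.0, 6),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the economics both sides of the thread argue about: every wrong guess costs the guesser the full deposit plus a fee, but every legitimate login also costs the account holder two network fees, and none of this accounts for waiting on confirmations before the site can trust that a deposit was made.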
TiagoTiago
July 07, 2011, 01:21:56 AM
You mean for this forum? That would be an issue for newbies and people coming here to get help to get their clients working etc...
(I don't always get new reply notifications, pls send a pm when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!
jostmey
July 07, 2011, 06:32:52 AM
That time delay is an idea killer.
wumpus
July 07, 2011, 06:49:04 AM
Any client-side puzzle will do to slow down brute-force attacks, bitcoin has no specific advantage here IMO
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
spreaders (OP)
Newbie
Offline
Activity: 10
Merit: 0
July 07, 2011, 10:48:59 AM
A puzzle would certainly slow an attack, such as a captcha and the like, but this adds a cost to the hacker. Time delay is certainly a killer, but maybe some bright spark will be able to speed things up.
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 07, 2011, 03:05:51 PM
I really don't think brute force attacks are a problem these days if people simply choose a decently complex password and the authenticator employs a basic method of blocking continuous password guesses like automatic account locks after a number of invalid logins. There are so many other more viable ways to hijack user accounts these days such as session hijacking, CSRF, XSS, SQL injection, etc.
TimoWillemsen
Newbie
Offline
Activity: 15
Merit: 0
July 07, 2011, 03:38:09 PM
I'm sorry but I don't see how SQL injection and XSS are still a problem here. Every web developer should know about them. I wouldn't trust a single bitcoin at a website that EVER had such a vulnerability, because it means security isn't considered by design.
Finding a method that stops brute forcing without bad user experience can be hard. I'm not saying what the TS suggests is a good idea though.
Coinbuck @ BTCLot
July 07, 2011, 03:55:07 PM
> I'm sorry but I don't see how SQL injection and XSS are still a problem here. Every web developer should know about them. I wouldn't trust a single bitcoin at a website that EVER had such a vulnerability, because it means security isn't considered by design.
> Finding a method that stops brute forcing without bad user experience can be hard. I'm not saying what the TS suggests is a good idea though.
x2
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 07, 2011, 04:32:00 PM
I agree, but when was the last time someone hijacked a web account by brute force when the user had a respectable password?
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 07, 2011, 04:34:57 PM
It's an interesting idea anyway, spreaders. Might be more applicable for something else, I think, though.
Rob P.
July 07, 2011, 07:41:40 PM
Two words: Transaction Fees
--
If you like what I've written here, consider tipping the messenger: 1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG
If you don't like what I've written, send me a Tip and I'll stop talking.
TheRandomGuy
July 07, 2011, 08:00:23 PM
Two Words: BAD IDEA!
dazedtrader
Newbie
Offline
Activity: 25
Merit: 0
July 08, 2011, 05:35:00 PM
TradeHill seem to use a captcha to prevent logins being brute forced. It seems a bit of an odd approach to me ... wouldn't rate throttling on the server be a better solution that wouldn't inconvenience the users every time they log in?
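The server-side throttling this post asks about, combined with the automatic account lock naturallaw mentioned earlier, as an added example (my code, not TradeHill's, and nothing here describes how any real site is configured). It keeps a sliding window of attempts per source IP and a temporary lockout per account after consecutive failures; the thresholds, IP addresses and user names are assumptions. The point is that a legitimate user never sees any of it unless they trip a threshold, which is the user-experience advantage over a captcha on every login.

```python
"""Server-side login throttling instead of a per-login CAPTCHA.

Added example, not TradeHill's code. It combines a sliding-window limit per
source IP with a temporary per-account lockout after consecutive failures,
the 'automatic account lock' mentioned earlier in the thread. All thresholds
and the sample traffic below are assumptions.
"""
from collections import defaultdict, deque

IP_WINDOW_SECONDS = 60      # look-back window for the per-IP limit (assumed)
IP_MAX_ATTEMPTS = 20        # attempts allowed per IP inside the window (assumed)
ACCOUNT_MAX_FAILURES = 5    # consecutive failures before lockout (assumed)
ACCOUNT_LOCK_SECONDS = 900  # lockout length, 15 minutes (assumed)


class LoginThrottle:
    """Decides whether a login attempt may even reach the password check."""

    def __init__(self):
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self._failures = defaultdict(int)       # username -> consecutive failures
        self._locked_until = {}                 # username -> unlock timestamp

    def check(self, ip, username, now):
        """Return None if the attempt may proceed, else a short reason."""
        q = self._ip_attempts[ip]
        # Drop timestamps that fell out of the window.
        while q and q[0] <= now - IP_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= IP_MAX_ATTEMPTS:
            return "ip_rate_limited"
        q.append(now)  # count the attempt even if the account turns out locked
        if self._locked_until.get(username, 0) > now:
            return "account_locked"
        return None

    def record(self, username, success, now):
        """Call after the password check with its outcome."""
        if success:
            self._failures[username] = 0
            self._locked_until.pop(username, None)
            return
        self._failures[username] += 1
        if self._failures[username] >= ACCOUNT_MAX_FAILURES:
            self._locked_until[username] = now + ACCOUNT_LOCK_SECONDS
            self._failures[username] = 0


def run_demo():
    """Constructed traffic: six bad guesses for 'bob' from one IP, then bob himself."""
    throttle = LoginThrottle()
    outcomes = []
    for second in range(6):
        reason = throttle.check("198.51.100.7", "bob", now=second)
        outcomes.append(reason)
        if reason is None:
            throttle.record("bob", success=False, now=second)
    # bob logs in from home after the lockout has expired
    outcomes.append(throttle.check("192.0.2.10", "bob", now=6 + ACCOUNT_LOCK_SECONDS))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

One caveat a practitioner would add: a plain per-account lockout lets anyone lock a user out by sending bad passwords for that name, so production deployments usually lock per (account, source) pair or use growing delays rather than a hard lock, and log both counters so the attempts show up in monitoring.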
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 08, 2011, 07:21:20 PM
> TradeHill seem to use a captcha to prevent logins being brute forced. It seems a bit of an odd approach to me ... wouldn't rate throttling on the server be a better solution that wouldn't inconvenience the users every time they log in?
+5 Maybe they have that too? The API doesn't require a CAPTCHA...
coga
Full Member
Offline
Activity: 222
Merit: 100
www.btcbuy.info
July 09, 2011, 05:51:54 AM
Here's another variant of the same idea: Upon login, you see something like this:

User ID: [ johndoe ]
Password: [ -------------------- ]
You have BTC 0.0094. To add, send more BTC to 1x7uDNn2aDugntBy96zBWXE7zt546M6JgY

On every logon, successful or not, web site will send BTC 0.0001 to the user. When balance runs out, user can no longer logon, with or without valid password. The only way to try again is to send BTC to that address. Basically, if you are a hacker, you will need to keep sending BTC in order to try, and the user will keep the dough. Probably not a great idea for password protection per se, but I wonder if there could be more applications to such model.
GPG key: 6F8E305690A05365B58C50A
Rob P.
July 09, 2011, 01:36:01 PM
> Here's another variant of the same idea: Upon login, you see something like this:
>
> User ID: [ johndoe ]
> Password: [ -------------------- ]
> You have BTC 0.0094. To add, send more BTC to 1x7uDNn2aDugntBy96zBWXE7zt546M6JgY
>
> On every logon, successful or not, web site will send BTC 0.0001 to the user. When balance runs out, user can no longer logon, with or without valid password. The only way to try again is to send BTC to that address. Basically, if you are a hacker, you will need to keep sending BTC in order to try, and the user will keep the dough. Probably not a great idea for password protection per se, but I wonder if there could be more applications to such model.

Why would anyone pay money to login? I understand you're sending to an address and then getting the coins back. However, there are transaction fees on every send, so you're paying TWICE the transaction fee for every login.
Sure, you could set the transaction fee to 0. But that's going to seriously delay your ability to login as you wait for the transaction to be added to the block chain.
It's just not practical.
--
If you like what I've written here, consider tipping the messenger: 1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG
If you don't like what I've written, send me a Tip and I'll stop talking.
coga
Full Member
Offline
Activity: 222
Merit: 100
www.btcbuy.info
July 11, 2011, 05:44:15 AM
> Why would anyone pay money to login? I understand you're sending to an address and then getting the coins back. However, there are transaction fees on every send, so you're paying TWICE the transaction fee for every login.
> Sure, you could set the transaction fee to 0. But that's going to seriously delay your ability to login as you wait for the transaction to be added to the block chain.
> It's just not practical.

I understand your point, and I agree that it is not practical.
GPG key: 6F8E305690A05365B58C50A
somebadger
Member
Offline
Activity: 170
Merit: 10
July 11, 2011, 06:59:37 AM
I love this concept. The fees can be lessened by manual return requests when you get to a certain balance, but the sending for login will cost a bit too much in fees, not to mention the wait time for confirmations, without which the system is not really reliable.
I guess you could start your own fork, then sell BTC for your logincoins or something similar, then you can abolish the fees?
dazedtrader
Newbie
Offline
Activity: 25
Merit: 0
July 11, 2011, 12:18:25 PM
This sounds a little bit like HashCash, which was around before Bitcoin and I believe influenced it.