This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
Original issue 174 created by sweerek on 2012-05-01T20:57:36.000Z:
What steps will reproduce the problem?
Use two-step authentication
Enter name and password in Google login page
Guess six-digits
What is the expected output? What do you see instead?
If I'm a bad guy and can enter 17 guesses a second, I'll get in half the time before the code expires (in 5 minutes).
Requested two-step Improvement: Maximum of ten of six-digit entry attempts
Risk: It appears that with the correct login and password (say from a keylogger), an unknown user has an unlimited number of attempts to guess the six-digits before it expires (2-5 minutes?).
Hypothetical: An attacker would have 50/50 odds of guessing the number in 5 minutes at 17 guesses/second.
I recommend that two-step verification only provide 10 guesses per six-digit code. With ten guesses, the odds of success are 1:1000. After 10 guesses the six-digit code expires.
To prevent automation from just repeating this attack a time penalty is needed. (1000 tries of the 10-guess max rule would get the threat inside half the time, if I recall my statistics correctly.)
A time penalty, say 2-5 minutes, between how often new six-digits are sent (and maybe accepted) would greatly slow down such automated attacks. Reporting a huge number of attempts to the user would be advisable, with the recommendation to change her password when on a trustworthy device.
While this could be a CPanel option for Google Apps admins, I think it would be more applicable to all Google 2-step users.
No change on Google Authenticator -- it would keep creating codes... they just won't be accepted by Google.
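The two server-side controls the issue asks for, a cap on guesses per code and a cool-down once the cap is hit, can be shown in a small verifier. The code below is an added example written for this page; it is not Google's code and not part of the google-authenticator project. The stored codes, the limit of 10 attempts, the 5-minute cool-down and the injectable clock are all constructed assumptions. It also includes a helper that computes the probability of a brute-force guesser hitting a uniformly random six-digit code in a given number of distinct guesses, so the numbers in the report can be checked.

```python
"""Attempt-limited verification of a six-digit one-time code.

Added example (not Google's or the project's code). The limits, the stored
codes and the clock below are assumptions used to demonstrate the controls.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable

MAX_ATTEMPTS_PER_CODE = 10   # proposed cap from the issue (assumption)
LOCKOUT_SECONDS = 300        # cool-down after the cap, 5 minutes (assumption)
CODE_SPACE = 10 ** 6         # six decimal digits


def brute_force_success_probability(guesses: int, code_space: int = CODE_SPACE) -> float:
    """Probability that `guesses` distinct guesses hit one uniformly random code."""
    return min(guesses, code_space) / code_space


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class CodeVerifier:
    """Checks a submitted code and enforces the per-code cap plus cool-down."""
    expected: Dict[str, str]                       # user -> current valid code (constructed)
    clock: Callable[[], float] = time.time         # injectable for testing
    state: Dict[str, AttemptState] = field(default_factory=dict)

    def issue_code(self, user: str, code: str) -> None:
        """Store a freshly generated code for `user` (generation itself is out of scope)."""
        self.expected[user] = code

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. Nothing is compared while locked."""
        now = self.clock()
        st = self.state.setdefault(user, AttemptState())
        if now < st.locked_until:
            return "locked"                        # cool-down: even the right code is refused
        code = self.expected.get(user)
        if code is not None and hmac.compare_digest(code, submitted):
            self.expected.pop(user, None)          # a code is accepted at most once
            self.state.pop(user, None)
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS_PER_CODE:
            self.expected.pop(user, None)          # the code expires; a new one must be issued
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
        return "wrong"


def guesses_evaluated_before_lock(verifier: CodeVerifier, user: str,
                                  candidates: Iterable[str]) -> int:
    """Count how many submissions were actually compared before the cool-down kicked in."""
    evaluated = 0
    for candidate in candidates:
        result = verifier.verify(user, candidate)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    # Constructed demo: a fixed code and a fake clock that we advance by hand.
    now = [1000.0]
    verifier = CodeVerifier(expected={"alice": "123456"}, clock=lambda: now[0])
    wrong = (f"{i:06d}" for i in range(100))      # 100 guesses, none equal to 123456
    print("guesses compared before lock:", guesses_evaluated_before_lock(verifier, "alice", wrong))
    print("17 guesses/s for 5 minutes, P(hit):", brute_force_success_probability(17 * 300))
```

With the cap in place the verifier compares at most 10 submissions per code and then refuses everything, including a newly issued correct code, until the cool-down has elapsed; the success-probability helper makes it easy to see how much the cap and the cool-down reduce what an unthrottled guesser could achieve in the code's lifetime.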