  • Resolved: Scott DeLuzio (@scottdeluzio)

    I’m not exactly sure how you might implement this, but it occurred to me today as I was looking at a brute force attack email that it might be useful to know what password was used on a failed login.
    For example, if my username is “admin” (it’s not), and my password is “Password20” (again, it’s not), it might be useful for me to know if the brute force attacks are getting close to my actual password. So for instance if the logged failed logins are using passwords: Password1, Password2, Password3, Password4, Password5…etc. I might think to change my password so that it is out of that pattern, as the attack is obviously following a pattern and will soon reach my password (Password20). In the case of a user who has a common password across multiple accounts it might be an eye opener that they should choose a unique password on all their accounts.
    While this might not be the best information to have in a “digest” email sent to one admin user, it might be useful to display a notice on the dashboard for users when they successfully log in to their account. Some notice saying something like “recent brute force attack using your username ‘admin’ included the following password attempts: Password1, Password2, Password3, Password4, Password5…”
    Perhaps this isn’t possible due to how WP handles password encryption at login, but it might be a useful feature to have if it is possible.

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thanks for your suggestion, I just finished the code to implement this feature and you can get the latest version of the plugin by downloading this Zip file which has the code from the development branch. Be aware that storing passwords is a bad idea (even if they are wrong).

    Suppose that you have entered your password by mistake, the plugin will log this information in the security logs (which are text/plain files). If someone gets access to your Sucuri API key, or your server fails to process the PHP files (which is not usual but may happen) then an attacker may get your credentials and invade your site.

    Anyway, I added this feature as an extra option in the plugin’s settings, so it is up to you to enable it or not. Feel free to download the archive mentioned above or wait for the official release of version 1.7.3.

    Thread Starter: Scott DeLuzio (@scottdeluzio)

    Thanks for the response. Like I said, I wasn’t entirely sure how to best implement an idea like this, or even if it was a good idea to do. After reading your response, I’m inclined to think that perhaps it isn’t as good of an idea as I originally thought.
    Maybe a better (or at least more secure) feature would be to encrypt the brute force passwords in the database. Anyone who suspects another account has been compromised (their email, social media, etc.) could check their password through a form in the admin to see if it matched any of the passwords used in the brute force attacks. This would help confirm that the other account’s password needs to be changed in addition to the WP password.
    Nothing would be saved in plain text, and would only indicate a yes/no response if an entered password matched any of the passwords used in a brute force attack.
    Again, I haven’t thought through all the details – just offering a suggestion. Thanks again for your response.
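One way to build the hashed yes/no check proposed above, as an added PHP example that is not the Sucuri plugin's code: failed attempts are kept only as bcrypt hashes (via password_hash), so nothing is stored in plain text, and the check tests the entered password against each stored hash with password_verify. The function names, the in-memory $store array and the attempt cap are assumptions; in a real plugin the store would be persisted (e.g. with update_option) and fed from WordPress's authenticate filter, which receives the submitted password.

```php
<?php
// Added example, not code from the Sucuri plugin. Names are assumptions.
// Idea: never log an attempted password in clear text; keep a salted,
// one-way hash instead, and only ever answer "was this password tried?".

// Cap the hashes kept per username: bcrypt is deliberately slow, and the
// check below must test every stored hash (salted hashes cannot be indexed).
const BF_ATTEMPT_LIMIT = 100;

/** Record a failed-login password attempt as a bcrypt hash. */
function bf_record_failed_attempt(array &$store, string $username, string $attempt): void
{
    $hashes = $store[$username] ?? [];
    // Salted and one-way: neither an admin nor someone who obtains the
    // store can read the attempted password back from this value.
    $hashes[] = password_hash($attempt, PASSWORD_BCRYPT, ['cost' => 10]);
    // Keep only the most recent attempts so the check stays bounded.
    $store[$username] = array_slice($hashes, -BF_ATTEMPT_LIMIT);
}

/**
 * Yes/no answer for the admin form: did any recorded attempt for
 * $username equal $candidate? Returns no detail about other attempts.
 * Expose this only to the logged-in user for their own username, and
 * rate-limit it, since it is still a (weak) password oracle.
 */
function bf_password_was_attempted(array $store, string $username, string $candidate): bool
{
    foreach ($store[$username] ?? [] as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: a guessing pattern like the one described in the thread.
$store = [];
foreach (['Password1', 'Password2', 'Password3'] as $guess) {
    bf_record_failed_attempt($store, 'admin', $guess);
}
// The stored values are hashes, not the guesses themselves.
var_dump($store['admin'][0] !== 'Password1');
// A user can learn whether their real password was among the attempts.
var_dump(bf_password_was_attempted($store, 'admin', 'Password2'));
var_dump(bf_password_was_attempted($store, 'admin', 'Password20'));
```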

  • The topic ‘Suggestion for brute force reports’ is closed to new replies.