Page 2 of 2
  1. #16 Philip M
    It comes back to motivation. Few would consider it worthwhile to hack into a teenager's website, but obviously it is a different matter if we are talking about your bank account. As I say, if money or its equivalent is at stake then someone will be motivated to crack the obfuscation.

    I have never understood how a hacker can try millions of combinations. He must not only find the right password, but test that (and all) password(s) to see if it works. Even at one second per try you can only test 3,600 an hour, 86,400 per day working full time. The rate at which an attacker can submit guessed passwords to the system must be a constraint. A password of 10 characters will take over 19 years to crack at a 100-billion-guesses-a-second effort to break the encryption.

    In short, and as you say, is it safe enough for practical purposes? Yes.

    Of course, the password must be unguessable. I understand that if I know the names of your wife, children, pets and football team then I have a 40% chance of guessing your password correctly.
    Last edited by Philip M; 09-20-2012 at 09:19 PM.

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  2. #17 Old Pedant
    LOL! A hacker will try hundreds per second! All automated, of course. He will try them as fast as your site will take the input. Hitting you from multiple (virtual) clients at the same time. Heck, MS even has a TOOL that helps you do this! (It's normally used for performance testing...you set up the number of virtual clients you want and it hits a site from each client as fast as it can. Normally, the virtual client just makes a static request of the site, but you can create a plugin for the tool that will vary the request.)

    So multiply your numbers by at least 20 to 40 and maybe 100. But I agree with you. Nobody in their right mind would do this except for attempting to break into something worthwhile. Meaning money.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  3. #18 rnd me
    You can combine both to provide unpredictable URLs and a convenient human interface for those who know a passphrase/GUID/secret string.

    Here's a quick proof-of-concept for such a tool. It spits out the source of a landing page on a new tab and immediately loads that page in the open tab so you can test it.

    Still, I think it's better to put things like this behind a server because you can change the key/path independently...

    I set the folder path to 64 chars. While I won't say it's impossible to guess a 64-char URL, it's impossible to guess a 64-char URL.
    The # of ms since 1970 is ~15 digits, so in order to crack the URL within 40 years, you need to do 2^39 combos per ms.
    There is no server that can even handle 2^10 requests per ms, much less that times a billion times a billion times a billion...
    Last edited by rnd me; 09-21-2012 at 01:04 AM.

  4. #19 Philip M
    Quote Originally Posted by Old Pedant View Post
    NOW...Is it "safe"? Of course not! Is it safe enough for practical purposes? Yes.

    But, then, so is your idea of simply using a weird URL safe enough for practical purposes. I really like that idea. It's enough to keep out nosy people, even if it won't keep out the determined hacker who will try millions (or more) of combinations. I absolutely agree with you that it's a simple and effective way.
    I do not see how, even with millions of combinations, a 10-character URL that is not a dictionary word can be cracked (except by pure luck of course - by some miracle you just might hit it first time!).

    I thought that servers would not accept more than so-many log-in attempts within so-many minutes from the same IP address.

    A site which can only be accessed with a fixed password has the obvious snag that some authorised user may pass on the password to an unauthorised user.
    Last edited by Philip M; 09-21-2012 at 12:45 PM.


  5. #20 Old Pedant
    Hackers are smart. Evil, but smart. They are well aware of what limits a given kind of server puts on "hits" from a single IP address. It may take them many weeks or months to try millions of combinations, and they may spread the effort across thousands of IP addresses (after all, they just have to "infect" a few thousand machines with their own virus and then assign the hacking task to those machines), but they WILL do it.

    Now, would they bother, just to hack some hobbyist game site? Of course not.

    So as we have all said, it really comes down to WHAT you are protecting. And for all but sites handling large sums of money, most of the stuff we have discussed is more than adequate.
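The guessing arithmetic that #16, #17, #18 and #20 argue about, written out as functions so the numbers can be checked rather than quoted. This is an added example, not code posted in the thread; the alphabet sizes (62 alphanumerics, 95 printable ASCII), the per-IP limit and the machine count are assumptions chosen to line up with the figures in those posts. It also covers rnd me's point about a path built from milliseconds since 1970: if the 64 characters are derived from a timestamp, the attacker only has to search timestamps, and the functions make that difference visible.

```javascript
// Added example, not code posted in the thread: the guessing arithmetic from
// posts #16, #17, #18 and #20 as reusable functions. Alphabet sizes, per-IP
// limits and machine counts are assumptions chosen to match the thread's figures.

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Number of distinct secrets of `length` symbols over an alphabet of `alphabetSize`.
function keyspace(alphabetSize, length) {
  return Math.pow(alphabetSize, length);
}

// Entropy in bits of a uniformly random secret drawn from `space` candidates.
function entropyBits(space) {
  return Math.log2(space);
}

// Years to try every candidate at `guessesPerSecond`. This is the attacker's
// worst case; on average the right guess turns up about halfway through.
function yearsToExhaust(space, guessesPerSecond) {
  return space / guessesPerSecond / SECONDS_PER_YEAR;
}

// Online guessing against a live site: the server throttles each IP address
// (Philip M's question in #19), but an attacker spreading the work over
// `ipCount` machines (Old Pedant, #20) gets the aggregate rate.
function onlineGuessRate(perIpPerSecond, ipCount) {
  return perIpPerSecond * ipCount;
}

// A path derived from the current time in milliseconds has no more candidates
// than there are milliseconds in the window the attacker has to cover, however
// many characters the printed form has.
function timestampSpace(years) {
  return years * SECONDS_PER_YEAR * 1000;
}

// The scenarios raised in the thread, side by side.
function report() {
  const alnum = 62;     // assumed alphabet: [A-Za-z0-9]
  const printable = 95; // assumed alphabet: printable ASCII; gives the ~19-year figure in #16
  return {
    "10 alnum chars, 1 guess/s, years":
      yearsToExhaust(keyspace(alnum, 10), 1),                         // #16, by hand
    "10 alnum chars, 100 guesses/s, years":
      yearsToExhaust(keyspace(alnum, 10), 100),                       // #17, automated
    "10 alnum chars, 5/s per IP x 10000 IPs, years":
      yearsToExhaust(keyspace(alnum, 10), onlineGuessRate(5, 10000)), // #20, distributed
    "10 printable chars, 1e11 guesses/s, years":
      yearsToExhaust(keyspace(printable, 10), 1e11),                  // #16, offline rate against a stolen hash, not a live form
    "64 alnum chars, entropy bits":
      entropyBits(keyspace(alnum, 64)),                               // #18, random 64-char path
    "ms timestamp within 40 years, entropy bits":
      entropyBits(timestampSpace(40)),                                // #18, if derived from ms since 1970
    "ms timestamp within 40 years, 1000 guesses/s, years":
      yearsToExhaust(timestampSpace(40), 1000),
  };
}

console.log(report());
```

Run with `node` to print the table. Three things fall out of it: against a live form the binding constraint is the server's per-IP limit multiplied by how many IPs the attacker controls, not the attacker's CPU; the 100-billion-per-second figure in #16 only applies offline, against a captured hash or ciphertext, and with the 95-character printable alphabet it does give about 19 years for 10 characters; and a 64-character path is only worth 381 bits if its characters are random, since one derived from a millisecond timestamp has about 40 bits of entropy for a 40-year window and is exhausted at 1000 guesses per second in exactly that window.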

  6. #21 gabsillis
    I'm having trouble with a redirection code which is basically the same as the secure examples given on page one
    Code:
    var password = function(){
        var reply = prompt("Enter username");
        var reply2 = prompt("Enter password");
        var reply3 = prompt("Enter security decryption key");
        var redirect = function() {
            var arith = (reply + reply2)*reply3;
            return arith;
            window.location.href = arith;
        };
    };
    password();
    The three prompts show but it does not redirect to the new page which I have currently (for testing purposes) given the simple name 30.

  7. #22 jmrker
    Quote Originally Posted by gabsillis View Post
    I'm having trouble with a redirection code which is basically the same as the secure examples given on page one
    Code:
    var password = function(){
        var reply = prompt("Enter username");
        var reply2 = prompt("Enter password");
        var reply3 = prompt("Enter security decryption key");
        var redirect = function() {
            var arith = (reply + reply2)*reply3;
            return arith;
            window.location.href = arith;
        };
    };
    password();
    The three prompts show but it does not redirect to the new page which I have currently (for testing purposes) given the simple name 30.
    It can't redirect to the location.href as it exits the function via the return before getting to that command.

  8. #23 Philip M
    var arith = (reply + reply2)*reply3;

    reply and reply2 are strings so the + sign concatenates (not adds) them, but * is a numeric operator (multiply). You cannot multiply a string value.

    You are using two functions (why?) and as the variables are declared in the first function with the var keyword they are local to that function, and cannot be accessed by the second function.

    return means what it says. STOP right now.

    I heard him then, for I had just
    Completed my design
    To keep the Menai Bridge from rust
    By boiling it in wine.
    - Lewis Carroll


  9. #24 jmrker
    Quote Originally Posted by Fran55k View Post
    Thank you for telling me that javascript cannot be used to update the content of your page after the page loaded.

    That is not exactly true.
    You can update the page after the page has loaded,
    you just cannot use document.write() to do it.

  10. #25 Philip M
    Quote Originally Posted by jmrker View Post
    That is not exactly true.
    You can update the page after the page has loaded,
    you just cannot use document.write() to do it.
    Hmmm. Fran55k is a spammer who has been banned from the forum.


  11. #26 jmrker
    Quote Originally Posted by Philip M View Post
    Hmmm. Fran55k is a spammer who has been banned from the forum.
    Thanks for the info. I did not know that.
    Is there a way to tell that from the post so that I don't respond to begin with?

  12. #27 Philip M
    Quote Originally Posted by jmrker View Post
    Thanks for the info. I did not know that.
    Is there a way to tell that from the post so that I don't respond to begin with?
    One telltale sign is the images (which do not appear - just red X's).

    Another clue is if the spammer copies all or part of a previous post to "introduce" his message.


  13. #28 gabsillis
    Quote Originally Posted by Philip M View Post
    var arith = (reply + reply2)*reply3;

    reply and reply2 are strings so the + sign concatenates (not adds) them, but * is a numeric operator (multiply). You cannot multiply a string value.

    You are using two functions (why?) and as the variables are declared in the first function with the var keyword they are local to that function, and cannot be accessed by the second function.

    return means what it says. STOP right now.
    How would I get numeric input from a user instead of a string?
    Good point about return, I think my head was swimming with weird thoughts when I wrote that part.

  14. #29 Philip M
    Quote Originally Posted by gabsillis View Post
    how would I get numeric input from a user instead of a string?
    Use Number() or *1

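The snippet from #21 rewritten along the lines of the replies in #22, #23 and #29: one function instead of an inner function that is never called, so every variable is in scope; no `return` ahead of the redirect; and the prompt replies converted with Number() before multiplying. (In JavaScript `*` already coerces its operands to numbers, so the explicit Number() mainly makes the intent clear and lets the code reject input that is not numeric instead of redirecting to "NaN".) This is an added example, not code from the thread; it assumes the target pages are named by a whole number, as the poster's test page "30" suggests, and uses the derived number as a relative URL exactly as the original did.

```javascript
// Added example, not code from the thread: the prompt/redirect snippet from #21
// with the fixes from #22, #23 and #29 applied. Assumptions: target pages are
// named by a non-negative whole number (the poster's test page is "30"), and
// the number is used as a relative URL as the original did.

// Pure part: turn the three prompt replies into a page name, or null if they
// cannot. Kept separate from the redirect so it can be exercised without a browser.
function deriveTarget(username, password, key) {
  // prompt() returns null when the user presses Cancel.
  if (username === null || password === null || key === null) return null;
  // Number("") and Number("  ") are 0, which would look like valid input.
  if ((username + password).trim() === "" || key.trim() === "") return null;
  // The replies are strings, so `+` concatenates, as in the original. Convert
  // explicitly with Number() before multiplying (Philip M, #29) and refuse
  // anything that is not a finite number.
  var combined = Number(username + password);
  var factor = Number(key);
  if (!Number.isFinite(combined) || !Number.isFinite(factor)) return null;
  var arith = combined * factor;
  // Assumption: pages are named by non-negative whole numbers.
  if (!Number.isInteger(arith) || arith < 0) return null;
  return String(arith); // e.g. "30"
}

// Side-effecting part: a single function, so reply/reply2/reply3 are all in
// scope (Philip M, #23), and nothing returns before the redirect (jmrker, #22).
function askAndRedirect() {
  var reply = prompt("Enter username");
  var reply2 = prompt("Enter password");
  var reply3 = prompt("Enter security decryption key");
  var target = deriveTarget(reply, reply2, reply3);
  if (target === null) {
    alert("Those details do not lead to a page.");
    return;
  }
  window.location.href = target;
}

// Only show the prompts in a browser; under Node the functions are just defined.
if (typeof window !== "undefined" && typeof window.prompt === "function") {
  askAndRedirect();
}
```

Drop the block into a `<script>` tag and it runs on page load; with username `1`, password `2` and key `2.5` it redirects to `30`. Everything here, including the arithmetic that produces the page name, is readable with view-source, so it gives exactly the protection described earlier in the thread: enough to keep out the nosy, nothing more.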
