| Atom

<< Using AJAX for Image Passwords - AJAX Security Part 1 of 3 | Home | Problem with laptop overheating >>

Links

Contact
Natural Chroma
Green Mail
Magical Diary
Janagram
Shatila Gifts
Merge Box
Social Shopping
Trend Tracker
Natural Mom Resource

Navigate

Categories | Tags | Advanced Search

Tags

Recent Blog Entries

Single Table Polymorphic Inheritance with ActiveRecords
Implementing a single table polymorphic inheritance in rails is dead easy. Simply do class Fruit or if you a migrating... class Fruit Now, all you have to do is to create your sub-classes class Fruit Don't forget to put Apple in a separate fi...
GreenMail v1.3 Released
This release contains minor changes to GreenMail core, most notable the introduction of slf4j for logging. New in this release is a JBoss service for GreenMail. The service runs GreenMail as a lightweight mail server sandbox, nicely suited for develop...
Internet Explorer 6 & 7 document.domain bug
Disclaimer: Im not sure this a bug discovery...couldn't find anything that resembled it after a couple of minutes of googling, or a super silly security restriction. I've been coding some javascript ajax code that inserts an iframe, and into the creat...
RXTX on Gumstix
Since it could be tricky to get the RXTX sources compiling properly for the gumstix platforms I thought I'd spare anyone the pain by providing my binaries. librxtxSerial_PXA255...
Groovy vs BeanShell
Below is a quick and dirty test to compare the speed performance between bean shell and groovy. Bean shell is an order of magnitude faster. If you don't need groovy closure and other nice groovy features...just use bean shell. It's only one small jar a...

Recent Responses

Re: Subtle Guarding Error
My bad, I see what Evert meant now. Thanks. (example updated)
Re: Internet Explorer 6 & 7 document.domain bug
http://msdn.microsof...
Re: How to move a subversion repository to another server
Simple and straightforward, thanks
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
You people have a little too much time on your hands. May I suggest going for a jog? Eating? Watching TV? Go bowling? Rent a sailboat? Go for an airplane ride? ANYTHING! You guys are completely nuts! Go do something with your life, don't be so obsessed...
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
i just wonder how you think of the relationship bettween harry and blike when you read the scipt and play your roel. Also,do you have another plan after you finish acting in HP?
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
Wuz up Tom!!! Let's take a ride, handsome boy? XD
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
Olá tom ^^
Re: Subtle Guarding Error
No, Evert is quite correct. The member variable is a value, so it will be constructed using a copy constructor -- a new Semaphore instance. The member variable should be a reference as well as the constructor parameter.
Re: Using AJAX with CAPTCHA - AJAX Security Part 3 of 3
I like it, might be easier for people if you put clipart instead of actual pictures. You could put three clipart pictures in each block and name the three in the steps. Also maybe make the dot a little bigger or make it an asterisk or something. Cool...
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
hello readly wie is das jouer dans un film??
Re: How to move a subversion repository to another server
Thanks a lot. It was very useful to us, just changing our old repository server machine to a new one. Best regards.
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
Ciao ma come funziona questo coso? mi risponde Tom Riddle?
Re: Subtle Guarding Error
The code should be correct since the GuardPost constructor is using GuardPost(Semaphore& _s) as opposed to GuardPost(Semaphore* _s)
Re: Subtle Guarding Error
There is a programming error in the non-lazy guard: the object needs to store a reference to a semaphore, not a semaphore. Currently, a copy of the semaphore gets locked and released, which probably is not what you want ;-)
Re: W AJAX design pattern
What if the browser doesnt have access to the 3rd party server directly? In our case we were submitting regional demographic requests to esri which costs money.
Re: W AJAX design pattern
just do an async ajax call with the first pattern
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
Please, make a Portuguese version! thanks :D
Re: Automatic SSH/SCP Login without Password
very detailed and useful information, thanks
Re: RXTX on Gumstix
Hey, I'm about to run a SunSPOT on an gumstix. Suns SDK for SunSPOT makes use of rxtx. Do you know anything about this exception? -run-spotclient-once...
Re: Tom Riddle's Magical Diary Comes to Life with AJAX
Check this out!

Popular Articles: Tom Riddle's Magical Diary | AJAX Lego Robot | AJAX CAPTCHA | SQL Multisets

Using AJAX to deter Hackers - AJAX Security Part 2 of 3

How a Hacker operates

A spammer or a hacker do one simple thing while trying brute force to try to login to your site. They send an HTTP post crafted with the proper form elements and data without nessecary having viewed the actual login screen and form. Each time with a new password.
On the otherhand, what average Joe does is to first view your login page, type in his username and password...letter by letter.

Using AJAX to detect keystrokes

With some javascript and XMLHttpRequest we can simply send a small notice back to the server whenever Joe presses a keyboard button.

When the server receives a form submission from the client, the following can be detected

Keys were pressed.
Time differences between keystrokes.

If there are no key strokes in the session, or time differences between key strokes are in the order of what is humanly impossible, reject the login attempt.
Really fast typers can type in speeds of 20-30 characters a second, which is around 30-40 ms between keystrokes.
Argubable a hacker or spammer can simulate all this, but at their expense of higer bandwidth and processing power, which will avert them to spam or hack someone else less protected.
The argument of sending each mouse movement in Using AJAX for Image Passwords is now clear. The same keystroke / time delay detection can be applied using image passwords as well.

Try it!

Below is a simple login screen. To login as a human, type in the password apple and press Human Login.

If you press Computer Login, a small script will simulate sending off keystrokes in a very short period of time. The script on the server side will detect if it was you or your browser that was trying to login.

Time Twists

To boost things up further, it's possible to file the time between keystrokes while first entering your password. Next time you login the password on file along with a time delay pattern have to match to succesfully login.

More Buttons

Yet another way to boost security is by using the SHIFT, CTRL and other similar buttons as a "letter" in the password. Regular HTML forms does not support this. A javascript can detect that e.g. only SHIFT was pressed and would enocode it into the password string in a special way.

Source Code

Available here

Part 3, boosting security yet

Part 3 will discuess how it's possible to avoid having bots trying to login. Part 3 can be found here here

Responses[4]

Posted by Wael Chatila on September 18, 2005 6:02:56 PM PDT # Attachment

slashdot

digg

del.icio.us

technorati

[more]

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Comment from Haris Skiadas on December 21, 2005 9:59:04 PM PST #

Very nice series of articles, thanks for the ideas. I have to admit, I consider myself a slow typist, but with my regular typing pattern the server considered me a computer (or rather superman, kind of flattering). But I guess the sensitivity can be adjusted.

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Comment from Anonymous on December 22, 2005 12:12:21 AM PST #

How about users that choose to copy and paste their username and password?

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Comment from You wouldnt be able to login copy and pasting. on December 22, 2005 12:19:24 AM PST #

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Comment from Andreas on January 27, 2006 4:01:32 AM PST #

If you first try the computer option, then copy-and-paste the password over the generated one, then click OK, then it thinks you are human...

Add a comment Send a TrackBack

September 2005
Sun	Mon	Tue	Wed	Thu	Fri	Sat
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30
Aug \| Today \| Oct