
Login Durations

Status: Not open for further replies.

since9 (Campaign Veteran; joined Jan 14, 2010; 6,964 messages; Colorado Springs, Colorado, USA)
This isn't about the rules, but rather the inordinately short login duration. Years ago, it was thought that limiting the login duration was an effective way to increase a site's security.

This has long since been debunked.

Given the nature of the types of attacks the login duration is designed to combat, along with the issue of how easy some people make their passwords, it turns out login duration has effectively zero effect on a website's overall security. In reality, users with poor passwords can be hacked in a matter of seconds, rendering pointless even very short login timeouts of half an hour. At the other extreme, users who employ good passwords can't be hacked in years, much less months, also rendering this flawed approach pointless.

If it's pointless, why do sites like OCDO still use short login durations? Quite simply, they didn't get the memo. Even experienced IT administrators continue to employ short login durations in the errant belief they're actually accomplishing something other than ticking off their users. Unfortunately, they're wrong. All they're doing is ticking off their users.

An infinitely more viable approach is to employ a waiting "timeout" period after a specified number of failed login attempts. OCDO already employs such a system, courtesy of a feature built into the vBulletin message forum software on which OCDO runs. Current industry standard recommendations can best be summed up as "three strikes and you're out for thirty minutes." This approach allows for a maximum of six attempts per hour, vs OCDO's current twenty attempts per hour.

Is there any reasonable limitation on login duration? Absolutely, although it's much longer than one might think. An administrator certainly wouldn't want to extend the period indefinitely. A reasonable limit might coincide with the maximum length of time one might reasonably remain logged in for a single session. For most people, that ranges between a few minutes to several hours. Even extremists, however, won't be engaged in marathon sessions lasting much longer than sixteen hours, and it's highly unusual that anyone would require more than twenty-four hours.

Thus, many vBulletin administrators safely set their login durations to 1,439 minutes. That's 23 hours and 59 minutes for you and me.

The reason this works has to do with the nature of passwords. If it takes a computer 1 minute to hack a random password of x number of digits, then adding just one more digit increases that time by a factor of 94. In other words, it would take 94 minutes to crack a password of x+1 digits.

The "gone in 60 seconds" variety, however, is an extreme case. In reality, most passwords which can be cracked in a reasonable period of time are cracked in half an hour or so. Thus, adding one more digit extends that time out to well beyond a day.

The primary reason why none of this matters is that online activities don't occur instantaneously. Because of the communication lag inherent in the Internet, cracking a simple, four-digit password would take more than 22 hours, and that assumes such high-speed pipes that the system would allow for 1,000 guesses per hour!

Given the mandatory wait period induced after five wrong guesses, this would actually take fifty times longer: 45 days.

Now, let's up the minimum password length by a single digit, to five digits. Instead of 45 days, the online crack time has been extended out to more than 12 years.

Let's make it 8 digits, the same as most banks. Now we're talking about times in excess of 10 Million years.

Ok, so why do we have such short duration logins? The only plausible explanation falls to one of two possible answers: A) Because the admin didn't get the memo. B) To tick off the users.

Extremely high login security can be effectively had by means of ensuring a minimum password length of 8 digits and using the 3/30 rule: after three unsuccessful tries, you're locked out for thirty minutes.

Other measures which will foil other types of attacks include using SSL/TLS for the login exchange.
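The "three strikes and you're out for thirty minutes" throttle described in the post above, written out as an added example (this is not code from the post or from vBulletin). The `LockoutPolicy` class, the account names and the timestamps are constructed for illustration; the 94-symbol alphabet and the 3/30 rule are the post's own parameters, and `hours_to_exhaust` simply divides the keyspace by the per-hour guess budget the policy allows.

```python
from collections import defaultdict
from math import ceil


class LockoutPolicy:
    """Failed-login throttle: after `max_failures` consecutive failures the
    account is locked for `lockout_minutes` (constructed example)."""

    def __init__(self, max_failures=3, lockout_minutes=30):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_minutes * 60
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> unix time lock expires

    def attempts_per_hour(self):
        """Worst case: an attacker gets `max_failures` guesses per lockout window,
        so count how many windows start inside one hour."""
        return self.max_failures * ceil(3600 / self.lockout_seconds)

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record_attempt(self, account, ok, now):
        """Return True if the attempt was evaluated, False if rejected by the lock.
        A successful login clears the failure counter."""
        if self.is_locked(account, now):
            return False
        if ok:
            self._failures.pop(account, None)
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)  # next window starts clean
        return True


def hours_to_exhaust(length, alphabet=94, guesses_per_hour=6):
    """Hours to try every password of `length` symbols online, given the
    per-hour guess budget the lockout policy leaves an attacker."""
    return ceil(alphabet ** length / guesses_per_hour)


if __name__ == "__main__":
    three_thirty = LockoutPolicy(3, 30)
    print("3/30 rule allows", three_thirty.attempts_per_hour(), "guesses/hour")
    print("8 symbols at that rate:", hours_to_exhaust(8), "hours")
```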
 

Grapeshot (Legendary Warrior; joined May 21, 2006; 35,317 messages; Valhalla)
IMHO, issues of this type are best handled by direct communication with the Administrator... solely.
 