12 Aug, 2013, KaVir wrote in the 1st comment:
Votes: 0
Kjwah said:
There can't be that many accounts of people trying to brute force accounts on MUDs. I'm sure there's those few people that do but other than that… I just don't see it.

I've had players try to brute-force each other's passwords, so I implemented a fairly simple workaround:

If you enter the wrong password three times for the same character, or ten times in total, you're blocked from logging on characters who last connected from an IP address other than your own.

This doesn't apply if the character last connected from your current IP address, and if you do successfully connect then your failed attempts for that character are reset. After an hour, you're allowed to make another login attempt from a different IP address. The block also goes away with reboots.

Obviously you can use a proxy to get more tries, but you can't just set up a script to run through thousands of passwords overnight.
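
The lockout rule described in the comment above, sketched as an added Python example (not part of the original post and not KaVir's code). The class and method names are hypothetical and the IP address is a constructed documentation address; it assumes the one-hour expiry also clears that address's failure counters, and that a character with no recorded last address counts as "other than your own".

```python
import time

PER_CHARACTER_LIMIT = 3   # wrong passwords for the same character
TOTAL_LIMIT = 10          # wrong passwords in total from one address
BLOCK_SECONDS = 3600      # "After an hour"

class LoginBlocker:
    """State lives in memory only, so a reboot clears every block."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}     # source ip -> {character: wrong-password count}
        self.blocked_at = {}   # source ip -> time the block started
        self.last_ip = {}      # character -> ip of its last successful login

    def _blocked(self, ip):
        started = self.blocked_at.get(ip)
        if started is not None and self.clock() - started >= BLOCK_SECONDS:
            # Assumption: expiry also clears this address's counters.
            del self.blocked_at[ip]
            self.failures.pop(ip, None)
        return ip in self.blocked_at

    def may_attempt(self, ip, character):
        """A block never applies to a character that last connected from ip."""
        if self.last_ip.get(character) == ip:
            return True
        return not self._blocked(ip)

    def attempt(self, ip, character, password_ok):
        """Record one login attempt and return 'blocked', 'ok' or 'wrong'."""
        if not self.may_attempt(ip, character):
            return "blocked"   # rejected whatever the password was
        per_ip = self.failures.setdefault(ip, {})
        if password_ok:
            per_ip.pop(character, None)   # success resets this character only
            self.last_ip[character] = ip
            return "ok"
        per_ip[character] = per_ip.get(character, 0) + 1
        if (per_ip[character] >= PER_CHARACTER_LIMIT
                or sum(per_ip.values()) >= TOTAL_LIMIT):
            self.blocked_at.setdefault(ip, self.clock())
        return "wrong"

if __name__ == "__main__":
    blocker = LoginBlocker()   # constructed demo: four bad guesses at one character
    print([blocker.attempt("203.0.113.9", "alice", False) for _ in range(4)])
```

Because the counters are keyed by source address, the proxy caveat from the post still holds: each new address gets a fresh budget of three guesses per character.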
12 Aug, 2013, Kjwah wrote in the 2nd comment:
Votes: 0
KaVir said:
Kjwah said:
There can't be that many accounts of people trying to brute force accounts on MUDs. I'm sure there's those few people that do but other than that… I just don't see it.

I've had players try to brute-force each other's passwords, so I implemented a fairly simple workaround:

If you enter the wrong password three times for the same character, or ten times in total, you're blocked from logging on characters who last connected from an IP address other than your own.

This doesn't apply if the character last connected from your current IP address, and if you do successfully connect then your failed attempts for that character are reset. After an hour, you're allowed to make another login attempt from a different IP address. The block also goes away with reboots.

Obviously you can use a proxy to get more tries, but you can't just set up a script to run through thousands of passwords overnight.


I do something close to what you do with some of my contracts, though, a little differently. :) I wasn't trying to say that brute forcing doesn't happen, it's just not an everyday thing MUDs deal with in terms of hundreds and thousands of people trying to brute force tons of accounts. It's generally pretty isolated when it comes to MUDs.
12 Aug, 2013, Scandum wrote in the 3rd comment:
Votes: 0
Fastest you can do is about 1 attempt per second, so to brute force a 6 character 6 bit password you're looking at about 1000 years. Now the attack can be distributed, some MUDs accept 10 connections per second, so that would bring it down to 100 years.

It's easier to apply to the NSA and look up the data stream while your supervisor isn't looking.
12 Aug, 2013, KaVir wrote in the 4th comment:
Votes: 0
Well "brute force" was perhaps not quite accurate, in retrospect I think they were probably just taking lots of guesses, or maybe using a dictionary attack - a lot of players do pick really bad passwords. The login-blocker put an end to it though.