Thread: IMAP security
17 Mar 2019, 06:38 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
I don’t disagree with the comments you made, but here is my opinion on this.
  • A conventional brute-force attack on an IMAP account might be attempted by trying to use one username repeatedly with many different passwords, hoping that one will be correct. But the email system can just block all attempts to log in to that particular account from that particular IP address for some timeout interval.
  • So the attacker might use a botnet to run this attack. Again, rate limiting by the email server can prevent a quick high rate attack on a specific username.
  • The attacker might then take a completely different approach. They might use phishing over a huge population of users to determine some commonly used passwords and usernames. They then spray these out to a wide range of email servers from a botnet. Since the targets are spread so widely, the IMAP servers don’t see an organized attack. They see a low rate of random bad connection attempts from various IPs. The reason this works is that (as mentioned in the paper) they use techniques such as phishing so they know they are using some usernames and passwords which are actually in use.
  • Let’s think about how 2FA works. The password consists of two parts: the fixed password entered by the user and the pseudorandom password generated by the authentication system. There is a shared cryptographic key which is shared between the server and the user device during setup, and the system can be vulnerable during that initial setup process.
  • A 2FA system is just as (slightly) vulnerable to a brute-force attack as a non-2FA system if the password length and complexity are the same. The real difference is that with a 2FA system you are forced to use a moderately long pseudorandom password rather than “pass” or some other simple string of characters.
  • With an email client using IMAP (or other conventional access technique) the user typically isn’t aided in generating a long password. They don’t understand the value of a pseudorandom password generator and password safe to keep those unique passwords. So they use the same short password for each of their services - as short and simple as the system will allow. This means that once the attacker discovers one of their passwords, they can spray it around and see if it finds a matching account. If the attacker does this enough times for enough account names with enough passwords they know are in use, they will eventually spray enough around so that a few match. In fact, many people will use the same password as someone else, so the attacker can use just the most popular passwords and spray them around by trying to log in to thousands of different IMAP accounts at various services.
  • So this is a different statistical technique for attacks. They don’t try to guess your username or password - they use real usernames and passwords accumulated over a long time using phishing (or other sources), then spray them around until they eventually find an account where they match.
  • The solution is easy. Use a unique and very long pseudorandom password (as long as your client and the email system allow) and save it in a password manager if you worry about needing to reinstall the email client. You then must be VERY careful to be sure that the password manager is secure. And you must not re-use that password anywhere else - this is the key to personal security. If your account password at one particular service is compromised, this breach won’t affect any other service you use - as long as you keep your main email account (and mobile devices) secure, since this is where services send you password reset instructions.
  • For example, Fastmail application passwords are automatically generated by Fastmail, and they are 16 characters long with 32 possible values for each character. This is 80 bits of entropy, and is considered unbreakable. As long as the email client is a modern one which allows the stored password to be encrypted, there is no practical way for someone to get your IMAP password. If you use a secure connection to the server (forced by Fastmail) with modern browser and operating system security, a man-in-the-middle can’t intercept and use your password.
Bill
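The post above makes two points that are easy to check in code: the entropy arithmetic for a 16-character password drawn from 32 symbols (16 x 5 bits = 80 bits), and the reason a per-account, per-IP lockout stops a conventional brute-force attack but not a low-rate password spray. The following is an added example written for this thread, not code from the post or from Fastmail. It assumes a base32-style 32-symbol alphabet (Fastmail's real generator may differ), a made-up `auth-fail user=... src=...` log line format, and constructed sample log lines; the thresholds (5 failures in 15 minutes, 4 distinct accounts per source) are illustrative.

```python
import math
import re
import secrets
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed 32-symbol alphabet (RFC 4648 base32, lowercased): 5 bits per symbol.
# Illustration only, not Fastmail's actual application-password generator.
APP_PASSWORD_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_app_password(length: int = 16) -> str:
    """CSPRNG-backed application password: 16 symbols x 5 bits = 80 bits."""
    return "".join(secrets.choice(APP_PASSWORD_ALPHABET) for _ in range(length))


# Constructed IMAP auth-failure log (sample data, not from any real server).
# 203.0.113.5  : one source hammering one account (classic brute force)
# 198.51.100.7 : one source trying several accounts once each (single-source spray)
# 192.0.2.x    : three sources, one attempt each (distributed spray)
SAMPLE_LOG = """\
2019-03-17T06:30:00Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:30:10Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:30:20Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:30:30Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:30:40Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:30:50Z auth-fail user=alice src=203.0.113.5
2019-03-17T06:31:00Z auth-fail user=bob src=198.51.100.7
2019-03-17T06:33:00Z auth-fail user=carol src=198.51.100.7
2019-03-17T06:35:00Z auth-fail user=dave src=198.51.100.7
2019-03-17T06:37:00Z auth-fail user=erin src=198.51.100.7
2019-03-17T06:40:00Z auth-fail user=frank src=192.0.2.10
2019-03-17T06:45:00Z auth-fail user=grace src=192.0.2.11
2019-03-17T06:50:00Z auth-fail user=heidi src=192.0.2.12
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str):
    """Return (timestamp, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"]))
    return events


def lockout_candidates(events, threshold=5, window=timedelta(minutes=15)):
    """Conventional defence: (src, user) pairs with >= threshold failures inside window."""
    recent = defaultdict(list)
    flagged = set()
    for ts, user, src in sorted(events):
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            flagged.add((src, user))
    return flagged


def spray_sources(events, min_distinct_users=4):
    """Single-source spray: one src failing against many different accounts."""
    users_by_src = defaultdict(set)
    for _, user, src in events:
        users_by_src[src].add(user)
    return {src for src, users in users_by_src.items() if len(users) >= min_distinct_users}


def single_attempt_accounts(events):
    """Distributed-spray tell: accounts hit by a source that made exactly one failed attempt."""
    attempts_by_src = Counter(src for _, _, src in events)
    return {user for _, user, src in events if attempts_by_src[src] == 1}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("entropy of 16 symbols from 32:", entropy_bits(32, 16), "bits")
    print("sample app password:", generate_app_password())
    print("lockout candidates:", lockout_candidates(EVENTS))
    print("spray sources:", spray_sources(EVENTS))
    print("accounts hit by one-shot sources:", single_attempt_accounts(EVENTS))
```

Run on the sample, the per-pair lockout flags only `alice` from 203.0.113.5; the four accounts tried once each from 198.51.100.7 and the three one-shot sources never reach the threshold, which is exactly the gap the post describes. The second detector catches the single-source spray by counting distinct accounts per source; the third only yields a count of accounts touched by one-shot sources, which is meaningful against a baseline of normal mistyped logins rather than as an absolute threshold. None of this changes the post's conclusion: a spray only succeeds where the sprayed password is actually in use, so a unique, long generated password removes the account from the population an attacker can match.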