Limit the number of chances a non-ProtonMail user has to enter the password!
One of my friends told me about ProtonMail and sent me an encrypted email, so I got a link and then went on to the log-in page and found out that my friend forgot to send me the password. Well, I texted him, and in the meantime the password hint said 6 digits, so I wrote a simple brute-force program and opened the mail. Simply because you guys forgot to limit the number of times a user can enter the password :)
This was resolved in 2016; we're updating the topic now.
-
Verito commented
Not to be rude or anything, but typically someone would not encrypt a file with a 6-digit password. It's no surprise that the password was cracked. Encrypted emails and files as such should be a bare minimum of 12 characters, assuming that you actually don't want 3rd parties to see your email, that is.
What I am trying to say is that this would not be a feature ProtonMail would implement, as today's technology can't crack passwords of more than 18 characters without dedicating a lot of money and resources. 6 digits is something just about anyone could crack in about 10 mins. So please think about what you say and at least do some research before you say things like that. It doesn't matter that the topic was changed; what matters is what makes sense.
What makes sense to me would be what others are suggesting, a timer to prevent brute-forcing of ProtonMail accounts. I imagine ProtonMail would pick up brute-forcing with the numerous password attempts... so maybe that isn't the brightest idea either.
-
Anonymous commented
DOES ANYONE READ WHAT THE INITIAL POST WAS, OR DO YOU JUST POST COMMENTS WITHOUT READING? YOU ALL MISINTERPRETED THE INITIAL MESSAGE. THIS IS ABOUT ****NON PROTONMAIL USERS****. WHAT THE HELL.
-
Clyde commented
My password is 122 characters. That might be bad.
-
Tim commented
If this has to do with network access, then yes, there should be a 3-second delay to prevent brute forcing. If this is in reference to client-side information, then of course this request makes no sense, as anyone can simply obtain the encrypted information without needing the client and brute-force it.
-
Anonymous commented
At least you should introduce some delay between accepting new password submission attempts.
It should be blocked on the client side as well as on the server side to prevent scripted attacks.
-
Verito commented
Your comment just gave me an idea.
Perhaps there should be an option to add a MAC address filter where you can restrict access to your ProtonMail account for people who are not on that filter, and have something similar to Steam Guard in place to track logins, IPs, MAC addresses and locations, which can only be accessed by the user.
I do agree with Joel about how annoying a password timer can be; however, it is a good idea, but perhaps the user should get custom options over this. I definitely think something like that should be implemented. I do think that in the event an account lockdown was active, then only the people on the MAC address filter list can log in and bypass the lockdown.
Other than that, an email could be sent to your recovery email with a link/PIN, providing a long and randomly generated password which will be embedded in an encrypted email that requires your inbox decryption password to open.
There are plenty of methods to use, but the more complex the measure, the harder it is to implement, but the greater the security and the lower the risks.
-
T commented
How about minimum password complexity rules (maybe combined with a password strength meter)?
And to make brute force harder, implement exponential backoff, i.e. after a user enters a wrong password, wait 5 seconds before a retry is possible, then 10s, 20s, …, and reset that timer after some amount of time has passed.
-
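The exponential backoff T describes, sketched as an added example (not ProtonMail's code): the wait doubles after each wrong password and is forgotten after a quiet period, with a cap so the lock-out attack Cameron raises below cannot hold an account indefinitely. As Tim notes, this only helps where a server mediates the check; the constructor, the `(account, client)` key and the injectable clock are assumptions for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class _Entry:
    failures: int = 0
    last_failure: float = 0.0


@dataclass
class ExponentialBackoff:
    """Delay after each wrong password doubles: 5 s, 10 s, 20 s, ... (capped)."""
    base_delay: float = 5.0        # seconds to wait after the first failure
    max_delay: float = 3600.0      # cap: bounds how long a lock-out attempt can hold an account
    reset_after: float = 900.0     # quiet period after which the failure count is cleared
    clock: object = time.monotonic  # injectable for tests (assumption, not a real API)
    _entries: dict = field(default_factory=dict)

    def _entry(self, key):
        e = self._entries.get(key)
        if e is not None and self.clock() - e.last_failure >= self.reset_after:
            del self._entries[key]   # quiet period elapsed: forget old failures
            e = None
        return e

    def required_delay(self, key):
        e = self._entry(key)
        if e is None:
            return 0.0
        return min(self.base_delay * 2 ** (e.failures - 1), self.max_delay)

    def seconds_until_allowed(self, key):
        e = self._entry(key)
        if e is None:
            return 0.0
        return max(0.0, e.last_failure + self.required_delay(key) - self.clock())

    def check_password(self, key, supplied, expected):
        """Return (accepted, seconds_to_wait); key is (account, client) chosen by the caller."""
        wait = self.seconds_until_allowed(key)
        if wait > 0:
            return False, wait       # still inside the backoff window: do not even compare
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self._entries.pop(key, None)   # success clears the counter
            return True, 0.0
        e = self._entries.setdefault(key, _Entry())
        e.failures += 1
        e.last_failure = self.clock()
        return False, self.required_delay(key)
```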
Cameron Taylor commented
This is a terrible idea for one very important reason: Account Lock-out.
You can brute-force a ProtonMail account with incorrect passwords and lock out the account indefinitely. You could try limiting the number of allowed entries per IP address or MAC address, but a proxy or VPN could be used in rotation, and under this scheme you could also lock out the user by spoofing the address.
I would suggest OP use a password manager (e.g. LastPass, KeePass) and create a very strong password. The password manager will auto-type the password for you. I recommend using a password that has over 256 bits of entropy.
-
Markus Jansson commented
> I disagree with you Markus Jansson, this is not a stupid demand.
Apparently you don't understand what I wrote. Yes, it is a very stupid idea and cannot be implemented.
> Protonmail should at least suggest to enter password that is hard
> to crack by brute force methods.
Naturally, but this is not what the original poster wanted.
> Also there shouldn't be any hints when entering password.
Users should be able to decide that. Without a password hint someone might choose a poor passphrase and compromise their account. Anyway, there is no protection against stupid users, none whatsoever.
> Although Protonmail can't limit the number of chances
> to enter password, it can give advices to make virtually
> uncrackable password boosting security at the highest level.
Naturally, but this is not what the original poster wanted.
-
Anonymous commented
I disagree with you, Markus Jansson; this is not a stupid demand. ProtonMail should at least suggest entering a password that is hard to crack by brute-force methods. Also, there shouldn't be any hints when entering a password. Although ProtonMail can't limit the number of chances to enter the password, it can give advice to make a virtually uncrackable password, boosting security to the highest level.
-
Markus Jansson commented
THIS IS STUPID, learn the facts about ProtonMail before asking for something like this!
The message is located at, and downloadable from, the address by anyone. It is OpenPGP encrypted. Anyone can simply "view source" on the page and copy it from the source, for example
-----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v0.11.0-PM
Comment: http://openpgpjs.org

wy4ECQMIn1VfcC2PxYVgFCiceEIhwCDZAz81yirUL5etojHGbBErJxHu06OY
+zb/0lQBP98mbx6ndgNZhUa+/Ao+sZJSQU5JBFoQq6S9QvFr952VdsIO3VZP
riWAdpx13KPQeB7+CKDwefOr0UIdqP7wMBD8GIOHLMgOD7U3KMSNN6Z/53U=
=m7/J
-----END PGP MESSAGE-----
and therefore brute-force it on their own computers for as long as they possibly want to.
DUE TO THE NATURE OF PROTONMAIL - THAT THEY DON'T HAVE THE DECRYPTION KEY - THEY CANNOT LIMIT ACCESS TO THIS OPENPGP MESSAGE BY USING ANY KIND OF MECHANISM THAT YOU ARE ASKING FOR!
So please stop upvoting this stupid, useless idea from people who don't understand anything about how ProtonMail works!