Saturday, September 26, 2009

Spam bots use strong passwords

I've been logging the details of the failed attempts to register on a forum. I described this in my accidental discovery of defeating spam bots with email names. I keep an eye on these logs to understand the nature of spam bots and to pick out markers that make an attempted registration more likely to be coming from a spam bot than from a human. Using the word spam in front of bot in this context may be redundant because I don't know of any other type of bot that would be used for registering on a forum.

I've noticed that all the bots that failed to register used a strong password. Not super strong, but strong: the passwords were all between 8 and 12 characters long, had at least one lower-case letter, one upper-case letter and one number, and did not contain any known words. I would classify as super strong a password that meets those criteria but also has a punctuation mark in it.

One thing that I have not done yet is to rate the successful passwords that have been entered.

First of all, I don't like logging the passwords when there is a registration failure. I don't like storing passwords in plain text, even if only I can see them and I only keep them for a very short period of time. It's not good practice. My intention is to set up a table that records attempted registrations, with a bit field for whether the registration succeeded and a strong-password score for each attempt. I will then be able to draw stats about the type of passwords the average user is using versus bot/failed passwords, and work out whether a strong password is a good marker for scoring a registration as a bot.

The only problem I have at the moment is that the same bots are hitting the site several times an hour with the same username, email and password, so I'd have to use those three fields as a unique identifier. That would mean hashing the password and storing the hash as well.
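The scoring rules from the observation above and the attempts table described in the last two paragraphs, put together as an added example (this is not the author's forum code). The three tiers follow the post: strong means at least 8 characters with a lower-case letter, an upper-case letter, a digit and no known word; super strong adds a punctuation mark. The word list, the `PEPPER` secret and the sample attempts are constructed for the example, and the scorer applies only the 8-character minimum, treating the 12-character ceiling as something observed about the bots rather than a requirement:

```python
import hashlib
import hmac
import string
from dataclasses import dataclass, field

# Constructed stand-in for the "known words" dictionary; the post does not say
# which word list it checks against, so this set is an assumption.
KNOWN_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "summer", "admin"}

# Assumption: a server-side secret, so the stored fingerprint cannot be reversed
# offline the way a bare hash of a short password could be.
PEPPER = b"constructed-server-secret-not-for-production"

WEAK, STRONG, SUPER_STRONG = 0, 1, 2


def contains_known_word(password, words=KNOWN_WORDS):
    """True if any dictionary word appears inside the password (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in words)


def score_password(password, min_len=8):
    """Score a password with the post's three tiers: WEAK, STRONG or SUPER_STRONG."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if len(password) < min_len or not (has_lower and has_upper and has_digit):
        return WEAK
    if contains_known_word(password):
        return WEAK
    return SUPER_STRONG if has_punct else STRONG


def password_fingerprint(password, pepper=PEPPER):
    """Keyed hash of the password, used only as a de-duplication key, never stored as a credential."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class RegistrationLog:
    """In-memory stand-in for the attempts table; keyed on (username, email, password hash)."""
    rows: dict = field(default_factory=dict)

    def record(self, username, email, password, success):
        key = (username.lower(), email.lower(), password_fingerprint(password))
        row = self.rows.get(key)
        if row is None:
            row = {
                "username": username,
                "email": email,
                "password_fp": key[2],
                "score": score_password(password),  # plaintext is scored, then dropped
                "success": False,
                "attempts": 0,
            }
            self.rows[key] = row
        row["attempts"] += 1               # repeat hits from the same bot collapse here
        row["success"] = row["success"] or success
        return row

    def mean_score(self, success):
        """Average strength score for successful (True) or failed (False) registrations."""
        scores = [r["score"] for r in self.rows.values() if r["success"] == success]
        return sum(scores) / len(scores) if scores else None


def demo():
    """Constructed sample attempts: two humans that registered, two bots that did not."""
    log = RegistrationLog()
    attempts = [
        ("bob42", "bob@example.com", "Summer2009", True),
        ("alice", "alice@example.com", "ilovecats", True),
        ("xqz8kd", "xqz8kd@example.net", "Kx7rQp2m", False),
        ("xqz8kd", "xqz8kd@example.net", "Kx7rQp2m", False),   # same bot, an hour later
        ("wpl3", "wpl3@example.org", "Vb9#tRq2Lm", False),
    ]
    for attempt in attempts:
        log.record(*attempt)
    return log


if __name__ == "__main__":
    log = demo()
    print("rows:", len(log.rows))
    print("mean score, successful:", log.mean_score(True))
    print("mean score, failed:", log.mean_score(False))
```

The fingerprint uses an HMAC with a server-side secret rather than a plain SHA-256 because the log is meant to be kept for a while: an unkeyed hash of an 8 to 12 character password can be attacked offline if the table leaks, whereas the keyed version is only useful for matching repeat attempts on the same server. Real user passwords still belong in the forum's own salted password store; this table only ever needs the score and the de-duplication key.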
