
I am looking for more details regarding Firebase protection against brute force password guessing.

In this thread, Kato says "we throttle requests by origin to mitigate any brute force approaches". Can any more info be given? Especially:

  • when does throttling kick in, and is the client at any point completely blocked for a certain time, etc.?

  • can we have a way in the security rules to specify a number of failed attempts after which the client will be locked out for a certain amount of time?

I want to switch to a digit-only 'numpad' password on my app and am worried about an enumeration attack. I need to determine the minimum number of digits to make passwords safe.

Thanks!

kofifus
    *firebaser here* We do not disclose such information in public documentation or fora. If you have a specific problem, [reach out to Firebase support](https://firebase.google.com/support/contact/troubleshooting/) for personalized help in troubleshooting. If you'd like to request a specific change to a feature (or a new feature), fill out [this feature request form](https://firebase.google.com/support/contact/bugs-features/). – Frank van Puffelen Jan 12 '17 at 00:48

1 Answer


Frank answered in the comments, so I'm just adding two additional pieces of information that might be useful:

  • Firebase prevents using passwords that have less than 6 characters (see FirebaseAuthWeakPasswordException)
  • A specific error code (ERROR_TOO_MANY_REQUESTS) is thrown when unusual activity is detected on a specific device. So you could easily make some tests to see how fast the error is triggered. I just did, and 3-4 incorrect password attempts triggered the error and blocked the requests from my device.

From the doc: auth/too-many-requests Thrown if requests are blocked from a device due to unusual activity. Trying again after some delay would unblock.

Kqtr