I have determined that while the UCS is well-behaved and imposes a correct 3s delay on all login attempts (including using the web interface), they do not prevent a client opening multiple connections. It is possible to check passwords in batches of ten, and get the average delay to under a quarter of a second per password. This extra order of magnitude allows a dictionary attack to be run on the 10000 most common words in well under an hour. Furthermore, I have done this from a remote server in the USA in the interests of experimentation and found no throttling or shaping in effect. Without having really pushed the limit of what is possible using more careful pipelining, I was able to easily achieve a rate of over 100,000 passwords checked per day. I only ran for a few hours, so hopefully over a longer time, someone at the UCS would notice the traffic. This seems to me grossly above what should be considered an acceptable quantity of information to give to a cracker, given that roughly one third of user passwords, according to surveys, satisfy the requirement for a digit by appending “1” to the password.
I recommend that the UCS implement a staggered timeout, as on many other services, so that each login attempt raises the delay, up to a maximum of several minutes. This is sufficient to render remote dictionary attacks useless, although the necessary state might mean a bit of writing. reCAPTCHAs after several failed logins would also work, but aren’t necessarily any easier or better even though they are familiar.
Multiple connections may also be opened to Raven and via SSH to guess Raven and PWF passwords. SSH does not implement incremental increases to delay, and I do not know what the recommended protection there should be. It is harder to open multiple connections, and I haven’t stressed the connection out. It might be that the speed-up isn’t quite enough to make the passwords at risk. [SSH in fact has an option to limit unauthenticated connections which should be set pretty low. It’s at least 2, and I daren’t find out just how high by trial and error, so I’ve left it at that.]
I felt slightly guilty while running the script, and hope that this early disclosure is enough to convince the UCS, should they track me down, that I am “white hat”, rather than genuinely trying to get passwords.
Update: I sent an email to the UCS, who reprimanded me but let me off. Think of this as a bit of a hasty mistake and chalk it up to experience. Contrition all round for causing an incident.