WebApp Sec mailing list archives
Re: Account Lockouts
From: Burak Bilen <bilen () metu edu tr>
Date: Thu, 02 Dec 2004 11:20:38 +0200
Many web sites (e.g. Yahoo) use image validation to block automatic registration. You can use the same technique. For example, before a user tries to authenticate himself, you make him type the text shown in an image into a textbox. If he types what is shown in the image incorrectly, you don't let him proceed to the authentication stage. Every time a request comes, you should present a random image. This way you make sure that the request is coming from a real person, since it is difficult to recognize the image automatically.

Harrison Gladden wrote:
Hello all,

My question to the group is about handling account lockouts. Here's the situation: assume there is a web interface that lets users log in and do stuff, but the log-in process is constrained by the network restrictions as well, meaning if a user tries to log in X times in Y seconds and fails each time, then the account gets locked out.

What are successful techniques that could be used on the web interface to avoid having a script run against it that would potentially lock out 15000 user accounts, and create a headache for the system administrators who have to manually unlock each account? Also assume the current user account names are known by everyone.

Possible techniques we've thrown around:

1) Allow each user to pick their own username instead of using a standard (i.e. first 3 letters of first name + full last name)

2) Create a set time-out period for each account of X (maybe an hour)

Hopefully my question makes sense.

Thanks,
Harrison
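The gate Burak describes, combined with the lockout rule from Harrison's question, as an added example that is not part of either poster's message. It is an in-memory Python sketch with assumed thresholds (5 failures in 60 seconds locks an account; automatic unlock after an hour; challenges expire after 2 minutes). A failed or replayed image challenge is rejected before the username is ever looked at, so a script that cannot solve the image never touches the per-account failure counter; rendering the text as a distorted image is left to whatever image library you use, the text is only handed back here so the flow can be exercised offline.

```python
import hmac
import secrets
import string
import time

# Assumed policy values for this example; tune to the deployment.
CHALLENGE_TTL = 120      # seconds an issued image challenge stays valid
MAX_FAILURES = 5         # bad passwords (with a correct challenge) before lockout
FAILURE_WINDOW = 60      # seconds in which those failures must occur (Harrison's Y)
LOCKOUT_SECONDS = 3600   # automatic unlock after this long (the "hour" idea)

# Ambiguous glyphs (0/O, 1/I) are left out so humans do not fail the image.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "0O1I")


class LoginGate:
    """Image challenge first, then credentials, then lockout bookkeeping."""

    def __init__(self, users, clock=time.time):
        self._users = users            # username -> password (hash these in production)
        self._clock = clock            # injectable for testing; defaults to wall clock
        self._challenges = {}          # challenge id -> (expected text, issued_at)
        self._failures = {}            # username -> timestamps of recent bad passwords
        self._locked_until = {}        # username -> time the lock expires

    def new_challenge(self):
        """Issue a fresh, single-use challenge for every request.

        Returns (challenge_id, text). Only the id goes to the client as a
        form field; the text goes to the image renderer, never to the client.
        """
        text = "".join(secrets.choice(ALPHABET) for _ in range(6))
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (text, self._clock())
        return cid, text

    def _check_challenge(self, cid, answer):
        entry = self._challenges.pop(cid, None)   # pop: a solved id cannot be replayed
        if entry is None:
            return False
        text, issued = entry
        if self._clock() - issued > CHALLENGE_TTL:
            return False
        return hmac.compare_digest(text.lower(), answer.strip().lower())

    def login(self, username, password, cid, answer):
        """Returns one of: captcha_failed, locked, bad_credentials, ok."""
        if not self._check_challenge(cid, answer):
            # Rejected before the account is consulted: no counter is touched,
            # so a script that cannot read the image cannot lock anyone out.
            return "captcha_failed"

        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"

        expected = self._users.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self._failures.pop(username, None)
            return "ok"

        # Count this failure against a sliding window of FAILURE_WINDOW seconds.
        recent = [t for t in self._failures.get(username, []) if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})
    cid, text = gate.new_challenge()
    print(gate.login("alice", "guess", cid, "WRONG"))   # captcha_failed, counter untouched
    cid, text = gate.new_challenge()
    print(gate.login("alice", "correct horse", cid, text))   # ok
```

The single-use pop on the challenge id is what keeps an attacker from solving one image by hand and then replaying it in a loop; the per-request random image Burak asks for is the same property seen from the other side.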
Current thread:
- Account Lockouts Harrison Gladden (Dec 01)
- Re: Account Lockouts Burak Bilen (Dec 02)
- Re: Account Lockouts Valdis . Kletnieks (Dec 03)
- RE: Account Lockouts David LeBlanc (Dec 02)
- RE: Account Lockouts Michael Silk (Dec 03)
- Re: Account Lockouts Valdis . Kletnieks (Dec 03)
- RE: Account Lockouts Skander Ben Mansour (Dec 06)