WebApp Sec mailing list archives

Re: Account Lockouts


From: Burak Bilen <bilen () metu edu tr>
Date: Thu, 02 Dec 2004 11:20:38 +0200

Many web sites (e.g. Yahoo) use image validation for blocking automatic registration. You can use the same technique. For example, before a user tries to authenticate himself you make him write the thing which is seen on an image inside a textbox. If he writes the thing that is seen on the image wrongly, you don't let him go to the authentication stage. Every time a request comes you should put a random image. This way you make sure that the request is coming from a real person, since it is difficult to recognize the image automatically.

Harrison Gladden wrote:

Hello all,
My question to the group is about handling account lock outs.  Here's
the situation, assume there is a web interface that lets users log in
and do stuff, but the log-in process is constrained by the network
restrictions as well. Meaning if a user tries to log in X times in Y
seconds and fails each time, then the account gets locked out.

What are successful techniques that could be used on the web
interface to avoid having a script run against it that would
potentially lock out 15000 user accounts, and create a headache for
the system administrators who have to manually unlock each account?

Also assume the current user account names are known by everyone.
Possible techniques we've thrown around:
1)  Allow each user to pick their own username instead of using a
standard (i.e. First 3 letters of first name + Full last name)

2) Create a set time-out period for each account of X (maybe an hour)

Hopefully my question makes sense.
Thanks,
Harrison
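The two measures discussed in this exchange, Harrison's lockout after X failures in Y seconds that expires on its own after an hour (so nobody has to unlock 15000 accounts by hand) and Burak's image check in front of the credential check, combined in one small throttle as an added example that is not from either poster. The class, the `captcha_ok` boolean standing in for a real image check, and the scripted scenario in `demo()` are my own assumptions.

```python
import time
from collections import deque

class LoginThrottle:
    """Timed, self-expiring per-account lockout behind a CAPTCHA gate."""

    def __init__(self, max_failures=5, window=60, lockout=3600, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock  # injectable so the demo and tests can use a fake clock
        self._failures, self._locked_until = {}, {}  # user -> failure times / lock expiry

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(user, None)  # expired or never set: clear it
        return False

    def attempt(self, user, captcha_ok, password_ok):
        """Return 'captcha', 'locked', 'fail' or 'ok'."""
        if not captcha_ok:
            return "captcha"  # never reaches the failure counter: scripts cannot lock accounts
        if self.is_locked(user):
            return "locked"
        now = self.clock()
        recent = self._failures.setdefault(user, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()  # only failures inside the last `window` seconds count
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            recent.clear()
            self._locked_until[user] = now + self.lockout  # admin never has to unlock
            return "locked"
        return "fail"

def demo():
    # Scripted scenario on a fake clock (constructed data); returns the outcomes.
    t = [0.0]
    th = LoginThrottle(max_failures=3, window=60, lockout=3600, clock=lambda: t[0])
    out = [th.attempt("alice", captcha_ok=False, password_ok=False)]  # 'captcha'
    out += [th.attempt("alice", True, False) for _ in range(3)]  # fail, fail, locked
    out.append(th.attempt("alice", True, True))  # 'locked' even with the right password
    t[0] += 3601  # the hour passes: lockout expires on its own
    out.append(th.attempt("alice", True, True))  # 'ok'
    out += [th.attempt("alice", True, False) for _ in range(2)]  # fail, fail
    t[0] += 61  # the window slides past those two failures
    out.append(th.attempt("alice", True, False))  # 'fail', not 'locked'
    return out
```

Note that the request without a valid image answer is rejected before any failure is recorded, so it can neither guess a password nor burn down another user's attempt budget.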
