WebApp Sec mailing list archives
RE: Account Lockouts
From: Michael Silk <michaelsilk () gmail com>
Date: Thu, 2 Dec 2004 15:10:21 +1100
Hi,

A pretty easy solution exists and is to use "http://www.captcha.net/" images before locking the account. I.e. 3 or 4 or N invalid attempts results in the next attempt requiring username + password + captcha image response before being processed. In this way a user can still log in (but will need to provide captcha response) but an automated script can't recognise (hopefully :) the captcha image so it can't force the account to be locked :)

-- Michael

PS: Gmail implements it, so you can try it next time you login to your own account :)

-----Original Message-----
From: Harrison Gladden [mailto:hgladden () gmail com]
Sent: Thursday, 2 December 2004 4:52 AM
To: webappsec () securityfocus com; secprog () securityfocus com
Subject: Account Lockouts

Hello all,

My question to the group is about handling account lockouts. Here's the situation: assume there is a web interface that lets users log in and do stuff, but the log-in process is constrained by the network restrictions as well, meaning if a user tries to log in X times in Y seconds and fails each time, then the account gets locked out.

What are successful techniques that could be used on the web interface to avoid having a script run against it that would potentially lock out 15000 user accounts, and create a headache for the system administrators who have to manually unlock each account? Also assume the current user account names are known by everyone.

Possible techniques we've thrown around:
1) Allow each user to pick their own username instead of using a standard (i.e. first 3 letters of first name + full last name)
2) Create a set time-out period for each account of X (maybe an hour)

Hopefully my question makes sense.

Thanks,
Harrison
--
___________________________________
Harrison Gladden <hgladden () gmail com>
Computer Engineer & Science Major
~Past experience: He who never makes mistakes, never did anything that's worth.~
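The step-up Michael describes (N failures, then require username + password + CAPTCHA instead of locking the account), written out as an added example. This is not code from either poster, from Gmail or from captcha.net; it also folds in the "X times in Y seconds" window from Harrison's question so old failures age out. The user table, the CAPTCHA oracle (a dict of challenge id to expected answer standing in for the image service), the `LoginGuard` class and the `attack_then_legit_login` driver are all constructed for the demonstration.

```python
"""Added example: step up to a CAPTCHA after N failed logins instead of locking.

Hypothetical in-memory demo. The password store and the CAPTCHA oracle are
constructed inline so the example runs offline.
"""
import hashlib
import hmac
import time


def _hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 stands in for a real password hash (use bcrypt/argon2)."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample user database: username -> (salt, hash). A real store
# uses a random per-user salt; one shared salt keeps the demo short.
_SALT = b"demo-salt"
USERS = {
    "hgladden": (_SALT, _hash(_SALT, "correct horse")),
    "msilk": (_SALT, _hash(_SALT, "battery staple")),
}
_DUMMY = (_SALT, b"\0" * 32)  # hashed against for unknown users (uniform timing)

# Constructed CAPTCHA oracle: challenge id -> expected answer. In a real
# deployment the id is issued with the login form and the image service
# knows the answer; the client only sees the picture.
CAPTCHAS = {"c1": "7xq2", "c2": "k9pm"}


class LoginGuard:
    """Require a CAPTCHA once an account has `threshold` failures within
    `window` seconds. The account itself is never locked, so a script that
    cannot read the image cannot lock anyone out."""

    def __init__(self, threshold: int = 3, window: float = 600.0):
        self.threshold = threshold
        self.window = window
        self.failures = {}  # username -> list of failure timestamps

    def _recent_failures(self, username: str, now: float) -> int:
        ts = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = ts  # drop failures older than the window
        return len(ts)

    def captcha_required(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self._recent_failures(username, now) >= self.threshold

    def attempt(self, username: str, password: str, captcha=None, now: float = None) -> str:
        """captcha is (challenge_id, answer) or None. Returns one of
        'ok', 'bad_credentials', 'captcha_required', 'bad_captcha'."""
        now = time.time() if now is None else now
        if self.captcha_required(username, now):
            if captcha is None:
                return "captcha_required"
            cid, answer = captcha
            expected = CAPTCHAS.get(cid, "")
            if not hmac.compare_digest(expected, answer):
                # The password is never checked when the CAPTCHA fails, so a
                # wrong CAPTCHA leaks nothing about the password and does not
                # add another failure to the account's counter.
                return "bad_captcha"
        salt, stored = USERS.get(username, _DUMMY)
        if username in USERS and hmac.compare_digest(_hash(salt, password), stored):
            self.failures.pop(username, None)  # success clears the counter
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "bad_credentials"


def attack_then_legit_login(guard: LoginGuard, username: str, guesses, now: float = 0.0):
    """Simulate a guessing script with no CAPTCHA solver, one guess per second,
    then the real user logging in with the right password and CAPTCHA.
    Returns (list of attack results, legitimate user's result)."""
    results = [guard.attempt(username, g, now=now + i) for i, g in enumerate(guesses)]
    legit = guard.attempt(username, "correct horse", captcha=("c1", "7xq2"),
                          now=now + len(guesses))
    return results, legit


if __name__ == "__main__":
    g = LoginGuard(threshold=3, window=600)
    print(attack_then_legit_login(g, "hgladden", ["a", "b", "c", "d", "e"]))
```

The counter is per account, which is exactly what defends against the mass-lockout script in the question; it does nothing against one password tried slowly across 15000 accounts, so in practice the same step-up is also keyed on source address or session, and the CAPTCHA challenge id should be single-use so a solved answer cannot be replayed.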
Current thread:
- Account Lockouts Harrison Gladden (Dec 01)
- Re: Account Lockouts Burak Bilen (Dec 02)
- Re: Account Lockouts Valdis . Kletnieks (Dec 03)
- <Possible follow-ups>
- RE: Account Lockouts David LeBlanc (Dec 02)
- RE: Account Lockouts Michael Silk (Dec 03)
- Re: Account Lockouts Valdis . Kletnieks (Dec 03)
- RE: Account Lockouts Skander Ben Mansour (Dec 06)