RE: Account Lockouts

From: Eric Coleman (eric_smilezhotmail.com)
Date: Thu Dec 02 2004 - 11:35:38 CST


Hi everyone,
   For the situation below, I believe you can use cookies to do the lockout
or base it on IP address if you want to.

   A cookie detects how many wrong passwords you entered, or, if you want
advanced coding, track the usernames they try to log in with; if the amount
is > 10, for example, it is likely to be a script, then just ban that IP
address forever or set the cookies to last forever. Though this isn't
foolproof, it's a good way to prevent script attacks and also resolve the
problem of accidentally locking out many accounts.

   I hope these help.

--------------------------------------------------
Eric's Free Multiplayer Online Games
http://www.dailyfreegames.com/
--------------------------------------------------

>From: Harrison Gladden <hgladdengmail.com>
>Reply-To: Harrison Gladden <hgladdengmail.com>
>To: webappsecsecurityfocus.com, secprogsecurityfocus.com
>Subject: Account Lockouts
>Date: Wed, 1 Dec 2004 11:52:13 -0600
>
>Hello all,
>
>My question to the group is about handling account lockouts. Here's
>the situation: assume there is a web interface that lets users log in
>and do stuff, but the log-in process is constrained by the network
>restrictions as well, meaning if a user tries to log in X times in Y
>seconds and fails each time, then the account gets locked out.
>
>What are successful techniques that could be used on the web
>interface to avoid having a script run against it that would
>potentially lock out 15000 user accounts and create a headache for
>the system administrators who have to manually unlock each account?
>
>Also assume the current user account names are known by everyone.
>
>Possible techniques we've thrown around:
>1) Allow each user to pick their own username instead of using a
>standard (i.e. First 3 letters of first name + Full last name)
>
>2) Create a set time-out period for each account of X (maybe an hour)
>
>
>Hopefully my question makes sense.
>
>Thanks,
>Harrison
>--
>___________________________________
>Harrison Gladden <hgladdengmail.com>
>Computer Engineer & Science Major
>~Past experience: He who never makes
> mistakes, never did anything that's worth.~

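The following is an added example, not code posted by either participant in the thread, of the source-based throttling Eric suggests: failed logins are counted per client address and per distinct username tried from that address, and the address is blocked rather than the account. It keys on the IP rather than a cookie because a script simply discards cookies. The thresholds, the 60-second window, the one-hour ban, the addresses and the fifteen-account user table are all made-up values for the demonstration.

```python
"""Source-based login throttling as an alternative to per-account lockout.

Added example for the thread above, not code from either poster. Every
threshold, address and user below is an assumption made for the demo.
"""
from collections import defaultdict, deque

# Policy knobs (assumed values)
WINDOW_SECONDS = 60            # sliding window for counting failures
MAX_FAILURES_PER_IP = 10       # failed logins from one address in the window
MAX_DISTINCT_USERS_PER_IP = 5  # distinct usernames one address may fail on
BAN_SECONDS = 3600             # how long a tripped address stays blocked


class SourceThrottle:
    """Tracks failed logins by source address instead of by account."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> failure timestamps
        self._users = defaultdict(dict)      # ip -> {username: last failure}
        self._banned_until = {}              # ip -> unban time

    def _prune(self, ip, now):
        """Drop failures and usernames that fell out of the window."""
        q = self._failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        stale = [u for u, t in self._users[ip].items() if now - t > WINDOW_SECONDS]
        for u in stale:
            del self._users[ip][u]

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]   # ban expired
            return False
        return True

    def record_failure(self, ip, username, now):
        """Register a failed login; returns True if this failure trips a ban."""
        self._prune(ip, now)
        self._failures[ip].append(now)
        self._users[ip][username] = now
        if (len(self._failures[ip]) >= MAX_FAILURES_PER_IP
                or len(self._users[ip]) >= MAX_DISTINCT_USERS_PER_IP):
            self._banned_until[ip] = now + BAN_SECONDS
            self._failures[ip].clear()
            self._users[ip].clear()
            return True
        return False

    def record_success(self, ip, now):
        """A good login clears the address's failure history."""
        self._failures[ip].clear()
        self._users[ip].clear()


# Constructed user table; a real system stores password hashes, not passwords.
USERS = {f"user{i:02d}": f"pw{i:02d}" for i in range(1, 16)}


def attempt(throttle, ip, username, password, now):
    """One login attempt. Returns 'ok', 'bad_credentials' or 'banned'."""
    if throttle.is_banned(ip, now):
        return "banned"
    if USERS.get(username) == password:
        throttle.record_success(ip, now)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "bad_credentials"


def simulate():
    """A script cycling through every account versus a clumsy real user."""
    throttle = SourceThrottle()
    attacker, real_user = "203.0.113.7", "198.51.100.2"   # assumed addresses
    results = []
    t = 1000.0
    # The script tries one wrong password against each of the 15 accounts.
    # A per-account lockout would lock all 15; here the address is blocked
    # after it has failed on MAX_DISTINCT_USERS_PER_IP different usernames.
    for name in USERS:
        results.append(attempt(throttle, attacker, name, "guess", t))
        t += 0.1
    # The legitimate user mistypes three times, then gets it right, and is
    # never blocked because the counters are per address.
    for pw in ("wrong", "wrong", "wrong", "pw03"):
        results.append(attempt(throttle, real_user, "user03", pw, t))
        t += 5
    return results


if __name__ == "__main__":
    for r in simulate():
        print(r)
```

In the simulation the attacker gets five "bad_credentials" responses and then nothing but "banned", so ten of the fifteen accounts never see a failed attempt and none of them is locked, while the user on the other address logs in after three typos. Keying on the source address is blunt: a large NAT or proxy shares one address among many users, and an attacker with many addresses gets a fresh budget from each, so in practice this is combined with per-account limits that expire on their own (the timed lockout Harrison mentions) rather than replacing them.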