Re: Account Lockouts
From: Mark Burnett (mb xato.net)
Date: Thu Dec 02 2004 - 14:26:33 CST
I wrote an article not too long ago (http://www.owasp.org/columns/mburnett/brutegeneral.html) that talks about the disadvantages of using account lockouts and suggests some countermeasures. Abusing account lockout is an interesting attack that I suspect might become more refined and more talked about in the future, but for now is largely neglected. For example, one could use selective account lockout to block others from time-sensitive transactions such as auction bids, financial transactions, critical e-mails, etc.
Mark Burnett
--------------------------------------------------------------------
Hacking The Code: ASP.NET Web Application Security
http://www.hackingthecode.com