Re: Account Lockouts

From: Michael Silk (michaelsilkgmail.com)
Date: Thu Dec 02 2004 - 17:02:33 CST


> > And you can only "beat" the captcha in this scenario by getting the password
> > _right_. That would mean sending out a captcha image for each password
> > you attempt.
>
> But remember - once you set it up, it's the same effort for one or a thousand.

Not quite sure what you mean here - obviously for each attempt at
login the captcha image supplied would be different ... such that if
they were to attempt to brute force (or just lock out) 15,000 accounts
that's 15,000 images * a substantial amount.

Finding this many users - and finding such an amount to respond in a
timely manner - would surely not be trivial.

> Well.. "too much to bother with". That's OK - *IF* your threat model consists
> only of attacks by people who will give up if it gets difficult, and doesn't
> include the possibility that you're being attacked by somebody who is seriously
> determined to make life difficult for you.

Sure .. but how would you solve this issue, then, if you were truly
concerned about someone targeting your site specifically to lock out
all the accounts?

Captcha images can be bypassed, you say.

What then ?

A possible solution could be to ask them a secondary question (i.e.
"Secret Question") which must be answered correctly before the request
is processed.

Of course, if the question is predictable or guessable by your
"inside" attacker (i.e. What is your surname?) then it could also be
bypassed - but it would be more difficult.

-- Michael

On Thu, 02 Dec 2004 17:49:31 -0500, valdis.kletnieksvt.edu
<valdis.kletnieksvt.edu> wrote:
> On Fri, 03 Dec 2004 09:38:28 +1100, Michael Silk said:
>
> > And you can only "beat" the captcha in this scenario by getting the password
> > _right_. That would mean sending out a captcha image for each password
> > you attempt.
>
> But remember - once you set it up, it's the same effort for one or a thousand.
>
> > I can't believe you think captcha adds "no" security here. It adds a
> > great deal
> > of complications for someone trying to annoy the site - probably far too much
> > to bother with.
>
> Well.. "too much to bother with". That's OK - *IF* your threat model consists
> only of attacks by people who will give up if it gets difficult, and doesn't
> include the possibility that you're being attacked by somebody who is seriously
> determined to make life difficult for you.
>
> And remember - if they know enough about your system to know that such a script
> would do *anything*, they're either (a) an (probably very disgruntled) insider
> determined to do you harm or (b) an outsider who's *already* invested all the
> effort in figuring out *this* much about your setup.
>
> Remember - we're *NOT* discussing "how to secure it against the bugtraq exploit
> du jour". We're specifically discussing how to secure it against somebody who
> is *already* doing a one-off customized script to do this attack....
>
> If you're not assuming an infinite amount of determination (you're allowed to
> assume finite supplies of resources and technical clue, of course) on the part
> of such an attacker, you need to do a re-examination of your threat model...
>
>
>
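To make the per-attempt captcha idea discussed in the thread concrete, here is an added example (not code from either poster): a failed password only counts toward account lockout when the request carries a valid, single-use captcha answer issued for that attempt, so an unattended script cannot lock accounts without solving one challenge per try. The `LoginGate` class, the plaintext password map and the threshold of 5 are constructed assumptions for illustration.

```python
import hmac
import secrets

LOCKOUT_THRESHOLD = 5   # assumed value; failed attempts before lockout


class LoginGate:
    """Hypothetical per-attempt captcha gate in front of a lockout counter.

    A wrong password increments the failure counter only when the request
    carries a fresh, correct captcha answer; attempts without one are
    rejected before the counter is touched.
    """

    def __init__(self, passwords):
        self.passwords = passwords   # constructed user -> password map (plaintext only for the demo)
        self.failures = {}           # user -> failed attempts counted toward lockout
        self.challenges = {}         # challenge id -> expected answer, single use

    def issue_challenge(self):
        # A real site renders the answer into an image; here it is returned
        # directly so the example runs offline.
        cid = secrets.token_hex(8)
        answer = secrets.token_hex(3)
        self.challenges[cid] = answer
        return cid, answer

    def login(self, user, password, cid=None, answer=None):
        if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        expected = self.challenges.pop(cid, None)   # consume: one challenge per attempt
        if expected is None or not hmac.compare_digest(expected, answer or ""):
            return "captcha_required"   # not counted toward lockout
        if hmac.compare_digest(self.passwords.get(user, ""), password):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad_password"


def unattended_script(gate, user, attempts):
    """Model the scripted lockout from the thread: many bad passwords, no
    captcha solved. Returns how many attempts were counted toward lockout."""
    for _ in range(attempts):
        gate.login(user, "wrong")
    return gate.failures.get(user, 0)
```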