Hi,
A pretty easy solution exists and is to use "http://www.captcha.net/";
images before locking the account.
I.e. 3 or 4 or N invalid attempts results in the next attempt
requiring username + password + captcha image response before being
processed.
In this way a user can still log in (but will need to provide captcha
response) but an automated script can't regonise (hopefully :) the
captcha image so it can't force the account to be locked :)
-- Michael
PS: Gmail implements it, so you can try it next time you login to your
own account :)
-----Original Message-----
From: Harrison Gladden [mailto:hgladden@gmail.com]
Sent: Thursday, 2 December 2004 4:52 AM
To: webappsec@securityfocus.com; secprog@securityfocus.com
Subject: Account Lockouts
Hello all,
My question to the group is about handling account lock outs. Here's
the situation, assume there is a web interface that lets users log in
and do stuff, but the log-in process is constrained by the network
restrictions as well.. Meaning if a user tries to log in X times in Y
seconds and fails each time, then the account get locked out.
What are successfull techniques that could be used on the web
interface to avoid having a script run against it that would
potentially lock out 15000 user accounts, and create a headache for
the system administrators who have to manually unlock each account?
Also assume the current user account names are known by everyone.
Possible techniques we've thrown around:
1) Allow each user to pick their own username instead of using a
standard (i.e. First 3 letters of first name + Full last name)
2) Create a set time-out period for each account of X (maybe an hour)
Hopefully my question makes sense.
Thanks,
Harrison
--
___________________________________
Harrison Gladden <hgladden@gmail.com>
Computer Engineer & Science Major
~Past experience: He who never makes
mistakes, never did anything that's worth.~
