Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Account Lockouts

from [Michael Wojcik] Network Security [Permanent Link]
Subject: RE: Account Lockouts
Date: Mon, 6 Dec 2004 17:48:26 -0800 
From: The Amazing Dragon [mailto:ehem@cs.pdx.edu] 
Sent: Monday, 06 December, 2004 01:22



Using SIRDS as a transformation might be pretty effective against current
recognizers.


I've never had any luck at seeing SIRDS pseudo-images, and I know other
people who've had similar difficulty.  I suspect that SIRDS would exclude
too many users.


Might be
interesting to use patterns similar to color-blindness tests, but then
you need to be able to count on someone to be color-sensitive (though you
can then use this as secondary protection, color-blind get a different
answer).


Thanks.  I'm colorblind (weak green response), too.  (On the other hand, I
rarely forget my passwords...)

And the different mechanism for colorblind users will either be easier to
recognize than the color-discrimination one, in which case the attacker can
target it, or harder, in which case why not use it for everyone?


This still only works as long as someone doesn't produce an OCR that
recognizes them. Only a matter of time.


Indeed.  And it offers no additional strength against human-assisted
attacks, which are probably easier to mount anyway.

CAPTCHAs (what a godawful name) are inherently flawed.  They were created to
distinguish between human users and programs.  That distinction turns out to
be of relatively little value for security in most of the contexts where
CAPTCHAs are being deployed.  CAPTCHAs try to address the wrong problem.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Account Lockouts, David LeBlanc
Next by Date:  RE: Account Lockouts, Cunningham, Andy
Previous by Thread:  RE: Account Lockouts, David LeBlanc
Next by Thread:  RE: Account Lockouts, Cunningham, Andy
Indexes:  [Date] [Thread] [Top] [All Lists]