Cookies can be rejected, modified, and replayed. The persistant cookie
that bears the scarlet letter can easily be rejected or deleted. Same
with the counter. The counter can be modified aswell. Even if you
encrypt the cookie that contains the counter, the attacker could probaly
replay the first cookie that says he's never tried to log in or only tried
once.
I dig the image example others mentioned, although, iv'e been suprised by
how well jocr does with "obfuscated images".
At the end of the day this battle is lost, doesnt hurt to put up a fight
though.
Go go gadget client side certificates.
Blake
On Fri, 3 Dec 2004, Eric Coleman wrote:
Hi everyone,
For the situation below, I believe you can use cookies to do the lockout
or base via IP address if you want to.
A cookie detects how many wrong passwords you entered, or if you want
advanced coding, track the usernames they try to login with, if the amount
is > 10 for example, it is likely to be a script, then just ban that ip
address forever or set the cookies to last forever. Though this isn't
foolproof, it's a good way to prevent script attacks and also resolve the
problem of accidently locking out many accounts.
I hope these help.
--------------------------------------------------
Eric's Free Multiplayer Online Games
http://www.dailyfreegames.com/
--------------------------------------------------
From: Harrison Gladden <hgladden@gmail.com>
Reply-To: Harrison Gladden <hgladden@gmail.com>
To: webappsec@securityfocus.com, secprog@securityfocus.com
Subject: Account Lockouts
Date: Wed, 1 Dec 2004 11:52:13 -0600
Hello all,
My question to the group is about handling account lock outs. Here's
the situation, assume there is a web interface that lets users log in
and do stuff, but the log-in process is constrained by the network
restrictions as well.. Meaning if a user tries to log in X times in Y
seconds and fails each time, then the account get locked out.
What are successfull techniques that could be used on the web
interface to avoid having a script run against it that would
potentially lock out 15000 user accounts, and create a headache for
the system administrators who have to manually unlock each account?
Also assume the current user account names are known by everyone.
Possible techniques we've thrown around:
1) Allow each user to pick their own username instead of using a
standard (i.e. First 3 letters of first name + Full last name)
2) Create a set time-out period for each account of X (maybe an hour)
Hopefully my question makes sense.
Thanks,
Harrison
--
___________________________________
Harrison Gladden <hgladden@gmail.com>
Computer Engineer & Science Major
~Past experience: He who never makes
mistakes, never did anything that's worth.~
_________________________________________________________________
Find it on the web with MSN Search. http://search.msn.com.sg/
