
Re: Account Lockouts

Subject: Re: Account Lockouts
Date: Fri, 3 Dec 2004 10:02:33 +1100
And you can only "beat" the captcha in this scenario by getting the password
_right_. That would mean sending out a captcha image for each password
you attempt.

But remember - once you set it up, it's the same effort for one or a thousand.

Not quite sure what you mean here - obviously for each attempt at
login the captcha image supplied would be different ... such that if
they were to attempt to brute force (or just lock-out) 15,000 accounts
that 15,000 images * a substantial amount.

Finding this many users - and finding such an amount to respond in a
timely manner - would surely not be trivial.


Well.. "too much to bother with".  That's OK - *IF* your threat model consists
only of attacks by people who will give up if it gets difficult, and doesn't
include the possibility that you're being attacked by somebody who is seriously
determined to make life difficult for you.

Sure .. but how would you solve this issue, then, if you were truly
concerned about someone targeting your site specifically to lock out
all the accounts?

Captcha images can be bypassed, you say.

What then ?

A possible solution could be to ask them a secondary question (i.e.
"Secret Question") which must be answered correctly before the request
is processed.

Of course, if the question is predictable or guessable by your
"inside" attacker (i.e: What is your surname?) then it could also be
bypassed - but it would be more difficult.

-- Michael


On Thu, 02 Dec 2004 17:49:31 -0500, valdis.kletnieks@vt.edu
<valdis.kletnieks@vt.edu> wrote:
On Fri, 03 Dec 2004 09:38:28 +1100, Michael Silk said:

And you can only "beat" the captcha in this scenario by getting the password
_right_. That would mean sending out a captcha image for each password
you attempt.

But remember - once you set it up, it's the same effort for one or a thousand.

I can't believe you think captcha adds "no" security here. It adds a great deal
of complications for someone trying to annoy the site - probably far too much
to bother with.

Well.. "too much to bother with".  That's OK - *IF* your threat model consists
only of attacks by people who will give up if it gets difficult, and doesn't
include the possibility that you're being attacked by somebody who is seriously
determined to make life difficult for you.

And remember - if they know enough about your system to know that such a script
would do *anything*, they're either (a) an (probably very disgruntled) insider
determined to do you harm or (b) an outsider who's *already* invested all the
effort in figuring out *this* much about your setup.

Remember - we're *NOT* discussing "how to secure it against the bugtraq exploit
du jour".  We're specifically discussing how to secure it against somebody who
is *already* doing a one-off customized script to do this attack....

If you're not assuming an infinite amount of determination (you're allowed to
assume finite supplies of resources and technical clue, of course) on the part
of such an attacker, you need to do a re-examination of your threat model...
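One way to answer the question raised in this thread, as an added example that is not code from any of the posters: instead of hard-locking an account after N failures (which hands anyone with a username list a lockout tool), the gate escalates to a CAPTCHA plus an exponential delay, so a caller with the correct password and a solved CAPTCHA always gets in. The policy constants, the sample users and the simulated attacker are assumptions made for the demonstration.

```python
# Added illustration, not code from the thread: a login gate that resists a
# lockout denial-of-service by escalating to a CAPTCHA and an exponential
# delay instead of hard-locking the account. Policy values are assumed.
import hmac
from dataclasses import dataclass, field

CAPTCHA_AFTER = 1    # failures before a CAPTCHA is demanded
MAX_BACKOFF = 300.0  # cap on the per-account delay, seconds


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0  # earliest time another attempt is accepted


@dataclass
class LoginGate:
    users: dict                # username -> password (plaintext, demo only)
    state: dict = field(default_factory=dict)
    captcha_checks: int = 0    # CAPTCHA solutions the gate had to verify

    def attempt(self, user, password, now, captcha_ok=None):
        st = self.state.setdefault(user, AccountState())
        if now < st.next_allowed:
            return "delayed"
        if st.failures >= CAPTCHA_AFTER:
            if captcha_ok is None:
                return "captcha_required"  # client must solve one first
            self.captcha_checks += 1
            if not captcha_ok:
                return "captcha_failed"
        stored = self.users.get(user)  # unknown users take the same path
        if stored is not None and hmac.compare_digest(stored, password):
            st.failures, st.next_allowed = 0, 0.0  # right password wins
            return "ok"
        st.failures += 1
        st.next_allowed = now + min(2.0 ** st.failures, MAX_BACKOFF)
        return "bad_password"


def lockout_attack_cost(n_accounts, guesses_per_account):
    """Fire wrong guesses at many accounts (the thread's 15,000-account case).
    Returns (CAPTCHAs the attacker had to solve, a legitimate login's result)."""
    gate = LoginGate({f"user{i}": f"pw{i}" for i in range(n_accounts)})
    t = 0.0
    for i in range(n_accounts):
        for g in range(guesses_per_account):
            t += MAX_BACKOFF  # attacker waits out every delay
            gate.attempt(f"user{i}", f"wrong{g}", t, captcha_ok=True)
    cost = gate.captcha_checks
    return cost, gate.attempt("user0", "pw0", t + MAX_BACKOFF, captcha_ok=True)
```

Each extra guess against an account costs the attacker one CAPTCHA solve, while the account's real owner is never locked out: the correct password plus one CAPTCHA still succeeds after the attack.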



