Network Security Web-App-Sec

Re: Account Lockouts

Subject: Re: Account Lockouts
Date: Thu, 02 Dec 2004 17:24:09 -0500
On Fri, 03 Dec 2004 08:24:47 +1100, Michael Silk said:
> If you are truly concerned about the visually challenged there could
> be a link to a sound which they must play ... but then what if they
> don't have speakers .. etc.

You know that, I know that, but an amazing number of sites that try to
deploy captchas don't actually *do* that...

> As to the not-so obvious problem ... yes, it's an issue to be
> considered, but think about the problem that we are trying to solve
> ... IMO I wouldn't be concerned about this kind of attack.

Actually, you *do* need to consider it.  Remember we're positing the
existence of a script designed to do nasty things by locking out 15K or so 
users.

Sending the "user" a captcha to re-validate their userid isn't a good idea
when there's a known way to beat the captcha.  If you bobble this one, then
all you've done is enabled the attacker to use the captcha to re-enable the
userid so they can toss *another* bunch of invalid attempts for the purpose
of locking the user out again.....

In other words, the use of a captcha doesn't *add* any security at all here -
and if a site Gets It Wrong by coding "if the captcha is solved, it's a person
and not the script, so we can re-enable the account again" they're just
extending the same failure mode....

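A toy model of the lockout/CAPTCHA interaction argued above, added here as an example and not code from the post or from any site discussed; the threshold, class and function names are constructed. It shows that a "solved CAPTCHA means re-enable" unlock path never checks who is asking, so whoever can solve the CAPTCHA can repeat the lockout cycle indefinitely, while an unsolved CAPTCHA simply leaves the account locked.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # constructed: failed logins before the account locks


@dataclass
class Account:
    failed: int = 0
    locked: bool = False


class AuthService:
    """Models a site whose only unlock path is 'solve a CAPTCHA'."""

    def __init__(self, usernames):
        self.accounts = {u: Account() for u in usernames}

    def login(self, user, password_ok):
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if password_ok:
            acct.failed = 0
            return "ok"
        acct.failed += 1
        if acct.failed >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return "bad_password"

    def captcha_unlock(self, user, captcha_solved):
        """The 'Gets It Wrong' logic from the thread: a solved CAPTCHA is taken
        as proof that a human owner is asking, so the account is re-enabled.
        Nothing ties the solver to the account's owner."""
        acct = self.accounts[user]
        if captcha_solved:
            acct.locked = False
            acct.failed = 0
            return True
        return False


def lockout_cycles(service, user, requester_can_solve_captcha, rounds):
    """Count how many times an unauthenticated requester can lock `user`.
    Returns (lock_count, locked_at_end): with a working CAPTCHA solver the
    count equals `rounds`; without one the account stays locked after the
    first cycle, so the legitimate owner is locked out either way."""
    locks = 0
    for _ in range(rounds):
        if service.accounts[user].locked:
            if not service.captcha_unlock(user, requester_can_solve_captcha):
                break  # CAPTCHA holds, but the account remains locked
        for _ in range(LOCKOUT_THRESHOLD):
            service.login(user, password_ok=False)
        if service.accounts[user].locked:
            locks += 1
    return locks, service.accounts[user].locked
```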
