Hi Yuhua,
I'm just weighing the risk and chances of the previous suggested
solutions vs the one I mentioned. The previous suggested solution could
permanently lock out all the innocent users vs this technique where innocent
users are less likely to be lockout and will like I said, it's not fool
proof though it might be more efficient. I mean if you want to talk about ip
spoofing and disable of cookies with that intent, we can talk about Denial
of Service attacks etc, it's never ending, there are pretty much unlimited
ways to hack a system, I don't deny that. What we can do, however, is to
choose a more efficient way to deal with things.
--------------------------------------------------
Eric's Free Multiplayer Online Games
http://www.dailyfreegames.com/
--------------------------------------------------
From: yuzhong <yuzhong@mailbox.syr.edu>
To: "Eric Coleman" <eric_smilez@hotmail.com>, hgladden
<hgladden@gmail.com>
CC: secprog <secprog@securityfocus.com>, webappsec
<webappsec@securityfocus.com>
Subject: RE: Account Lockouts
Date: Thu, 2 Dec 2004 14:42:20 -0500
I think people can use spoofed IP address to get around with that. And
Cookies
ain't no good if users choose to block them out.
Just some intuitive ideas, no offense. :)
Yuhua
>===== Original Message From "Eric Coleman" <eric_smilez@hotmail.com>
=====
>Hi everyone,
> For the situation below, I believe you can use cookies to do the
lockout
>or base via IP address if you want to.
>
> A cookie detects how many wrong passwords you entered, or if you want
>advanced coding, track the usernames they try to login with, if the
amount
>is > 10 for example, it is likely to be a script, then just ban that ip
>address forever or set the cookies to last forever. Though this isn't
>foolproof, it's a good way to prevent script attacks and also resolve the
>problem of accidently locking out many accounts.
>
> I hope these help.
>
>
>--------------------------------------------------
>Eric's Free Multiplayer Online Games
>http://www.dailyfreegames.com/
>--------------------------------------------------
>
>
>
>
>>From: Harrison Gladden <hgladden@gmail.com>
>>Reply-To: Harrison Gladden <hgladden@gmail.com>
>>To: webappsec@securityfocus.com, secprog@securityfocus.com
>>Subject: Account Lockouts
>>Date: Wed, 1 Dec 2004 11:52:13 -0600
>>
>>Hello all,
>>
>>My question to the group is about handling account lock outs. Here's
>>the situation, assume there is a web interface that lets users log in
>>and do stuff, but the log-in process is constrained by the network
>>restrictions as well.. Meaning if a user tries to log in X times in Y
>>seconds and fails each time, then the account get locked out.
>>
>>What are successfull techniques that could be used on the web
>>interface to avoid having a script run against it that would
>>potentially lock out 15000 user accounts, and create a headache for
>>the system administrators who have to manually unlock each account?
>>
>>Also assume the current user account names are known by everyone.
>>
>>Possible techniques we've thrown around:
>>1) Allow each user to pick their own username instead of using a
>>standard (i.e. First 3 letters of first name + Full last name)
>>
>>2) Create a set time-out period for each account of X (maybe an hour)
>>
>>
>>Hopefully my question makes sense.
>>
>>Thanks,
>>Harrison
>>--
>>___________________________________
>>Harrison Gladden <hgladden@gmail.com>
>>Computer Engineer & Science Major
>>~Past experience: He who never makes
>> mistakes, never did anything that's worth.~
>
>_________________________________________________________________
>Find it on the web with MSN Search. http://search.msn.com.sg/
Cheers & Regards!
_________________________________________________________________
Take a break! Find destinations on MSN Travel. http://www.msn.com.sg/travel/
