Re: Account Lockouts

On Fri, 03 Dec 2004 09:38:28 +1100, Michael Silk said:

> And you can only "beat" the captcha in this scenario by getting the password
> _right_. That would mean sending out a captcha image for each password
> you attempt.

But remember - once you set it up, it's the same effort for one or a thousand.

> I can't believe you think captcha add's "no" security here. It add's a
> great deal
> of complications for someone trying to annoy the site - probably far too much
> to bother with.

Well.. "too much to bother with".  That's OK - *IF* your threat model consists
only of attacks by people who will give up if it gets difficult, and doesn't
include the possibility that you're being attacked by somebody who is seriously
determined to make life difficult for you.

And remember - if they know enough about your system to know that such a script
would do *anything*, they're either (a) an (probably very disgruntled) insider
determined to do you harm or (b) an outsider who's *already* invested all the
effort in figuring out *this* much about your setup.

Remember - we're *NOT* discussing "how to secure it against the bugtraq exploit
du jour".  We're specifically discussing how to secure it against somebody who
is *already* doing a one-off customized script to do this attack....

If you're not assuming an infinite amount of determination (you're allowed to
assume finite supplies of resources and technical clue, of course) on the part
of such an attacker, you need to do a re-examination of your threat model...

pgpwL9gK3zAix.pgp
Description: PGP signature