Paul-
Thanks for the response. I agree the implementation isn't great, but
it's all we could come up with so far. Disabling the username isn't
really feasible because we then affect the legitimate owner of that
login - we work in a pretty competitive market and our clients rely on
our service being available 24/7. A customer will generally freak out
if you tell them their account was locked due to illegal access
attempts. Shoot, I know I would - especially if the account is
sensitive, like a bank or something. Their next question would be did
they get in and what did they get?
We discussed blocking, but can't realistically block IP addresses
because large corporations will generally appear as 1 IP address due to
proxies (or similar), and blocking an entire company because of one
computer in their company is, well, kind of silly.
The only thing we can think of right now is look for N failed attempts
from an IP address within X amount of time and notify the appropriate
folks of what's going on.
It's definitely a tricky problem and even some of our better engineers
are having a rough go of trying to figure out a solution. All the
solutions we can think of only slow someone down, not keep them out. We
briefly (like all of 5 seconds) thought of having image verification for
the login, but clearly that's not feasible either. Customers want to
know that their information is secure, but they don't want to be
hindered by that security, and I agree - it should be as transparent as
possible.
If anything else comes to mind, please let me know. Thanks.
-adam
Paul Benedict wrote:
Adam,
Your idea is good but the implementation is bad. The solution presumes a
malicious user is attempting to break passwords through a serialized
attempt: try, wait, try, wait, try, wait, etc. But anyone who can guess at
your methodology will then just spawn N asynchronous requests, which will
then defeat your security measure altogether. A better solution is to
disable the username, perhaps for a couple minutes, after N invalid
attempts. And on your login screen, display the timestamp of the last
successful login. This will give the true user some information as to what
is going on.
Paul
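The two mechanisms discussed in this thread, side by side, as an added example that is not code from either poster: a short per-username lockout after N failures (Paul's suggestion, including the last-successful-login timestamp shown to the real user) and a per-source-IP alert after N failures within X seconds (Adam's plan). Attempts are counted in a sliding window keyed on the log timestamp, so a burst of concurrent requests landing in the same second trips the threshold exactly as a serialized try/wait/try sequence would. The log format, the addresses, the usernames and the thresholds are all assumptions constructed for the example.

```python
"""Failed-login tracking over constructed sample log lines (example code,
not from the thread). Each line is assumed to be:
    <ISO-8601 timestamp> <source ip> <username> <OK|FAIL>
where OK/FAIL is the outcome of the credential check alone."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a five-request burst against "bob" from one IP,
# the real "bob" arriving during the lockout, then the same IP spraying one
# guess each across several usernames (no single user reaches N failures).
SAMPLE_LOG = """\
2024-01-15T10:00:00 203.0.113.5 alice OK
2024-01-15T10:01:00 198.51.100.7 bob FAIL
2024-01-15T10:01:00 198.51.100.7 bob FAIL
2024-01-15T10:01:00 198.51.100.7 bob FAIL
2024-01-15T10:01:00 198.51.100.7 bob FAIL
2024-01-15T10:01:00 198.51.100.7 bob FAIL
2024-01-15T10:02:00 203.0.113.9 bob OK
2024-01-15T10:04:00 203.0.113.9 bob OK
2024-01-15T10:05:00 198.51.100.7 carol FAIL
2024-01-15T10:05:01 198.51.100.7 dave FAIL
2024-01-15T10:05:02 198.51.100.7 erin FAIL
2024-01-15T10:05:03 198.51.100.7 frank FAIL
2024-01-15T10:05:04 198.51.100.7 gina FAIL
"""


class LoginTracker:
    """Sliding-window failure counters per username and per source IP."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 lockout=timedelta(minutes=2)):
        self.threshold = threshold      # N failures
        self.window = window            # within X seconds
        self.lockout = lockout          # "a couple minutes" of username lockout
        self.user_failures = defaultdict(deque)
        self.ip_failures = defaultdict(deque)
        self.locked_until = {}          # username -> datetime
        self.last_success = {}          # username -> datetime, for the login screen
        self.alerts = []                # (timestamp, ip) pairs to notify on

    def _recent(self, timestamps, now):
        """Drop entries older than the window and return the remaining count."""
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()
        return len(timestamps)

    def handle(self, ts, ip, user, password_ok):
        """Return a tuple of tags describing what happened for this attempt."""
        locked = self.locked_until.get(user)
        if locked is not None and ts < locked:
            # Short-circuit before any credential check: this is also what hits
            # the legitimate owner during the lockout, which the thread worries about.
            return ("locked",)
        if password_ok:
            self.user_failures[user].clear()
            self.last_success[user] = ts
            return ("ok",)
        self.user_failures[user].append(ts)
        self.ip_failures[ip].append(ts)
        tags = ["fail"]
        if self._recent(self.user_failures[user], ts) >= self.threshold:
            self.locked_until[user] = ts + self.lockout
            self.user_failures[user].clear()
            tags.append("user_locked")
        if self._recent(self.ip_failures[ip], ts) >= self.threshold:
            self.alerts.append((ts, ip))
            self.ip_failures[ip].clear()   # one alert per burst, not one per attempt
            tags.append("ip_alert")
        return tuple(tags)


def process_log(text, **kwargs):
    """Feed every log line through a tracker; return (tracker, per-line decisions)."""
    tracker = LoginTracker(**kwargs)
    decisions = []
    for line in text.splitlines():
        stamp, ip, user, result = line.split()
        decisions.append(tracker.handle(datetime.fromisoformat(stamp), ip, user, result == "OK"))
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = process_log(SAMPLE_LOG)
    for line, tags in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{line:<45} -> {'+'.join(tags)}")
    for ts, ip in tracker.alerts:
        print(f"ALERT {ts.isoformat()} {ip}: {tracker.threshold} failures within {tracker.window}")
    for user, ts in tracker.last_success.items():
        print(f"last successful login for {user}: {ts.isoformat()}")
```

The second half of the sample shows why the per-IP counter is worth keeping alongside the lockout: spraying one guess per username never trips the per-user threshold, but the source IP still accumulates five failures inside the window and raises an alert. The real "bob" being refused at 10:02:00 is the cost Adam describes, so the lockout is kept to a couple of minutes and the last-success timestamp is surfaced so the true user can tell whether anyone got in.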