Re: Account Lockouts
From: Michael Silk (michaelsilk_at_gmail.com)
Date: 12/02/04
- Previous message: Tarun Bansal: "RE: Account Lockouts"
- Maybe in reply to: Harrison Gladden: "Account Lockouts"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Account Lockouts"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: Account Lockouts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Dec 2004 09:38:28 +1100
To: "valdis.kletnieks@vt.edu" <valdis.kletnieks@vt.edu>
> Sending the "user" a captcha to re-validate their userid isn't a good idea
> when there's a known way to beat the captcha. If you bobble this one, then
> all you've done is enabled the attacker to use the captcha to re-enable the
> userid so they can toss *another* bunch of invalid attempts for the purpose
> of locking the user out again
A known way which is pretty complicated and not just anyone can set up.
And you can only "beat" the captcha in this scenario by getting the password
_right_. That would mean sending out a captcha image for each password
you attempt.
I can't believe you think captcha adds "no" security here. It adds a
great deal of complications for someone trying to annoy the site - probably
far too much to bother with.
-- Michael
On Thu, 02 Dec 2004 17:24:09 -0500, valdis.kletnieks@vt.edu
<valdis.kletnieks@vt.edu> wrote:
> On Fri, 03 Dec 2004 08:24:47 +1100, Michael Silk said:
> > If you are truly concerned about the visually challenged there could
> > be a link to a sound which they must play ... but then what if they
> > don't have speakers .. etc.
>
> You know that, I know that, but an amazing number of sites that try to
> deploy captchas don't actually *do* that...
>
> > As to the not-so obvious problem ... yes, it's an issue to be
> > considered, but think about the problem that we are trying to solve
> > ... IMO I wouldn't be concerned about this kind of attack.
>
> Actually, you *do* need to consider it. Remember we're positing the
> existence of a script designed to do nasty things by locking out 15K or so users.
>
> Sending the "user" a captcha to re-validate their userid isn't a good idea
> when there's a known way to beat the captcha. If you bobble this one, then
> all you've done is enabled the attacker to use the captcha to re-enable the
> userid so they can toss *another* bunch of invalid attempts for the purpose
> of locking the user out again.....
>
> In other words, the use of a captcha doesn't *add* any security at all here -
> and if a site Gets It Wrong by coding "if the captcha is solved, it's a person
> and not the script, so we can re-enable the account again" they're just extending
> the same failure mode....
>
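As an added illustration of the two designs being argued over in this exchange (this is not code from the thread or from either poster; the policy class names, the threshold of five failures and the `captcha_solved` flag are my own assumptions), here is a small simulation of the lockout script running against a "solve a CAPTCHA to re-enable the account" flow and against a "CAPTCHA on every attempt once the counter trips" flow:

```python
"""Simulation of two account-lockout designs under a lockout-DoS script.

Added example, not code from the mailing-list thread. The policy classes,
the MAX_FAILURES threshold and the captcha_solved flag are assumptions
made for illustration; the passwords below are constructed sample data.
"""
from dataclasses import dataclass

MAX_FAILURES = 5  # assumed threshold before the site reacts


@dataclass
class Account:
    username: str
    password: str
    failures: int = 0
    locked: bool = False


class UnlockByCaptchaPolicy:
    """The failure mode Valdis describes: N bad passwords hard-lock the
    account, and anyone who solves a CAPTCHA re-enables it. A script that
    can beat the CAPTCHA simply alternates lock / unlock / lock."""

    def login(self, acct: Account, password: str) -> str:
        if acct.locked:
            return "locked"
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return "bad-password"

    def unlock(self, acct: Account, captcha_solved: bool) -> bool:
        # The account is re-enabled on the strength of the CAPTCHA alone;
        # nothing here proves the requester knows the password.
        if captcha_solved:
            acct.locked = False
            acct.failures = 0
            return True
        return False


class CaptchaPerAttemptPolicy:
    """Michael's model: the account is never hard-locked. Once the counter
    trips, every further attempt must carry a solved CAPTCHA, and only a
    correct password (with CAPTCHA) clears the counter. There is nothing
    for the script to "re-enable" and nothing it can lock."""

    def login(self, acct: Account, password: str,
              captcha_solved: bool = False) -> str:
        if acct.failures >= MAX_FAILURES and not captcha_solved:
            # Refused before the password is even compared.
            return "captcha-required"
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "bad-password"


def naive_scenario() -> list:
    """Lockout script vs. unlock-by-CAPTCHA: the real user stays locked out."""
    acct = Account("alice", "correct horse battery staple")
    p = UnlockByCaptchaPolicy()
    log = []
    for _ in range(MAX_FAILURES):          # round 1: script locks the account
        p.login(acct, "letmein")
    log.append(("alice", p.login(acct, acct.password)))   # locked
    p.unlock(acct, captcha_solved=True)    # script (or the site) re-enables it
    for _ in range(MAX_FAILURES):          # round 2: script locks it again
        p.login(acct, "letmein")
    log.append(("alice", p.login(acct, acct.password)))   # locked again
    return log


def per_attempt_scenario() -> list:
    """Lockout script vs. CAPTCHA-per-attempt: the real user still gets in."""
    acct = Account("alice", "correct horse battery staple")
    p = CaptchaPerAttemptPolicy()
    log = []
    for _ in range(MAX_FAILURES):          # script burns its free guesses
        p.login(acct, "letmein")
    log.append(("script", p.login(acct, "letmein")))                        # captcha-required
    # A script that does solve CAPTCHAs gains nothing but another failure;
    # a wrong password locks nobody out, it just cost the script a CAPTCHA.
    log.append(("script", p.login(acct, "letmein", captcha_solved=True)))   # bad-password
    log.append(("alice", p.login(acct, acct.password)))                     # captcha-required
    log.append(("alice", p.login(acct, acct.password, captcha_solved=True)))  # ok
    return log


if __name__ == "__main__":
    print("unlock-by-captcha :", naive_scenario())
    print("captcha-per-attempt:", per_attempt_scenario())
```

The difference between the two is exactly the one the thread turns on: in the first design the CAPTCHA gates the *unlock*, so whoever beats it (user or script) resets the same hard lock, while in the second the CAPTCHA gates each *attempt*, so a script has to pay one CAPTCHA per password guess and still cannot deny the legitimate user, who only needs the right password plus one CAPTCHA.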