Re: Account Lockouts

From: Michael Silk (michaelsilk_at_gmail.com)
Date: 12/02/04

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Account Lockouts"
    Date: Fri, 3 Dec 2004 09:38:28 +1100
    To: "valdis.kletnieks@vt.edu" <valdis.kletnieks@vt.edu>

    > Sending the "user" a captcha to re-validate their userid isn't a good idea
    > when there's a known way to beat the captcha. If you bobble this one, then
    > all you've done is enabled the attacker to use the captcha to re-enable the
    > userid so they can toss *another* bunch of invalid attempts for the purpose
    > of locking the user out again

    A known way which is pretty complicated and not just anyone can set up.

    And you can only "beat" the captcha in this scenario by getting the password
    _right_. That would mean sending out a captcha image for each password
    you attempt.

    I can't believe you think captcha adds "no" security here. It adds a
    great deal of complications for someone trying to annoy the site - probably
    far too much to bother with.

    -- Michael

    On Thu, 02 Dec 2004 17:24:09 -0500, valdis.kletnieks@vt.edu
    <valdis.kletnieks@vt.edu> wrote:
    > On Fri, 03 Dec 2004 08:24:47 +1100, Michael Silk said:
    > > If you are truly concerned about the visually challenged there could
    > > be a link to a sound which they must play ... but then what if they
    > > don't have speakers .. etc.
    >
    > You know that, I know that, but an amazing number of sites that try to
    > deploy captchas don't actually *do* that...
    >
    > > As to the not-so obvious problem ... yes, it's an issue to be
    > > considered, but think about the problem that we are trying to solve
    > > ... IMO I wouldn't be concerned about this kind of attack.
    >
    > Actually, you *do* need to consider it. Remember we're positing the
    > existence of a script designed to do nasty things by locking out 15K or so users.
    >
    > Sending the "user" a captcha to re-validate their userid isn't a good idea
    > when there's a known way to beat the captcha. If you bobble this one, then
    > all you've done is enabled the attacker to use the captcha to re-enable the
    > userid so they can toss *another* bunch of invalid attempts for the purpose
    > of locking the user out again.....
    >
    > In other words, the use of a captcha doesn't *add* any security at all here -
    > and if a site Gets It Wrong by coding "if the captcha is solved, it's a person
    > and not the script, so we can re-enable the account again" they're just extending
    > the same failure mode....

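As an added illustration, not code from either poster, the two lockout policies the thread contrasts, written as a small Python simulation: a login handler that re-enables a locked account as soon as a captcha is solved ("it's a person, not the script"), beside one where the captcha only gates the attempt and the lock clears only on a correct password, which is the case Michael describes where the captcha can only be "beaten" by getting the password right. The lock threshold, the account and the credential values are constructed for the simulation.

```python
from dataclasses import dataclass

LOCK_THRESHOLD = 5  # wrong guesses before the account locks (assumed value for the simulation)


@dataclass
class Account:
    password: str
    failed: int = 0
    locked: bool = False


def login_reenable_on_captcha(acct, password, captcha_ok):
    """Flawed policy from the thread: a solved captcha is taken as proof of a
    person, so it re-enables a locked account before the password is checked."""
    if acct.locked:
        if not captcha_ok:
            return "locked"
        acct.locked, acct.failed = False, 0  # unlocked on captcha alone
    if password == acct.password:
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= LOCK_THRESHOLD:
        acct.locked = True
    return "bad-password"


def login_captcha_gates_attempt(acct, password, captcha_ok):
    """Stricter policy: once locked, a solved captcha only buys one attempt;
    only a correct password clears the lock and the failure counter."""
    if acct.locked and not captcha_ok:
        return "locked"
    if password == acct.password:
        acct.locked, acct.failed = False, 0
        return "ok"
    if not acct.locked:
        acct.failed += 1
        acct.locked = acct.failed >= LOCK_THRESHOLD
    return "bad-password"


def evaluate(policy):
    """Drive one policy with a constructed script that locks the account, then
    solves the captcha with a wrong password; report what each party can do."""
    acct = Account(password="correct-horse")  # constructed sample credential
    for _ in range(LOCK_THRESHOLD):
        policy(acct, "not-it", captcha_ok=False)
    assert acct.locked  # the lockout itself happens under both policies
    policy(acct, "not-it", captcha_ok=True)  # captcha solved, password still wrong
    attacker_reenabled = not acct.locked
    user_recovers = policy(acct, "correct-horse", captcha_ok=True) == "ok"
    return {"attacker_reenabled": attacker_reenabled, "user_recovers": user_recovers}
```

Under the first policy the script can unlock and relock the account indefinitely, which is the failure mode Valdis describes; under the second it stays locked until someone presents the right password, while the legitimate user can still recover.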
