OK, so adding to my list of features...track number of failed logins!

Kevin Horn

On Feb 9, 2008 9:23 PM, Paul Johnston <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> > Hmmm, hadn't thought about captchas...what exactly would that
> > require? Just the ability to show the user some extra info, and
> > receive some extra info from the user? or is there something else I'm
> > not thinking of?
>
> They're sometimes used to prevent brute force password attacks. They can
> also be used to prevent a particular kind of DOS attack. So, you have
> your normal login, and after three bad passwords instead of locking the
> account, require a captcha for each login attempt.
>
> I've seen this in use on a few live sites, seems to work ok. To be
> honest though, most sites just have lockout on three bad passwords and
> live with the denial of service risk (maybe expiring lockouts after 1
> hour). I've not seen that be a problem in practice.
>
> Paul
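
The two policies discussed in this thread (captcha after three bad passwords, or lockout that expires after one hour), sketched as an added example that is not part of the original messages or of TurboGears. The class name, method names and the injected `clock` parameter are hypothetical; the caller is assumed to verify the password and the captcha itself and pass in the results.

```python
import time

THRESHOLD = 3            # "three bad passwords", as in the thread
LOCKOUT_SECONDS = 3600   # "expiring lockouts after 1 hour"

class FailedLoginTracker:
    """Per-account failed-login counter (hypothetical helper, not a TurboGears API)."""

    def __init__(self, policy="captcha", clock=time.time):
        if policy not in ("captcha", "lockout"):
            raise ValueError(policy)
        self.policy = policy
        self.clock = clock      # injectable so expiry can be tested without sleeping
        self._state = {}        # username -> (failure_count, time_of_last_failure)

    def _failures(self, user):
        count, last = self._state.get(user, (0, 0.0))
        # Lockout policy: the count expires, so a locked account reopens by itself.
        if self.policy == "lockout" and count and self.clock() - last >= LOCKOUT_SECONDS:
            self._state.pop(user, None)
            return 0
        return count

    def requirement(self, user):
        """What the login form must demand now: 'password', 'captcha' or 'locked'."""
        if self._failures(user) < THRESHOLD:
            return "password"
        return "captcha" if self.policy == "captcha" else "locked"

    def attempt(self, user, password_ok, captcha_ok=False):
        """Record one login attempt; return True only if the login is accepted."""
        need = self.requirement(user)
        if need == "locked":
            return False        # refused outright; does not extend the lockout
        if need == "captcha" and not captcha_ok:
            return False        # unsolved captcha: the password is not evaluated
        if password_ok:
            self._state.pop(user, None)   # success resets the counter
            return True
        self._state[user] = (self._failures(user) + 1, self.clock())
        return False
```

With the captcha policy the legitimate user can still get in after the threshold is reached, while the lockout policy refuses even a correct password until the hour has passed.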
