On Tue, 4 Aug 2009 16:40:27 -0400 Bob Fishel <b...@bobforthejob.com> wrote:
> On Tue, Aug 4, 2009 at 1:45 AM, Bob Fishel <b...@bobforthejob.com> wrote:
> >
> > From the API documentation:
> >
> > "Because this method can be a vector for a brute force dictionary
> > attack to determine a user's password, it is limited to 15 requests
> > per 60 minute period (starting from your first request)."
> >
> > Is this per user?
> >
> > i.e.: if my server queries user A and gets credentials verified OK,
> > after 14 other users verify am I locked out, or is it just after 15
> > tries for the same user? The former would seem illogical, but I just
> > want to make sure...
> >
> > Thanks,
> >
> > Bob
>
> I hate to "bump" this, as it were, but does anyone have any insight?
>
> Thanks,
>
> Bob

The actual behavior is 15 requests, regardless of success, per username.

I tested it by using curl with one account until I got an error, then I tried it with a different account - successfully - and retried the first account to make sure the block was still in place. I also changed the source IP address in curl to verify that access is not tracked by IP address.

I would strongly recommend OAuth for verifying users, or at least making it an option, as there is a DoS attack possible against service providers who rely on this API for access to their app.

Chris Babcock
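The lockout Chris describes is easy to reproduce against a model of the limiter. The following is an added example, not code from the thread or from the API vendor: it implements a credential-check endpoint with the behaviour the curl test observed (budget of 15 per 60-minute window keyed on username only, every attempt counted whether or not the password is right, source IP ignored) and then shows the denial-of-service: an attacker who knows only a victim's username spends that victim's budget with wrong passwords, and the legitimate service, from a different IP and with the right password, is refused until the window expires. The usernames, passwords and IP addresses are constructed test data; `CredentialVerifier`, `FakeClock` and `lockout_demo` are names chosen here, not API identifiers.

```python
import time

WINDOW_SECONDS = 60 * 60   # "per 60 minute period (starting from your first request)"
LIMIT = 15                 # "limited to 15 requests"


class FakeClock:
    """Controllable clock so the window expiry can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CredentialVerifier:
    """Model of the endpoint as observed in the thread (assumption: a fixed
    window that opens at the first request for that username).

    - budget keyed on username only
    - every attempt counts, successful or not
    - source IP is accepted but deliberately ignored
    """

    def __init__(self, users, clock=time.monotonic):
        self._users = dict(users)   # username -> password (constructed data)
        self._clock = clock
        self._windows = {}          # username -> [window_start, count]

    def verify(self, username, password, source_ip):
        """Return 'ok', 'unauthorized' or 'rate_limited'."""
        now = self._clock()
        window = self._windows.get(username)
        if window is None or now - window[0] >= WINDOW_SECONDS:
            window = [now, 0]
            self._windows[username] = window
        if window[1] >= LIMIT:
            # Budget exhausted: the password is not even looked at.
            return "rate_limited"
        window[1] += 1
        return "ok" if self._users.get(username) == password else "unauthorized"


def lockout_demo():
    """Reproduce the DoS: attacker burns the victim's budget, victim's own
    service is then refused from another IP, unrelated user is unaffected,
    and the budget returns once the window expires."""
    clock = FakeClock()
    api = CredentialVerifier({"alice": "correct horse", "bob": "hunter2"}, clock)
    results = {}

    # Attacker knows only the username; 15 wrong passwords from one IP.
    results["attacker_attempts"] = [
        api.verify("alice", f"guess-{i}", "203.0.113.7") for i in range(LIMIT)
    ]

    # Legitimate service, different IP, correct password: still locked out.
    results["victim_from_service"] = api.verify("alice", "correct horse", "198.51.100.5")

    # Another user's budget is separate, so that user is unaffected.
    results["other_user"] = api.verify("bob", "hunter2", "198.51.100.5")

    # The block lifts only when the window opened by the first request ends.
    clock.advance(WINDOW_SECONDS)
    results["victim_after_window"] = api.verify("alice", "correct horse", "198.51.100.5")
    return results


if __name__ == "__main__":
    for name, value in lockout_demo().items():
        print(f"{name}: {value}")
```

The attacker needs 15 requests per victim per hour, from anywhere, to keep that user out of every application that authenticates through this call. That is why the thread's recommendation of OAuth matters: once the application holds a per-user token instead of re-sending the password on every request, the verification budget is no longer something a third party can spend on the user's behalf.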