But, if you only show the captcha after so many failed logins, wouldn't that be okay? You let them try a few times and if they are still failing, you initiate the captcha.
On Fri, Dec 5, 2008 at 12:48 PM, Bruno Cesar Borges <[EMAIL PROTECTED]> wrote:

> I'm totally against captcha. It's annoying for users and just one more
> obstacle for criminals - they will always find a way to break it. What I
> really suggest is:
>
> 1) use HTTPS (obviously)
> 2) require a strong password from your users
> 3) if your user tries logging in more than X times, disable his/her account
> and redirect them to some "Forgot your password?" page. And they will have
> to answer some question related to their profile to get an email with a link
> to reset their password.
>
> This is how I usually code websites with user/password support. The reason
> I don't like captcha is that I want to let power users use the browser's
> password remembering feature, and most of them hate having to type again
> some silly word drawn on some silly image. And I also don't want to annoy
> non-power users, but still protect them.
>
> :-)
>
> -----Original Message-----
> From: Maarten Bosteels [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 05, 2008 3:37 PM
> To: users@wicket.apache.org
> Subject: Re: Thread.sleep() for only one session
>
> If you're trying to defend against a brute-force password guessing attack,
> you could add a captcha to your logon form after x failed login attempts
> from one IP address.
>
> Maarten
>
> On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson <[EMAIL PROTECTED]> wrote:
>
> > You definitely do NOT want to intentionally sleep a thread - that halts the
> > request, and uses up your thread pool. You instead want the request to
> > complete, but you don't want to allow them to continue trying. So, that
> > being said, you could:
> >
> > 1 - add a value to their session like "private long blockedFromSignInUntil"
> > and when they've exceeded your threshold, set that for ten minutes in the
> > future. This isn't bulletproof since they could start a new session by
> > using a new window / browser / blowing away cookies.
> > 2 - if it's on a per-username (rather than a per-session) basis, add a
> > similar value to the user - not allowed signin until.... This is probably
> > better anyway, because if I'm "nefarious guy" and I'm trying to sign in to
> > "mr nice guy" account, you lock "mr nice guy" account because you are in
> > fact detecting an identity theft attempt.
> > 3 - you could do a combo of the above so that I, "nefarious guy", when I
> > get blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
> > account.
> >
> > Then, just have your sign in form be aware of that value in session or user
> > and not allow a sign in to that account or from that session until the
> > timeout has expired.
> >
> > But as a general rule of thumb, never use Thread.sleep in a web app -
> > especially somewhere in the request cycle. It'll be shooting yourself in
> > the foot.
> >
> > Hope this helps,
> >
> > --
> > Jeremy Thomerson
> > http://www.wickettraining.com
> >
> > On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <[EMAIL PROTECTED]> wrote:
> >
> > > Hello all Wicket users.
> > >
> > > One more question today.
> > > I need to implement the appearance of a sleep if a "user" (session, IP
> > > address) tries an incorrect login many times.
> > > Thread.sleep() seems to stop all sessions at once. Any ideas?
> > >
> > > Thank you!
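Jeremy's three options (a per-session "blocked until" value, a per-account one, and the combination) can be implemented without any sleeping thread. The class below is an added example written for this page; it is plain Java with no Wicket API and is not code from the thread or from the Wicket project. The names (LoginThrottle, State, the 3-failure threshold, the 10-minute lockout) are illustrative assumptions; wiring it into a sign-in form is the reader's job.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/**
 * Non-blocking login throttle (added example, not Wicket code).
 * Instead of Thread.sleep(), every failure updates a "blocked until"
 * timestamp for two keys: the target account and the requesting source
 * (session id or client IP). The request completes normally; only the
 * password check is refused while a block is active.
 */
public final class LoginThrottle {

    /** Per-key counter. Guarded by synchronizing on the instance. */
    private static final class State {
        int failures;       // consecutive failures since last reset
        long blockedUntil;  // epoch millis; 0 means not blocked
    }

    private final int threshold;          // failures allowed before a block starts
    private final long lockoutMillis;     // how long a block lasts
    private final LongSupplier clock;     // injectable; System::currentTimeMillis in production
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public LoginThrottle(int threshold, long lockoutMillis, LongSupplier clock) {
        this.threshold = threshold;
        this.lockoutMillis = lockoutMillis;
        this.clock = clock;
    }

    /**
     * Option 3 from the thread: refuse if EITHER the account OR the source is
     * blocked. Call this before verifying the password, so a blocked caller
     * never gets a password check (or a "user exists" hint) at all.
     */
    public boolean isBlocked(String username, String source) {
        return isKeyBlocked("user:" + username) || isKeyBlocked("src:" + source);
    }

    /**
     * Record a failed password check against both keys. Call it for unknown
     * usernames too, so the response timing does not reveal which accounts
     * exist. Returns true if this failure started a new block, which is the
     * moment worth logging as a probable brute-force attempt.
     */
    public boolean recordFailure(String username, String source) {
        boolean newBlock = fail("user:" + username);
        newBlock |= fail("src:" + source);
        return newBlock;
    }

    /**
     * A successful login clears the account's counter only. The source
     * counter is deliberately kept, so an attacker cannot reset it by
     * logging into an account they control in between guesses.
     */
    public void recordSuccess(String username) {
        states.remove("user:" + username);
    }

    private boolean isKeyBlocked(String key) {
        State s = states.get(key);
        if (s == null) return false;
        synchronized (s) {
            return s.blockedUntil > clock.getAsLong();
        }
    }

    private boolean fail(String key) {
        long now = clock.getAsLong();
        State s = states.computeIfAbsent(key, k -> new State());
        synchronized (s) {
            if (s.blockedUntil != 0 && s.blockedUntil <= now) {
                // previous block has expired: start counting again from zero
                s.failures = 0;
                s.blockedUntil = 0;
            }
            s.failures++;
            if (s.failures >= threshold && s.blockedUntil == 0) {
                s.blockedUntil = now + lockoutMillis;
                return true;
            }
            return false;
        }
    }

    /** Stand-alone demonstration with a fake clock (constructed data). */
    public static void main(String[] args) {
        long[] fakeNow = {0L};
        LoginThrottle t = new LoginThrottle(3, 10 * 60 * 1000L, () -> fakeNow[0]);

        // "nefarious guy" in session-A guesses "mr nice guy" three times
        for (int i = 0; i < 3; i++) t.recordFailure("mr nice guy", "session-A");

        System.out.println(t.isBlocked("mr nice guy", "session-B"));      // same account, fresh session
        System.out.println(t.isBlocked("mr unsuspecting", "session-A"));  // other account, same session
        System.out.println(t.isBlocked("mr unsuspecting", "session-B"));  // unrelated account and session

        fakeNow[0] += 10 * 60 * 1000L + 1;                                // advance past the lockout
        System.out.println(t.isBlocked("mr nice guy", "session-A"));
    }
}
```

Two caveats a practitioner should weigh before deploying this. The per-account block has the side effect Jeremy points to as a feature: anyone who knows a username can lock its owner out by sending a few wrong passwords, so keep the lockout short and pair it with a "forgot your password?" recovery path rather than a permanent disable. The per-source block is only as strong as the source identifier: a session id is trivially discarded (new window, no cookies), so keying on the client IP as well, as Maarten suggests, is the more useful half, while remembering that many users can share one IP behind a NAT or proxy.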