Indeed.

-----Original Message-----
From: James Carman [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2008 3:52 PM
To: users@wicket.apache.org
Subject: Re: Thread.sleep() for only one session


But, if you only show the captcha after so many failed logins, wouldn't that
be okay?  You let them try a few times and if they are still failing, you
initiate the captcha.

On Fri, Dec 5, 2008 at 12:48 PM, Bruno Cesar Borges <
[EMAIL PROTECTED]> wrote:

> I'm totally against captcha. It's annoying for users and just one more
> obstacle for criminals - they will always find a way to break it. What I
> really suggest is:
>
> 1) use HTTPS (obviously)
> 2) require your users to have a strong password
> 3) if your user tries to log in more than X times, disable his/her account
> and redirect them to some "Forgot your password?" page. And they will have
> to answer some question related to their profile to get an email with a link
> to reset their password.
>
> This is how I usually code websites with user/password support. The reason
> I don't like captcha is that I want to let power users use the browser's
> password-remembering feature, and most of them hate having to type again
> some silly word drawn on some silly image. And I also don't want to annoy
> non-power users, but still protect them.
>
> :-)
>
> -----Original Message-----
> From: Maarten Bosteels [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 05, 2008 3:37 PM
> To: users@wicket.apache.org
> Subject: Re: Thread.sleep() for only one session
>
>
> If you're trying to defend against a brute-force password guessing attack,
> you could add a captcha to your logon form after x failed login attempts
> from one IP address.
>
> Maarten
>
> On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson <[EMAIL PROTECTED]> wrote:
>
> > You definitely do NOT want to intentionally sleep a thread - that halts
> > the request, and uses up your thread pool.  You instead want the request
> > to complete, but you don't want to allow them to continue trying.  So,
> > that being said, you could:
> >
> > 1 - add a value to their session like "private long blockedFromSignInUntil"
> > and when they've exceeded your threshold, set that for ten minutes in the
> > future.  This isn't bulletproof since they could start a new session by
> > using a new window / browser / blowing away cookies.
> > 2 - if it's on a per-username (rather than a per-session) basis, add a
> > similar value to the user - not allowed signin until....  This is
> > probably better anyway, because if I'm "nefarious guy" and I'm trying to
> > sign in to "mr nice guy" account, you lock "mr nice guy" account because
> > you are in fact detecting an identity theft attempt.
> > 3 - you could do a combo of the above so that I, "nefarious guy", when I
> > get blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
> > account.
> >
> > Then, just have your sign-in form be aware of that value in session or
> > user and not allow a sign in to that account or from that session until
> > the timeout has expired.
> >
> > But as a general rule of thumb, never use Thread.sleep in a web app -
> > especially somewhere in the request cycle.  It'll be shooting yourself in
> > the foot.
> >
> > Hope this helps,
> >
> > --
> > Jeremy Thomerson
> > http://www.wickettraining.com
> >
> >
> > On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <
> > [EMAIL PROTECTED]> wrote:
> >
> > > Hello all Wicket users.
> > >
> > > One more question today.
> > > I need to implement the appearance of a sleep if a "user" (session, IP
> > > address) tries an incorrect login many times.
> > > Thread.sleep() seems to stop all sessions at once. Any ideas?
> > >
> > > Thank you!
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
>
> ***************************************************************************************************
> "Warning: This message was sent for the exclusive use of the addressees
> identified above and may contain confidential and/or privileged information
> or documents whose secrecy is protected by law. If you have received it by
> mistake, please notify the sender and delete it from your system. Be advised
> that the law forbids its retention, dissemination, distribution, copying or
> use without express authorization from the sender. Personal opinions of the
> sender do not necessarily reflect CETIP's point of view, which is only
> divulged by authorized personnel."
> ***************************************************************************************************
>
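Editor's added example, not code from this thread or from Wicket: a failed-login throttle in the shape Jeremy describes, with nothing ever sleeping. Each wrong password bumps a counter for the session and for the target username; once either crosses the threshold that scope gets a "blockedFromSignInUntil" instant, and the sign-in form asks isBlocked() before it even checks the password, so the request completes normally and no pool thread is tied up. The class and method names, the three-attempt threshold, the ten-minute block, the in-memory map and the session ids in main() are all assumptions chosen for illustration; in a Wicket app the session-scoped value would live on your session object and the per-username value on the user record, as Jeremy suggests.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example (hypothetical names): non-blocking login throttle combining
// Jeremy's per-session and per-username "blocked until" values.
public final class LoginThrottle {

    /** A counter is kept per session id and per username (options 1 and 2 in the thread). */
    public enum Scope { SESSION, USERNAME }

    private static final class Key {
        private final Scope scope;
        private final String id;
        Key(Scope scope, String id) { this.scope = scope; this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof Key && ((Key) o).scope == scope && ((Key) o).id.equals(id);
        }
        @Override public int hashCode() { return Objects.hash(scope, id); }
    }

    private static final class Counter {
        int failures;                          // wrong passwords in the current window
        Instant blockedUntil = Instant.EPOCH;  // EPOCH means "not blocked"
    }

    private final Clock clock;       // injected so the behaviour can be tested without waiting
    private final int maxFailures;
    private final Duration blockFor;
    private final Map<Key, Counter> counters = new HashMap<>();

    public LoginThrottle(Clock clock, int maxFailures, Duration blockFor) {
        this.clock = clock;
        this.maxFailures = maxFailures;
        this.blockFor = blockFor;
    }

    /** The sign-in form calls this first and simply refuses to try the password while true. */
    public synchronized boolean isBlocked(String sessionId, String username) {
        return blockedUntil(sessionId, username).isAfter(clock.instant());
    }

    /** Later of the session's and the username's block expiry (option 3: both apply). */
    public synchronized Instant blockedUntil(String sessionId, String username) {
        Instant s = expiry(Scope.SESSION, sessionId);
        Instant u = expiry(Scope.USERNAME, username);
        return s.isAfter(u) ? s : u;
    }

    /** Called after a wrong password: charge the attempt to both scopes. */
    public synchronized void recordFailure(String sessionId, String username) {
        bump(Scope.SESSION, sessionId);
        bump(Scope.USERNAME, username);
    }

    /** A correct password wipes the session's and the account's counters. */
    public synchronized void recordSuccess(String sessionId, String username) {
        counters.remove(new Key(Scope.SESSION, sessionId));
        counters.remove(new Key(Scope.USERNAME, username));
    }

    // Read-only lookup: probing isBlocked() with made-up usernames must not grow the map.
    private Instant expiry(Scope scope, String id) {
        Counter c = counters.get(new Key(scope, id));
        return c == null ? Instant.EPOCH : c.blockedUntil;
    }

    private void bump(Scope scope, String id) {
        Counter c = counters.computeIfAbsent(new Key(scope, id), k -> new Counter());
        Instant now = clock.instant();
        if (!c.blockedUntil.equals(Instant.EPOCH) && !now.isBefore(c.blockedUntil)) {
            c.failures = 0;                    // an expired block was served: start a fresh window
            c.blockedUntil = Instant.EPOCH;
        }
        if (++c.failures >= maxFailures) {
            c.blockedUntil = now.plus(blockFor);
            c.failures = 0;
        }
    }

    public static void main(String[] args) {
        // Fixed clock keeps the walk-through deterministic; a real app passes Clock.systemUTC().
        Clock clock = Clock.fixed(Instant.parse("2008-12-05T15:00:00Z"), ZoneOffset.UTC);
        LoginThrottle throttle = new LoginThrottle(clock, 3, Duration.ofMinutes(10));

        String nefarious = "session-A";        // constructed session ids for the demo
        for (int i = 0; i < 3; i++) {
            throttle.recordFailure(nefarious, "mr nice guy");
        }
        System.out.println("same session, same account:  " + throttle.isBlocked(nefarious, "mr nice guy"));
        System.out.println("other session, same account: " + throttle.isBlocked("session-B", "mr nice guy"));
        System.out.println("same session, other account: " + throttle.isBlocked(nefarious, "mr unsuspecting"));
        System.out.println("other session, other account:" + throttle.isBlocked("session-B", "mr unsuspecting"));
        System.out.println("blocked until: " + throttle.blockedUntil(nefarious, "mr nice guy"));
    }
}
```

The four checks in main() walk through the thread's argument: the username scope locks "mr nice guy" for every session, the session scope stops "nefarious guy" from moving on to "mr unsuspecting", and the last check shows the gap Jeremy warns about, a fresh session against a fresh account still gets through, which is why a per-IP counter, a captcha after N failures, or Bruno's reset-by-email flow is usually layered on top. Two caveats a practitioner should weigh before copying the per-username half: blocking an account on failed attempts lets anyone lock a legitimate user out on purpose, so a short block or a captcha step is usually preferable to a hard disable, and an in-memory HashMap like the one above needs expiry or a bounded cache in production so that attempts against non-existent usernames cannot grow it without limit.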

