That's what Maarten was suggesting, I believe. I agree that captchas are no fun for your users, but if you don't turn them on all the time, I think they can be useful for blocking brute-force attacks. I would think that even with captcha turned on, if the login fails a number of times more, you should probably just disable the account (as you suggested). Perhaps send them a link via email that says "your account password has been because of too many failed login attempts..."
On Fri, Dec 5, 2008 at 1:00 PM, Bruno Cesar Borges <[EMAIL PROTECTED]> wrote:
> Indeed.
>
> -----Original Message-----
> From: James Carman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 05, 2008 3:52 PM
> To: users@wicket.apache.org
> Subject: Re: Thread.sleep() for only one session
>
> But, if you only show the captcha after so many failed logins, wouldn't that be okay? You let them try a few times and if they are still failing, you initiate the captcha.
>
> On Fri, Dec 5, 2008 at 12:48 PM, Bruno Cesar Borges <[EMAIL PROTECTED]> wrote:
> > I'm totally against captcha. It's annoying for users and just one more obstacle for criminals - they will always find a way to break it. What I really suggest is:
> >
> > 1) use HTTPS (obviously)
> > 2) require your users to have a strong password
> > 3) if your user tries to log in more than X times, disable his/her account and redirect them to some "Forgot your password?" page. And they will have to answer some question related to their profile to get an email with a link to reset their password.
> >
> > This is how I usually code websites with user/password support. The reason I don't like captcha is that I want to let power users use the browser's password remembering feature, and most of them hate having to type again some silly word drawn on some silly image. And I also don't want to annoy non-power users, but still protect them.
> >
> > :-)
> >
> > -----Original Message-----
> > From: Maarten Bosteels [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 05, 2008 3:37 PM
> > To: users@wicket.apache.org
> > Subject: Re: Thread.sleep() for only one session
> >
> > If you're trying to defend against a brute-force password guessing attack, you could add a captcha to your logon form after x failed login attempts from one IP address.
> >
> > Maarten
> >
> > On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson <[EMAIL PROTECTED]> wrote:
> > > You definitely do NOT want to intentionally sleep a thread - that halts the request, and uses up your thread pool. You instead want the request to complete, but you don't want to allow them to continue trying. So, that being said, you could:
> > >
> > > 1 - add a value to their session like "private long blockedFromSignInUntil" and when they've exceeded your threshold, set that for ten minutes in the future. This isn't bulletproof since they could start a new session by using a new window / browser / blowing away cookies.
> > > 2 - if it's on a per-username (rather than a per-session) basis, add a similar value to the user - not allowed signin until.... This is probably better anyway, because if I'm "nefarious guy" and I'm trying to sign in to "mr nice guy" account, you lock "mr nice guy" account because you are in fact detecting an identity theft attempt.
> > > 3 - you could do a combo of the above so that I, "nefarious guy", when I get blocked from "mr nice guy" account, can't move on to "mr unsuspecting" account.
> > >
> > > Then, just have your sign in form be aware of that value in session or user and not allow a sign in to that account or from that session until the timeout is expired.
> > >
> > > But as a general rule of thumb, never use Thread.sleep in a web app - especially somewhere in the request cycle. It'll be shooting yourself in the foot.
> > >
> > > Hope this helps,
> > >
> > > --
> > > Jeremy Thomerson
> > > http://www.wickettraining.com
> > >
> > > On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <[EMAIL PROTECTED]> wrote:
> > > > Hello all Wicket users.
> > > >
> > > > One more question today.
> > > > I need to implement the appearance of a sleep if a "user" (session, IP address) tries an incorrect login many times.
> > > > Thread.sleep() seems to stop all sessions at once. Any ideas?
> > > >
> > > > Thank you!
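One way to put Jeremy's options 1 to 3 (a "blocked until" timestamp per session and per account) and James's captcha-after-N-failures idea into code, as an added example that is not from the thread or from Wicket itself: plain Java with no Wicket dependency, and the class, method names, thresholds and the fake clock are assumptions. A sign-in form would call check() before verifying the password and recordFailure() after a wrong one; the request completes normally either way and nothing ever calls Thread.sleep().

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

public final class SignInThrottle {
    public enum Decision { ALLOW, REQUIRE_CAPTCHA, BLOCKED }
    private static final class Tally { int failures; long blockedUntil; }

    private final int captchaAfter, blockAfter; // failures before captcha / before outright refusal
    private final long blockMillis;             // how long a "blocked until" lasts
    private final LongSupplier clock;           // injected so the demo can advance time without waiting
    private final Map<String, Tally> byAccount = new HashMap<>(); // option 2: per username
    private final Map<String, Tally> bySession = new HashMap<>(); // option 1: per session

    public SignInThrottle(int captchaAfter, int blockAfter, long blockMillis, LongSupplier clock) {
        this.captchaAfter = captchaAfter; this.blockAfter = blockAfter;
        this.blockMillis = blockMillis; this.clock = clock;
    }

    /** Ask before verifying the password; the sign-in form renders according to the answer. */
    public synchronized Decision check(String account, String sessionId) {
        long now = clock.getAsLong();
        Tally a = tally(byAccount, account, now), s = tally(bySession, sessionId, now);
        if (a.blockedUntil > now || s.blockedUntil > now) return Decision.BLOCKED;
        return Math.max(a.failures, s.failures) >= captchaAfter ? Decision.REQUIRE_CAPTCHA : Decision.ALLOW;
    }

    /** Record a wrong password against both the account and the session (option 3: the combination). */
    public synchronized void recordFailure(String account, String sessionId) {
        long now = clock.getAsLong();
        for (Tally t : new Tally[] { tally(byAccount, account, now), tally(bySession, sessionId, now) }) {
            if (++t.failures >= blockAfter) t.blockedUntil = now + blockMillis;
        }
    }

    // Fetch or create a tally; an expired block resets its counter so the next round starts clean.
    private static Tally tally(Map<String, Tally> map, String key, long now) {
        Tally t = map.computeIfAbsent(key, k -> new Tally());
        if (t.blockedUntil != 0 && t.blockedUntil <= now) { t.failures = 0; t.blockedUntil = 0; }
        return t;
    }

    public static void main(String[] args) {
        long[] now = { 0L }; // constructed fake clock, in milliseconds
        SignInThrottle t = new SignInThrottle(3, 5, 600_000L, () -> now[0]);
        for (int i = 0; i < 5; i++) t.recordFailure("mr nice guy", "session-A");
        System.out.println(t.check("mr nice guy", "session-B"));     // BLOCKED: the account is locked
        System.out.println(t.check("mr unsuspecting", "session-A")); // BLOCKED: so is the session
        now[0] += 600_001L;
        System.out.println(t.check("mr nice guy", "session-B"));     // ALLOW: block expired, counter reset
    }
}
```

Because the account half locks on failures alone, anyone can lock a victim out for one block period by guessing wrong on purpose; the time-limited expiry keeps that a temporary nuisance rather than the permanent disable Bruno describes, which needs a reset-by-email path.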