On 2011-08-07 11:26 +0700, michael kapelko wrote:
> This paper is reasonable, but what if I just make a limit of invalid
> logins? Say, one can only try 5 wrong passwords for a certain login
> within an hour. If he fails to enter the correct password five
> times, block login for an hour. That way, the speed of hashing won't
> matter; an attacker will have to wait.
> If he continues to enter the wrong password for, like, 5 hours, he can be
> blocked for a day, and so on.
> Won't this help here?
The point is not whether attackers can brute force your accounts via the login page. If they get ahold of your database (e.g., they somehow manage to dump it), they won't be able to brute force the accounts in a reasonable amount of time, thus buying you time to fix security issues and have users reset their passwords. Another point is that you can avoid using the secret, because secrets are very fragile. Since the chance of accounts getting brute-forced is now significantly lower, you can drop secrets and just use salts.

-- 
Branko Vukelic
[email protected]
[email protected]
Lead Developer
Herd Hound (tm) - Travel that doesn't bite
www.herdhound.com
Love coffee? You might love Loveffee, too.
loveffee.appspot.com

-- 
You received this message because you are subscribed to the Google Groups "web.py" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/webpy?hl=en.
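The distinction Branko draws (online rate limiting vs. an attacker who has dumped the table and runs the hash offline) is easier to see with numbers. The following is an added example, not code from the thread or from web.py: it stores passwords with PBKDF2-HMAC-SHA256 and a per-user random salt (the "salt only, no secret" scheme the reply recommends; the "secret" in the reply is what is usually called a pepper), puts a plain unsalted SHA-256 store beside it as the "before" case, and then plays the offline attacker against a constructed dump of three users with a constructed six-word wordlist. The iteration count, user names, passwords and wordlist are all assumptions chosen for illustration; the login-page lockout from the question is deliberately absent, because it never runs in this scenario.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Sequence, Tuple

# Assumed work factor. Tune it so one verification costs tens of
# milliseconds on the server; the attacker then pays the same per guess.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    The salt is random per user, so identical passwords give different
    records and a guess must be re-hashed for every user separately.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def fast_unsalted_record(password: str) -> str:
    """The 'before' scheme: a single SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_fast(record: str, wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """Offline attacker vs. the unsalted table: one SHA-256 per guess, and
    because there is no salt the same digest matches every user who chose
    that password. Returns (password or None, guesses hashed)."""
    for n, guess in enumerate(wordlist, 1):
        if fast_unsalted_record(guess) == record:
            return guess, n
    return None, len(wordlist)


def crack_slow(record: str, wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """Offline attacker vs. the PBKDF2 record: the full work factor is paid
    for every guess, and again for every other user because salts differ."""
    _, iters, salt_hex, digest_hex = record.split("$")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    for n, guess in enumerate(wordlist, 1):
        if hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, int(iters)) == target:
            return guess, n
    return None, len(wordlist)


def demo() -> dict:
    """Simulate a dumped user table under both schemes and attack it offline."""
    # Constructed data: two users share a weak password, one chose a strong one.
    users = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
    # Constructed attacker wordlist; the weak password is its 4th entry.
    wordlist = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

    fast_table = {u: fast_unsalted_record(p) for u, p in users.items()}
    slow_table = {u: hash_password(p) for u, p in users.items()}

    t0 = time.perf_counter()
    fast_alice = crack_fast(fast_table["alice"], wordlist)
    t_fast = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow_alice = crack_slow(slow_table["alice"], wordlist)
    t_slow = time.perf_counter() - t0

    return {
        # Unsalted: alice and bob have the same digest, cracking one cracks both.
        "unsalted_collide": fast_table["alice"] == fast_table["bob"],
        # Salted: same password, different records, work cannot be shared.
        "salted_distinct": slow_table["alice"] != slow_table["bob"],
        "fast_alice": fast_alice,
        "slow_alice": slow_alice,
        # The strong password is not in the list; attacker exhausts it and fails.
        "slow_carol": crack_slow(slow_table["carol"], wordlist),
        "seconds_fast": t_fast,
        "seconds_slow": t_slow,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ratio `seconds_slow / seconds_fast` is the factor the attacker's offline budget is divided by; multiply it by the number of users (since salts prevent sharing work) and by the size of a realistic wordlist to estimate how much of the time Branko mentions you actually buy. Nothing in the login-page lockout from the question enters this calculation, which is the whole point of his reply.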
