superdezign wrote:
        Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
kaisellgren wrote:
    Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.

Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.
How (un)secure do you consider passwords
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: How (un)secure do you consider passwords
superdezign wrote:
        Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
kaisellgren wrote:
    Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.

That doesn't sound like a bad thing: you get warned that the attack is going on (if you don't have other warning measures, that is).
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: How (un)secure do you consider passwords
superdezign wrote:
    Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.

I could use CAPTCHA on administrative accounts by default, but the strength of my login credentials is enough for my purpose, and the same applies to all administrators. It's a question of usability and security. If someone wants to brute force our login system, he would need so much time that the sun will explode before he succeeds, unless he is very, very lucky. It would be wiser to find another way to get in.

Mordred wrote:
    That doesn't sound like a bad thing: you get warned that the attack is going on (if you don't have other warning measures, that is).

True, although I prefer to keep responsibilities where they belong, meaning that CAPTCHAs would distinguish between humans and bots, and my system, which told me about "suspicious activity", would alert me.
Re: How (un)secure do you consider passwords
arjan.top wrote:
    Not per IP, per username: you add a counter to the user table, every unsuccessful attempt would increment the count, and the count would be set to 0 when the captcha is solved.

I take it this method you use blocks the account after so many failed attempts? If so, bring on the mass user-account blocking. Probably equally as annoying as having the actual account breached. You shouldn't fix failed attempts to a user's account.
Re: How (un)secure do you consider passwords
Nothing is blocked; the user just has to solve the captcha the next time she logs in.
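The scheme the thread converges on (a per-username failure counter rather than an account lock, a CAPTCHA required once the counter crosses a threshold, the counter reset to 0 when the CAPTCHA is solved, CAPTCHA on every attempt for administrative accounts, and an alert when the threshold is crossed) as an added example. This is constructed illustration code, not code posted by anyone in the thread; the threshold of 3, the `User` record, the hypothetical `LoginThrottle` class and the sample users are all assumptions made here.

```python
"""Per-username login throttle with CAPTCHA gating (constructed example).

A failed attempt increments a counter stored with the user, not per IP.
Once the counter reaches CAPTCHA_THRESHOLD the next login must carry a
solved CAPTCHA; a solved CAPTCHA resets the counter to 0.  Nothing is ever
locked.  Admin accounts need a CAPTCHA on every attempt, and reaching the
threshold raises an alert so the operator learns an attack is under way.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CAPTCHA_THRESHOLD = 3  # assumed value; the thread talks about 2-3 failed tries


@dataclass
class User:
    password: str            # plaintext only for the demo; store a hash in practice
    is_admin: bool = False
    failed_attempts: int = 0  # the "counter in the user table"


class LoginThrottle:
    """Hypothetical login front end implementing the thread's scheme."""

    def __init__(self, users: Dict[str, User],
                 alert: Optional[Callable[[str, int], None]] = None) -> None:
        self.users = users
        self.alerts: List[Tuple[str, int]] = []  # what the operator would see
        self._alert = alert or (lambda name, n: self.alerts.append((name, n)))

    def captcha_required(self, username: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False  # unknown names carry no counter
        return user.is_admin or user.failed_attempts >= CAPTCHA_THRESHOLD

    def login(self, username: str, password: str,
              captcha_solved: bool = False) -> str:
        user = self.users.get(username)
        if user is None:
            return "denied"  # same answer as a wrong password, no user enumeration
        if self.captcha_required(username) and not captcha_solved:
            return "captcha_required"
        if captcha_solved:
            user.failed_attempts = 0  # solving the CAPTCHA resets the counter
        # constant-time comparison; replace with a password-hash verify in practice
        if hmac.compare_digest(user.password.encode(), password.encode()):
            user.failed_attempts = 0
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts == CAPTCHA_THRESHOLD:
            self._alert(username, user.failed_attempts)  # "suspicious activity"
        return "denied"


def demo() -> Tuple[List[str], List[Tuple[str, int]]]:
    """Run the constructed scenario and return (results, alerts)."""
    users = {
        "alice": User(password="correct horse"),
        "admin": User(password="s3cret", is_admin=True),
    }
    throttle = LoginThrottle(users)
    results = [throttle.login("alice", "wrong") for _ in range(3)]  # three failures
    results.append(throttle.login("alice", "correct horse"))        # now gated
    results.append(throttle.login("alice", "correct horse", captcha_solved=True))
    results.append(throttle.login("admin", "s3cret"))               # admin: always gated
    results.append(throttle.login("admin", "s3cret", captcha_solved=True))
    return results, throttle.alerts


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Because the counter lives in the user table, a username that does not exist has no counter and gets the same "denied" response as a wrong password, so the throttle does not leak which accounts exist. And because the thread's rule resets the counter on a solved CAPTCHA rather than on a successful login, each solved CAPTCHA buys up to `CAPTCHA_THRESHOLD` un-gated guesses; if that matters for your site, reset the counter only on a successful login and keep the CAPTCHA requirement until then.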
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: How (un)secure do you consider passwords
I've also seen companies use blocks successfully. Their "CAPTCHA" is a phone call. 