Page 2 of 2
Re: How (un)secure do you consider passwords
Posted: Tue Sep 15, 2009 7:31 am
by superdezign
kaisellgren wrote:
superdezign wrote: Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.
Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 15, 2009 10:11 am
by Mordred
kaisellgren wrote:
superdezign wrote: Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" on one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.
That doesn't sound like a bad thing; you get to be warned that the attack is going on (if you don't have other warning measures, that is).
Re: How (un)secure do you consider passwords
Posted: Tue Sep 15, 2009 1:10 pm
by kaisellgren
superdezign wrote: Then you could display the captcha after the account lock on normal accounts, and for every attempt on administrative accounts.
I could use CAPTCHA on administrative accounts by default, but the strength of my login credentials is enough for my purpose, and the same applies to all administrators. It's a question of usability and security. If someone wants to brute force our login system, he would need so much time that the sun will explode before he succeeds, unless he is very, very lucky. It would be wiser to find another way to get in.
Mordred wrote: That doesn't sound like a bad thing; you get to be warned that the attack is going on (if you don't have other warning measures, that is).
True, although I prefer to keep responsibilities where they belong, meaning that CAPTCHAs would distinguish between humans and bots and let my system, which told me about "suspicious activity", alert me.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 15, 2009 2:14 pm
by AlexC
arjan.top wrote: Not per IP, per username: you add a counter to the user table; every unsuccessful attempt would increment the count, and the count would be set to 0 when the CAPTCHA is solved.
I take it this method you use blocks the account after so many failed attempts? If so, bring on the mass user-account blocking. Probably equally annoying as having the actual account breached. You shouldn't fix failed attempts to a user's account.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 15, 2009 3:07 pm
by arjan.top
Nothing is blocked; the user just has to solve the CAPTCHA the next time she logs in.
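To make the two schemes in this thread concrete, here is an added example (not code from any poster) of arjan.top's per-username counter that reaches for a CAPTCHA instead of a lock, combined with superdezign's rule of a CAPTCHA on every attempt against administrative accounts, and kaisellgren's wish that the system itself raise the "suspicious activity" alert. The threshold of 3, the admin list and the in-memory dicts are assumptions; the caller does the real password check and passes it in as a callable so that it is skipped whenever the CAPTCHA gate rejects.

```python
from dataclasses import dataclass, field
from typing import Callable

# Policy from the thread: normal accounts only get a CAPTCHA after several
# failures, administrative accounts get one on every attempt, and no account
# is ever locked. The threshold and the admin list are assumed values.
CAPTCHA_AFTER_FAILURES = 3
ADMIN_ACCOUNTS = {"admin", "kaisellgren"}  # constructed for this example


@dataclass
class LoginGate:
    failures: dict = field(default_factory=dict)  # username -> consecutive failures
    rejected: dict = field(default_factory=dict)  # username -> attempts stopped by CAPTCHA
    alerts: list = field(default_factory=list)    # "suspicious activity" notices

    def captcha_required(self, username: str) -> bool:
        if username in ADMIN_ACCOUNTS:
            return True
        return self.failures.get(username, 0) >= CAPTCHA_AFTER_FAILURES

    def attempt(self, username: str, check_password: Callable[[], bool],
                captcha_ok: bool = False) -> str:
        """Outcome of one login attempt: 'ok', 'wrong_password' or 'captcha_required'.

        check_password is the caller's real credential check; captcha_ok says
        whether a CAPTCHA was solved on this request.
        """
        if self.captcha_required(username) and not captcha_ok:
            # The password is never evaluated here, so a bot that cannot solve
            # the CAPTCHA learns nothing about whether its guess was right.
            self.rejected[username] = self.rejected.get(username, 0) + 1
            if self.rejected[username] == CAPTCHA_AFTER_FAILURES:
                self.alerts.append(f"{username}: repeated attempts stopped by CAPTCHA")
            return "captcha_required"
        if captcha_ok:
            # arjan.top's rule: solving the CAPTCHA resets the counter.
            self.failures[username] = 0
        if check_password():
            self.failures[username] = 0  # assumption: a real login also clears it
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] == CAPTCHA_AFTER_FAILURES:
            self.alerts.append(f"{username}: {CAPTCHA_AFTER_FAILURES} consecutive failures")
        return "wrong_password"
```

In a real deployment the counters live in the user table (as arjan.top describes) rather than in process memory, and the alert list would feed whatever monitoring the site already has.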
Re: How (un)secure do you consider passwords
Posted: Wed Sep 16, 2009 7:34 am
by superdezign
I've also seen companies use blocks successfully. Their "CAPTCHA" is a phone call.
