I've seen this on many web sites, and I implemented it on one of mine. Say you have it set up so that if a user fails a login 5 times, they must wait 15 minutes to try again.
Perfect.
But what if some script kiddie decides to run a script after he's gathered hundreds of login usernames, effectively disabling the login for hundreds of members at a time?
I don't see how something like that can be avoided, unless you make sure the form came from your domain, and even then that's not going to stop an attack like this from happening.
login timeout after failed attempts
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Even if there were one-time tokens, what's to stop, say, a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.
This scenario would be using my actual form (and the token generated) to submit the form.
feyd (Neighborhood Spidermoddy; Posts: 31559; Joined: Mon Mar 29, 2004 3:24 pm; Location: Bothell, Washington, USA) wrote:

scottayy wrote:
    Even if there were one-time tokens, what's to stop, say, a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.
    This scenario would be using my actual form (and the token generated) to submit the form.

It's only a temporary lock. You could always log the IP addresses along with failed logins.
So that's the only con I can think of to using this type of system.
In general terms, are you for or against locking the login after X fails in X tries?
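A worked version of the scheme from the opening post (5 failures, then a 15-minute lock on the account), with feyd's suggestion of logging the source IP alongside each failure, and extended so that the IP itself is throttled too. This is an added example, not code from the thread or from any of the posters; `LoginThrottle`, `spray_attack`, `FakeClock`, the thresholds (5 per account, 20 per IP) and the 198.51.100.x / 203.0.113.x addresses are assumptions chosen for illustration. The spray attack that scottayy describes is simulated so the two configurations can be compared.

```python
"""Failed-login throttling with per-account and per-IP lockouts.

Added example, not code from the forum thread. LoginThrottle, spray_attack,
FakeClock, the thresholds and the IP addresses are illustrative assumptions.
"""
import time
from collections import defaultdict, deque


class FakeClock:
    """Injectable clock so lock expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Counts failed logins per account and per source IP.

    Per-account rule (the scheme in the thread): max_user_fails failures
    within `window` seconds locks the account for `lock` seconds.
    Per-IP rule (extending feyd's "log the IP" suggestion): an IP that
    produces max_ip_fails failures within `window` seconds, across any
    accounts, is refused before the account counter is touched, so one
    script spraying hundreds of usernames is cut off at the source.
    Pass max_ip_fails=None to get the naive per-account-only behaviour.
    """

    def __init__(self, max_user_fails=5, max_ip_fails=20, window=900, lock=900,
                 clock=time.monotonic):
        self.max_user_fails = max_user_fails
        self.max_ip_fails = max_ip_fails
        self.window = window
        self.lock = lock
        self.clock = clock
        self._user_fails = defaultdict(deque)   # username -> failure timestamps
        self._ip_fails = defaultdict(deque)     # ip -> failure timestamps
        self._user_lock_until = {}
        self._ip_lock_until = {}
        self.log = []                           # (timestamp, username, ip) per failure

    def _prune(self, dq, now):
        # Drop failures that fell out of the sliding window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def blocked_reason(self, username, ip):
        """Return 'ip', 'account' or None. Call this before verifying the password."""
        now = self.clock()
        if self._ip_lock_until.get(ip, 0) > now:
            return "ip"
        if self._user_lock_until.get(username, 0) > now:
            return "account"
        return None

    def record_failure(self, username, ip):
        """Register a wrong password and return the lock state after counting it."""
        now = self.clock()
        self.log.append((now, username, ip))    # feyd's suggestion: keep the IP with the failure
        if self.max_ip_fails is not None:
            dq = self._ip_fails[ip]
            self._prune(dq, now)
            dq.append(now)
            if len(dq) >= self.max_ip_fails:
                self._ip_lock_until[ip] = now + self.lock
                dq.clear()
        dq = self._user_fails[username]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= self.max_user_fails:
            self._user_lock_until[username] = now + self.lock
            dq.clear()
        return self.blocked_reason(username, ip)

    def record_success(self, username):
        self._user_fails.pop(username, None)

    def attempt(self, username, password, ip, check_password):
        """Full login path: refuse early if locked, otherwise verify and count."""
        reason = self.blocked_reason(username, ip)
        if reason:
            return False, reason
        if check_password(username, password):
            self.record_success(username)
            return True, None
        return False, self.record_failure(username, ip)


def spray_attack(throttle, usernames, attacker_ip, attempts_per_user=5):
    """Simulate the thread's scenario: one script, one IP, wrong passwords for
    every harvested username. Returns how many accounts end up locked for a
    legitimate owner connecting from a different (constructed) address."""
    for user in usernames:
        for i in range(attempts_per_user):
            throttle.attempt(user, f"guess{i}", attacker_ip, lambda u, p: False)
    return sum(1 for u in usernames
               if throttle.blocked_reason(u, "203.0.113.9") == "account")


if __name__ == "__main__":
    members = [f"member{i}" for i in range(100)]
    naive = LoginThrottle(max_ip_fails=None, clock=FakeClock())
    guarded = LoginThrottle(clock=FakeClock())
    print("per-account lock only:", spray_attack(naive, members, "198.51.100.7"), "accounts locked")
    print("with per-IP lock too:  ", spray_attack(guarded, members, "198.51.100.7"), "accounts locked")
```

With only the per-account rule, the script locks every one of the 100 harvested accounts; with the per-IP rule added, the attacking address is refused after its 20th failure and only the first four accounts are locked, while the failure log still holds the attacker's IP for later blocking. Two caveats a deployment needs: a single per-IP threshold will also lock out legitimate users sharing a NAT or proxy, and an attacker with many addresses spreads the failures thin, so this is usually combined with locking the (IP, account) pair rather than the account alone, a CAPTCHA after a few failures, or notifying the account owner instead of hard-locking.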