Isn't this, essentially, the same security weakness that would be an
issue with anything that requires a username/password?  If my pair is
"jim/jim1" it'll be easy to crack, but even "jim/!iz+$8,9#qlww" is going
to be considerably harder to muscle.

What about disabling access from account "jim" if I fail to provide a
valid login within 5 tries or so?

- Jim

Michael Dinowitz wrote:

> It looks to me like there's a problem with web services, specifically
> the ones that allow logins. Basically, a username/password is sent to
> the service and it responds with data if the person is a valid user.
> What stops someone from using the web service again and again to test
> a un/pw until they get the right one? Maybe the answer is obvious and
> I don't see it.
>
> checking amount of attempts per IP - ip can be forged
> checking amount of attempts per UN - scheduled attempt or multiple UN tries
> hidden communications key in stream - can be 'seen' (combined with SSL
> might work)
> --
> Michael Dinowitz
> Finding technical solutions to the problems you didn't know you had yet
>
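As an added example (mine, not code from either poster), here is a small Python sketch of the two counters the thread discusses: a per-username lockout after Jim's "5 tries or so", plus a per-IP counter so that spraying many usernames from one address is also slowed. It replays a constructed sequence of login attempts and returns the decision for each. The threshold of 5 is from the thread; the 15-minute failure window and lockout duration, the `LoginThrottle` class, and `check_login`/`replay` are my assumptions, and `password_ok` stands in for whatever real credential check the service performs.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5           # lockout threshold, as suggested in the thread
WINDOW_SECONDS = 15 * 60   # assumed: failures older than this are forgotten
LOCKOUT_SECONDS = 15 * 60  # assumed: how long a key stays locked


class LoginThrottle:
    """Counts recent failures per key (a username or a client IP) and locks
    the key once the threshold is reached within the window."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> time the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: start fresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Returns True if this failure triggered a lock."""
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def check_login(user_throttle, ip_throttle, username, ip, password_ok, now):
    """Decide one attempt. The lock check runs before the credential check, so a
    locked account answers 'locked' whether or not the password was right."""
    if user_throttle.is_locked(username, now) or ip_throttle.is_locked(ip, now):
        return "locked"
    if password_ok:
        user_throttle.record_success(username)
        return "ok"
    user_throttle.record_failure(username, now)  # counts even if IPs differ
    ip_throttle.record_failure(ip, now)          # counts even if usernames differ
    return "denied"


# Constructed sample: (username, client_ip, password_ok, time_in_seconds).
# Five failures on "jim" arrive from five different addresses, which a
# per-IP counter alone would never notice; the per-username counter does.
SAMPLE_ATTEMPTS = [
    ("jim", "10.0.0.1", False, 0),
    ("jim", "10.0.0.1", False, 1),
    ("jim", "10.0.0.2", False, 2),
    ("jim", "10.0.0.3", False, 3),
    ("jim", "10.0.0.4", False, 4),     # fifth failure: "jim" is now locked
    ("jim", "10.0.0.5", True, 5),      # correct password, still refused
    ("ann", "10.0.0.1", True, 6),      # other users unaffected
    ("jim", "10.0.0.5", True, 905),    # lock has expired, login succeeds
]


def replay(attempts):
    """Run a list of attempts through fresh throttles; returns one decision each."""
    user_throttle, ip_throttle = LoginThrottle(), LoginThrottle()
    return [check_login(user_throttle, ip_throttle, u, ip, ok, t)
            for (u, ip, ok, t) in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", decision)
```

The per-username lock is what actually stops a guessing run spread across addresses, and the per-IP lock is what slows one address trying many usernames. The trade-off Jim's suggestion carries is that anyone who knows a username can deliberately lock that user out for the lockout period, so a time-limited lock (rather than a permanent one) and logging of lock events are the usual companions to this check.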