Isn't this, essentially, the same security weakness that would be an
issue with anything that requires a username/password? If my pair is
"jim/jim1" it'll be easy to crack, but even "jim/!iz+$8,9#qlww" is going
to be considerably harder to muscle.
What about disabling access from account "jim" if I fail to provide a
valid login within 5 tries or so?
- Jim
Michael Dinowitz wrote:
> It looks to me like there's a problem with web services, specifically the ones
> that allow logins. Basically, a username/password is sent to the service and it
> responds with data if the person is a valid user. What stops someone from using
> the web service again and again to test a un/pw until they get the right one?
> Maybe the answer is obvious and I don't see it.
>
> checking amount of attempts per IP - ip can be forged
> checking amount of attempts per UN - scheduled attempt or multiple UN tries
> hidden communications key in stream - can be 'seen' (combined with SSL might work)
> --
> Michael Dinowitz
> Finding technical solutions to the problems you didn't know you had yet
>
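Added example (not code from either poster): a per-account throttle that implements Jim's "disable the account after 5 failed tries" idea and is keyed on the username rather than the IP, since the thread notes the IP can be forged. The credential store, the 15-minute window and the 15-minute lockout are constructed assumptions.

```python
import hmac
from collections import defaultdict

# Constructed sample credential store; a real service would hold salted hashes.
USERS = {"jim": "!iz+$8,9#qlww"}

MAX_FAILURES = 5        # Jim's "5 tries or so"
WINDOW = 15 * 60        # seconds a failure stays counted (assumed value)
LOCKOUT = 15 * 60       # seconds the account stays disabled (assumed value)


class LoginThrottle:
    """Counts failed logins per username and disables the account once the
    failures inside WINDOW reach MAX_FAILURES. Keyed on the username, not on
    the caller's IP, because the thread points out that the IP can be forged."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)   # username -> failure timestamps
        self._locked_until = {}              # username -> time the lockout ends

    def is_locked(self, username, now):
        return self._locked_until.get(username, 0) > now

    def login(self, username, password, now):
        """Returns 'locked', 'ok' or 'denied'. `now` is a unix timestamp passed
        in by the caller so the behaviour is deterministic and testable."""
        if self.is_locked(username, now):
            return "locked"          # refuse before even checking the password
        stored = USERS.get(username, "")
        # Constant-time compare, run for unknown users too, so response timing
        # does not reveal which usernames exist.
        matched = hmac.compare_digest(stored.encode(), password.encode())
        if username in USERS and matched:
            self._failures.pop(username, None)   # success clears the counter
            return "ok"
        recent = [t for t in self._failures[username] if now - t < self.window]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self._failures.pop(username, None)
            return "locked"
        return "denied"
```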