From: "Larry Kavounas" <[EMAIL PROTECTED]>
I would like to prevent (if possible) hackers from viewing the source,
finding the INPUT field names, and writing a script that honors me with a
few hundred thousand gratuitous login posts per minute.

Not going to work. In the end, the browser needs to be able to know the
input field names, so it can send a string back to you. So it's entirely
possible to get that information by spying on the HTTP traffic going in and
out. Even public key encryption isn't going to help you here, as the
browser needs to decrypt the name and re-encrypt it to return it, meaning that
at some point the plain text of the name is in RAM.

What you want is basically security through obscurity. It's not real security,
and while putting it in as an extra level won't hurt, relying on it *will*
bite you on the ass. Worse, it'll bite your customers.

Here's the real answer: log the login attempts to a database with their IP,
account name, and time. If more than X requests come in Y minutes, block
the IP for an hour. If an account Z becomes blocked on more than 1 IP, lock
the account. If an IP becomes blocked N times, block it for a much longer
period. If an account gets login attempts from more than M computers in a
given time period, lock it. Basically limit the number of times a bad guy can
try to log on, and you don't need to worry about dictionary attacks.
Gabe
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
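The throttling rules Gabe describes, as an added example that is not part of the thread (in-memory instead of a database; the thresholds X, Y, N, M and the block durations are assumed constructor defaults, and the "given time period" for the M rule is assumed to be the same Y-minute window):

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Limit login attempts by IP and by account, following the rules in the reply.
    Timestamps are seconds; state is kept in memory (assumed; a DB works the same way)."""

    def __init__(self, x=5, y_minutes=10, n=3, m=3, ip_block=3600, long_block=86400):
        self.x, self.window = x, y_minutes * 60      # X attempts per Y minutes
        self.n, self.m = n, m                          # N blocks -> long block; M IPs -> lock
        self.ip_block, self.long_block = ip_block, long_block
        self.attempts = defaultdict(deque)             # ip -> timestamps inside the window
        self.account_ips = defaultdict(dict)           # account -> {ip: last seen}
        self.ip_blocked_until = {}                     # ip -> expiry timestamp
        self.ip_block_count = defaultdict(int)         # ip -> how often it has been blocked
        self.account_blocked_ips = defaultdict(set)    # account -> IPs blocked while hitting it
        self.locked_accounts = set()

    def _block_ip(self, ip, now):
        self.ip_block_count[ip] += 1
        # An IP blocked N times or more gets the much longer block.
        dur = self.long_block if self.ip_block_count[ip] >= self.n else self.ip_block
        self.ip_blocked_until[ip] = now + dur

    def check(self, ip, account, now):
        """Record one login attempt; return (allowed, reason). Call before verifying the password."""
        if account in self.locked_accounts:
            return False, "account locked"
        if self.ip_blocked_until.get(ip, 0) > now:
            return False, "ip blocked"
        q = self.attempts[ip]
        q.append(now)
        while q and q[0] <= now - self.window:        # drop attempts older than Y minutes
            q.popleft()
        ips = self.account_ips[account]
        ips[ip] = now
        for stale in [k for k, t in ips.items() if t <= now - self.window]:
            del ips[stale]
        if len(q) > self.x:                            # more than X attempts in Y minutes
            self._block_ip(ip, now)
            self.account_blocked_ips[account].add(ip)
            if len(self.account_blocked_ips[account]) > 1:   # blocked on more than 1 IP
                self.locked_accounts.add(account)
                return False, "account locked"
            return False, "ip blocked"
        if len(ips) > self.m:                          # more than M computers on one account
            self.locked_accounts.add(account)
            return False, "account locked"
        return True, "ok"
```

Successful logins should also go through `check`, since the rules count all attempts, not only failures.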