[EMAIL PROTECTED] (Mark Imbriaco) wrote:

>On Thu, 6 Apr 2000, Gunther Birznieks wrote:
>
>> Vivek,
>> 
>> Is it possible that a special auth handler could be written that
>> stores the number of bad authorizations for a userid and the last
>> time of the hit in a DBM file for quick lookup? Then, configure an
>> environment or server variable if the auth screwed up more than 3
>> times within the last hour (or some other prespecified time)?
>> 
>> Although HTTP is stateless, the username would at least tend to
>> remain constant in most cases of hacking or user problems I would
>> think.
>
>That opens up a nasty Denial of Service attack though.  All I have to
>do is try to log into the "gunther" account three times in rapid
>succession with a bogus password, and WHAM, the real Gunther is locked
>out.  Granted, it's possible to work around this, but the best way is
>probably going to be cookie based like Vivek suggested.

I should point out that if someone feels the need to use a 3-strikes system,
then cookies are inherently a bad decision unless you get really fancy. 
3-strikes means you don't trust the user and you're trying to prevent attacks
where lots of passwords are tried.  And if the user isn't trusted, then you
shouldn't trust the user to send a nice little cookie back every time he/she
tries to log in.  It's quite easy to write a LWP script or whatever that tries
to log in using lots of passwords without sending cookies, or that sends bogus
cookies.

One could circumvent this by requiring a cookie (even for the first attempt),
and never sending the same cookie out of your server more than once.  Which
means you'd need some kind of counter or something, which means you're using a
database, which means you might as well just use the simple database scheme as
originally suggested.

It's also difficult to implement a lockout time with cookies, because the user
could just quit the browser & relaunch to clear cookies.


  -------------------                            -------------------
  Ken Williams                             Last Bastion of Euclidity
  [EMAIL PROTECTED]                            The Math Forum


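The scheme the thread argues over, as an added example that is not code from any of the posters: a 3-strikes handler that keeps a per-username failure count and last-failure timestamp in a DBM file, locks the account after three failures within an hour, and is keyed only on the username, so the lockout-as-denial-of-service property Mark describes can be reproduced directly. The `USERS` table, the plaintext password comparison and every function name are assumptions made for the demo.

```python
"""Added example (not from the thread): a 3-strikes failed-login tracker
backed by a DBM file, as Gunther described, keyed on the username alone
so the lockout DoS that Mark points out can be observed."""
import dbm
import os
import tempfile
import time

MAX_FAILURES = 3        # strikes before lockout
WINDOW_SECONDS = 3600   # "within the last hour"

# Constructed credential table for the demo. Plaintext only to keep the
# example short; a real handler would compare against a password hash.
USERS = {"gunther": "correct-horse", "vivek": "battery-staple"}


class FailureTracker:
    """Stores 'count:last_failure_epoch' per username in a DBM file."""

    def __init__(self, path):
        self.path = path

    def _read(self, db, user):
        raw = db.get(user.encode())
        if raw is None:
            return 0, 0.0
        count, last = raw.decode().split(":")
        return int(count), float(last)

    def record_failure(self, user, now=None):
        now = time.time() if now is None else now
        with dbm.open(self.path, "c") as db:
            count, last = self._read(db, user)
            if now - last > WINDOW_SECONDS:
                count = 0           # earlier strikes have expired
            count += 1
            db[user.encode()] = f"{count}:{now}".encode()
            return count

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        with dbm.open(self.path, "c") as db:
            count, last = self._read(db, user)
        return count >= MAX_FAILURES and now - last <= WINDOW_SECONDS

    def clear(self, user):
        with dbm.open(self.path, "c") as db:
            key = user.encode()
            if key in db:
                del db[key]


def attempt_login(tracker, user, password, now=None):
    """Returns 'locked', 'ok' or 'bad'. The lockout is checked before the
    password so a locked account cannot be probed further."""
    if tracker.is_locked(user, now):
        return "locked"
    if USERS.get(user) == password:
        tracker.clear(user)
        return "ok"
    tracker.record_failure(user, now)
    return "bad"


def demo_lockout_dos():
    """Three bogus guesses at 'gunther' lock out the real password until
    the one-hour window has passed. Timestamps are constructed."""
    path = os.path.join(tempfile.mkdtemp(), "authfail")
    t = FailureTracker(path)
    t0 = 1_000_000.0
    attacker = [attempt_login(t, "gunther", "guess", now=t0 + i) for i in range(3)]
    victim_now = attempt_login(t, "gunther", "correct-horse", now=t0 + 10)
    victim_later = attempt_login(t, "gunther", "correct-horse",
                                 now=t0 + WINDOW_SECONDS + 11)
    return attacker, victim_now, victim_later


if __name__ == "__main__":
    print(demo_lockout_dos())
```

Because the DBM key is the bare username, anyone who can reach the login form can push a victim's counter to three; the file-backed counter does, on the other hand, survive a browser restart, which is exactly the lockout-time problem Ken raises for the cookie variant.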