I'm totally against captcha. It's annoying for users and just one more obstacle for criminals - they will always find a way to break it. What I really suggest is:

1) use HTTPS (obviously)
2) require your users to have a strong password
3) if your user tries to log in more than X times, disable his/her account and redirect them to some "Forgot your password?" page. And they will have to answer some question related to their profile to get an email with a link to reset their password.

This is how I usually code websites with user/password support.

The reason I don't like captcha is that I want to let power users use the browser's password remembering feature, and most of them hate having to type again some silly word drawn on some silly image. And I also don't want to annoy non-power users, but still protect them. :-)

-----Original Message-----
From: Maarten Bosteels [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2008 3:37 PM
To: users@wicket.apache.org
Subject: Re: Thread.sleep() for only one session

If you're trying to defend against a brute-force password guessing attack, you could add a captcha to your logon form after x failed login attempts from one IP address.

Maarten

On Fri, Dec 5, 2008 at 5:20 PM, Jeremy Thomerson <[EMAIL PROTECTED]> wrote:
> You definitely do NOT want to intentionally sleep a thread - that halts the
> request, and uses up your thread pool. You instead want the request to
> complete, but you don't want to allow them to continue trying. So, that
> being said, you could:
>
> 1 - add a value to their session like "private long blockedFromSignInUntil"
> and when they've exceeded your threshold, set that for ten minutes future.
> This isn't bulletproof since they could start a new session by using a new
> window / browser / blowing away cookies.
> 2 - if it's on a per-username (rather than a per-session) basis, add a
> similar value to the user - not allowed signin until.... This is probably
> better anyway, because if I'm "nefarious guy" and I'm trying to sign in to
> "mr nice guy" account, you lock "mr nice guy" account because you are in
> fact detecting an identity theft attempt.
> 3 - you could do a combo of the above so that I, "nefarious guy" when I get
> blocked from "mr nice guy" account, can't move on to "mr unsuspecting"
> account.
>
> Then, just have your sign in form be aware of that value in session or user
> and not allow a sign in to that account or from that session until the
> timeout is expired.
>
> But as a general rule of thumb, never use Thread.sleep in a web app -
> especially somewhere in the request cycle. It'll be shooting yourself in
> the foot.
>
> Hope this helps,
>
> --
> Jeremy Thomerson
> http://www.wickettraining.com
>
>
> On Fri, Dec 5, 2008 at 9:46 AM, Anton Veretennikov <
> [EMAIL PROTECTED]> wrote:
>
> > Hello all Wicket users.
> >
> > One more question today.
> > I need to implement appearance of sleep if "user" (session, IP
> > address) tries incorrect login many times.
> > Thread.sleep() seems to stop all sessions at once. Any ideas?
> >
> > Thank you!
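Jeremy's per-session and per-username "blocked until" values, and the combination of the two, as an added example that is not code from this thread or from Wicket: a plain Java class that stamps a lockout instant on both keys once a threshold is reached, is consulted by the sign-in form before the password is checked, and never calls Thread.sleep. The session id and username strings, the threshold of 5 and the ten-minute block are assumptions.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-session and per-username sign-in lockout; the request completes normally, nothing sleeps. */
public final class SignInThrottle {
    private static final int MAX_FAILURES = 5;                        // assumed threshold
    private static final Duration BLOCK_FOR = Duration.ofMinutes(10); // "ten minutes future"
    private static final class State {
        int failures;
        Instant blockedUntil = Instant.EPOCH;   // the "blockedFromSignInUntil" value from the thread
    }
    private final Map<String, State> bySession = new ConcurrentHashMap<>();
    private final Map<String, State> byUser = new ConcurrentHashMap<>();
    private final Clock clock;                  // injected so the timeout can be tested without waiting
    public SignInThrottle(Clock clock) { this.clock = clock; }

    /** Check this before verifying the password: blocked if either the session or the account is. */
    public boolean isBlocked(String sessionId, String username) {
        Instant now = clock.instant();
        return blocked(bySession.get(sessionId), now) || blocked(byUser.get(username), now);
    }
    private static boolean blocked(State s, Instant now) {
        return s != null && now.isBefore(s.blockedUntil);
    }

    /** Count a failure against both keys; the session counter is what stops one caller
     *  from moving on to the next account after the first one locks (the "combo" option). */
    public void recordFailure(String sessionId, String username) {
        Instant now = clock.instant();
        State[] hits = { bySession.computeIfAbsent(sessionId, k -> new State()),
                         byUser.computeIfAbsent(username, k -> new State()) };
        for (State s : hits) {
            synchronized (s) {
                if (++s.failures >= MAX_FAILURES) {
                    s.blockedUntil = now.plus(BLOCK_FOR);
                    s.failures = 0;             // the timestamp, not the counter, enforces the block
                }
            }
        }
    }

    /** A successful sign-in clears both counters. */
    public void recordSuccess(String sessionId, String username) {
        bySession.remove(sessionId);
        byUser.remove(username);
    }
}
```

The per-session map lives in one JVM, so on a clustered deployment the per-username state at least belongs in the user record or a shared store, as Jeremy's option 2 suggests.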