Quote:
Originally Posted by bubbsy
I thought that in this day and age, all password authentication on the web has some sort of a lockout mechanism after X tries that keeps you from logging in for a period of time or after an added layer of authentication...
Hahahahaha!!
But yeah you don't even need to do that, just make it take 500ms to try a password. User doesn't care, trying a million dictionary words all of a sudden takes a really really long time. And have monitoring to alert ops of inordinate retries.
Quote:
Originally Posted by bubbsy
although not sure a "captcha" would be sufficient if this was an automated tool attack.
Yeah captchas can help but even many of those are broken (i.e. machine readable).
Even two-factor authentication, I've read, doesn't apply to backups and photostreams on iCloud.
Security is hard.
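A sketch of the two controls suggested in the post above (a fixed 500 ms cost per password attempt, plus monitoring that alerts on inordinate retries), added here as an example and not code from the poster or from any particular service. The class name, the alert threshold and window, and the sample account are assumptions; note that a per-attempt delay only slows serial guessing, which is why the failure counter sits beside it.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque

ATTEMPT_DELAY_S = 0.5    # the 500 ms per try suggested in the post
ALERT_THRESHOLD = 5      # assumed: failures per account that count as "inordinate"
ALERT_WINDOW_S = 60.0    # assumed: sliding window for counting failures

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ThrottledLogin:  # hypothetical name, for illustration only
    def __init__(self, users, sleep=time.sleep, clock=time.monotonic, alert=print):
        self.users = users                      # username -> (salt, password hash)
        self.sleep, self.clock, self.alert = sleep, clock, alert
        self.failures = defaultdict(deque)      # username -> recent failure times

    def attempt(self, username, password):
        self.sleep(ATTEMPT_DELAY_S)             # paid on every try, success or failure
        # Unknown users get a dummy record so they cost the same work as real ones.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if not ok:
            self._record_failure(username)
        return ok

    def _record_failure(self, username):
        now = self.clock()
        window = self.failures[username]
        window.append(now)
        while window and now - window[0] > ALERT_WINDOW_S:
            window.popleft()                    # forget failures outside the window
        if len(window) == ALERT_THRESHOLD:      # alert once when the threshold is crossed
            self.alert(f"ALERT: {len(window)} failed logins for {username!r} "
                       f"within {ALERT_WINDOW_S:.0f}s")

def demo():
    """Constructed sample: one account, a six-word guess list, fake sleep and clock."""
    salt = os.urandom(16)
    users = {"alice": (salt, hash_password("correct horse", salt))}
    slept, alerts, now = [], [], [0.0]
    def fake_sleep(seconds):                    # advance the fake clock instead of waiting
        slept.append(seconds)
        now[0] += seconds
    login = ThrottledLogin(users, fake_sleep, lambda: now[0], alerts.append)
    guesses = ["123456", "password", "qwerty", "letmein", "dragon", "correct horse"]
    return [login.attempt("alice", g) for g in guesses], sum(slept), alerts

if __name__ == "__main__":
    print(demo())
```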