Preventing Password Attacks
Posted: 2006-07-26 11:42
Tags: OpenID, Python
I was reading .net magazine today (which has an excellent article about Jon Hicks' new redesign, by the way) and it makes a good point about slowing down password-guessing attacks (brute-force or dictionary attacks against a login form): simply add a sleep(3) after each failed attempt, so that the attacker has to wait three seconds before trying again. Update: the downside is that the sleeping request still occupies a worker thread, so an attacker who sends many failed logins at once can exhaust the thread pool and turn the delay into a denial of service attack.
Of course, the attacker might just open lots of separate connections to the site, so that each connection can try a different password while the others are waiting. This too can be prevented if your authentication code supports locking the account for a few seconds after a failed attempt, so that every attempt against that account has to wait, however many connections are used. The lock check should reject the request immediately rather than sleep, so that it does not hold a thread. The trade-off is that anyone who can send failed logins for a username can keep that account locked, so the lock window must stay short. Expect to see this new feature added to Pylons AuthKit soon.
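As an added illustration (example code written for this page, not AuthKit's own code or API), here is a per-account lockout in Python that follows the approach above but refuses attempts during the lock window immediately instead of sleeping, so a flood of failed logins cannot tie up worker threads. The PBKDF2 password store, the username alice, the low iteration count and the simulated timeline are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Hypothetical example of a per-account lockout (not AuthKit's real API).
# A locked account is refused before any password check, so the wait costs
# the server nothing and parallel connections cannot hold worker threads.

PBKDF2_ITERATIONS = 20_000  # kept low for the demo; use a much higher count in production


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # simulated/monotonic time when the lock expires


class LoginThrottle:
    """Locks an account for lock_seconds after every failed attempt."""

    def __init__(self, lock_seconds=3.0, clock=time.monotonic):
        self.lock_seconds = lock_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self.state = {}     # username -> AccountState

    def is_locked(self, username, now):
        st = self.state.get(username)
        return st is not None and now < st.locked_until

    def record_failure(self, username, now):
        st = self.state.setdefault(username, AccountState())
        st.failures += 1
        st.locked_until = now + self.lock_seconds

    def record_success(self, username):
        self.state.pop(username, None)


def make_record(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record for the (constructed) user store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login(throttle, users, username, password, now=None):
    """Returns 'locked', 'ok' or 'bad'. The lock check runs first and returns
    at once, so a locked request neither hashes a password nor sleeps."""
    now = throttle.clock() if now is None else now
    if throttle.is_locked(username, now):
        return "locked"
    record = users.get(username)
    if record is not None and verify(record, password):
        throttle.record_success(username)
        return "ok"
    # Unknown usernames are throttled too, so the lockout cannot be used to
    # discover which accounts exist.
    throttle.record_failure(username, now)
    return "bad"


def run_timeline(events, lock_seconds=3.0):
    """Replay (time, username, password) events against a fresh store and
    throttle and return one outcome per event. Times are simulated seconds."""
    users = {"alice": make_record("correct horse battery staple")}
    throttle = LoginThrottle(lock_seconds=lock_seconds, clock=lambda: 0.0)
    return [login(throttle, users, user, pw, now=t) for t, user, pw in events]


if __name__ == "__main__":
    # Constructed scenario: an attacker fires three guesses over parallel
    # connections from t=0, then the real user logs in just before and just
    # after the three second lock expires.
    timeline = [
        (0.0, "alice", "password"),
        (0.0, "alice", "123456"),
        (0.5, "alice", "letmein"),
        (2.9, "alice", "correct horse battery staple"),
        (3.0, "alice", "correct horse battery staple"),
    ]
    for event, outcome in zip(timeline, run_timeline(timeline)):
        print(f"t={event[0]:>4} {event[1]:<6} -> {outcome}")
```

Only the first guess is ever checked against the password hash; the rest are turned away before any hashing. Note that the legitimate login at t=2.9 is refused as well: that is the lockout trade-off mentioned above, and the reason the window should be a few seconds rather than minutes.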