[clug] looking for webmail with catcha

David Schoen neerolyte at gmail.com
Tue May 26 07:28:56 GMT 2009

I think an arguably better plan is to have something like 3 strikes and
you're out. Even if it just locks out for 15 minutes you're making it a lot
harder to guess passwords.

You should be able to have something look through the logs and block any IP
that locks out more than one account.

Also, In most systems you can enforce rules like minimum length. Minimum
required numbers/symbols/uppercase.

As far as I'm aware captchas were only ever designed for stopping people
from self serve signing up to accounts and some similar activities, but even
that is basically failing these days.

- Dave

2009/5/26 jm <jeffm at ghostgun.com>

> Anti-login robots. Users choose poor passwords and it's not within my power
> to have them "educated." This leaves us vulnerable to simple dictionary
> attacks. At least a human attacker may tire and go else where. I am open to
> better ideas.
> Jeff.

More information about the linux mailing list