[clug] looking for webmail with catcha

Francis Markham fmarkham at gmail.com
Tue May 26 09:45:53 GMT 2009


Firstly, captchas are annoying and detrimental to accessibility.
However, they do stop spambots (at least until they break your captcha
or pay/trick some humans into solving them).

Other possible solutions include:

* "I think an arguably better plan is to have something like 3 strikes
and you're out. Even if it just locks out for 15 minutes you're
making it a lot harder to guess passwords."

The problem with this is that people can deny service to a particular
user by simply attempting to log in with incorrect credentials.  This
is particularly bad for a webmail system as user names are often
public knowledge.


* "You should be able to have something look through the logs and block any IP
that locks out more than one account."

Unfortunately, one IP does not equal one user.  If you assume they do
you will get false positives in the form of people sharing IP
addresses (i.e. at corporations or universities) blocking each other
and false negatives, in the case of when a botnet is trying to spam you.


Thus, a captcha system starts to look attractive again.  Its problems
can be worked around (until it is broken, that is) to an extent.  You
can do what gmail does and only display a captcha after three failed
log in attempts.  You can also try the audio captcha or simple logical
question and answer approaches for accessibility.  And to improve the
effectiveness of these measures you should implement rate-limiting.
Instead of a "three strikes and you're out" system, you can have a
timeout of 1 second before the second log in attempt, 2 seconds before
the second, 4 seconds before the third, 8 seconds before the fourth
with a ceiling you think is an appropriate trade-off (1 minute?).

Even though this approach isn't perfect or determined-intruder-proof,
it should give reasonable results with a minimum of annoyance for your
users.

-Francis

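One way to implement the escalating timeout described above, keyed per account (not per IP, for the reasons given earlier in the post) and with gmail-style captcha gating after three failures. This is an added example, not code from the thread: the 1-second base and 1-minute ceiling come from the post, while the class, function names and the injectable clock are my own assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

BACKOFF_BASE_SECONDS = 1.0      # delay before the 2nd attempt (from the post)
BACKOFF_CEILING_SECONDS = 60.0  # the "1 minute?" ceiling suggested in the post
CAPTCHA_AFTER_FAILURES = 3      # gmail-style: captcha only after three failures


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0


class LoginThrottle:
    """Per-account exponential backoff with a captcha flag.

    Keyed on the account rather than the source IP, because one IP does not
    equal one user (shared NAT at a university, or a botnet spread over many).
    The ceiling bounds the worst-case annoyance an attacker can inflict on a
    legitimate user, unlike a 15-minute hard lockout.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock                      # injectable for testing
        self._accounts: Dict[str, AccountState] = {}

    def required_delay(self, failures: int) -> float:
        """0s, then 1s, 2s, 4s, 8s ... capped at the ceiling."""
        if failures == 0:
            return 0.0
        return min(BACKOFF_BASE_SECONDS * 2 ** (failures - 1), BACKOFF_CEILING_SECONDS)

    def check(self, username: str) -> dict:
        """Gate decision for an attempt; call before verifying credentials."""
        st = self._accounts.get(username, AccountState())
        wait = self.required_delay(st.failures)
        remaining = max(0.0, st.last_failure + wait - self._clock())
        return {"allowed": remaining == 0.0, "retry_after": remaining,
                "captcha_required": st.failures >= CAPTCHA_AFTER_FAILURES}

    def record(self, username: str, success: bool) -> None:
        """Update state after credentials were actually checked."""
        if success:
            self._accounts.pop(username, None)   # reset on a good login
            return
        st = self._accounts.setdefault(username, AccountState())
        st.failures += 1
        st.last_failure = self._clock()
```

Attempts refused by `check` are not recorded as failures, so hammering a throttled account does not push its delay further out; only attempts that actually reach credential verification count.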

2009/5/26 David Schoen <neerolyte at gmail.com>
>
> I think an arguably better plan is to have something like 3 strikes and
> you're out. Even if it just locks out for 15 minutes you're making it a lot
> harder to guess passwords.
>
> You should be able to have something look through the logs and block any IP
> that locks out more than one account.
>
> Also, In most systems you can enforce rules like minimum length. Minimum
> required numbers/symbols/uppercase.
>
> As far as I'm aware captchas were only ever designed for stopping people
> from self serve signing up to accounts and some similar activities, but even
> that is basically failing these days.
>
> - Dave
>
> 2009/5/26 jm <jeffm at ghostgun.com>
>
> > Anti-login robots. Users choose poor passwords and it's not within my power
> > to have them "educated." This leaves us vulnerable to simple dictionary
> > attacks. At least a human attacker may tire and go else where. I am open to
> > better ideas.
> >
> > Jeff.
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

