A common method of gaining access to an account is a brute-force attack. That means on a login page, you enter a username and then put in a guessed password. If it fails, you repeat. And repeat. Ad nauseam. If the user has a simple password (e.g. ‘food’ or ‘password’), after enough attempts you will eventually guess the right one.
So to stop such behavior, software like vBulletin gives you five tries to get it right. If you fail, you get locked out.
Facebook extended it intelligently - if you fail enough times (I think I failed six times), it doesn’t just lock you out - it also redirects you to the password reset feature. Fill that out, and voila! You are back into business.
A nice little touch since vBulletin (and similar) lock you out for 15 minutes, regardless of you trying to reset your password.
Just a nice UI touch to have.
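To make the mechanism concrete, here is an added example (my own code, not vBulletin's or Facebook's) of a per-account lockout like the one described above: five failed attempts lock the account for 15 minutes, a correct password during the lockout is still refused, and a locked account is pointed at the password reset flow, which clears the lock once completed. The `LoginGuard` class, the constructed `alice`/`food` credentials, the injectable `clock` and the in-memory state are all assumptions for the demonstration; a real site would store password hashes rather than plaintext and keep the counters in shared storage.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # five tries, as the post describes for vBulletin
LOCKOUT_SECONDS = 15 * 60   # 15-minute lockout, as the post describes


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Hypothetical per-account failed-login counter with a timed lockout.

    passwords: constructed username -> password mapping (a real system would
               store salted hashes and compare against those).
    clock:     callable returning the current time; injectable for testing.
    """

    def __init__(self, passwords, clock=time.time):
        self._passwords = dict(passwords)
        self._clock = clock
        self._state = {}

    def _state_for(self, username):
        return self._state.setdefault(username, AccountState())

    def is_locked(self, username):
        return self._clock() < self._state_for(username).locked_until

    def login(self, username, password):
        """Return (status, hint) where status is 'ok', 'denied' or 'locked'."""
        st = self._state_for(username)
        now = self._clock()
        if now < st.locked_until:
            # vBulletin-style: refused even with the right password;
            # Facebook-style: send the user to the reset flow instead of a dead end.
            return "locked", "reset"
        expected = self._passwords.get(username, "")
        if username in self._passwords and hmac.compare_digest(expected, password):
            st.failures = 0
            return "ok", None
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked", "reset"
        return "denied", f"{MAX_ATTEMPTS - st.failures} attempts left"

    def reset_password(self, username, new_password):
        """Called only after the reset flow has verified the user (assumed here);
        completing it clears the lockout so the user is back in business."""
        self._passwords[username] = new_password
        st = self._state_for(username)
        st.failures = 0
        st.locked_until = 0.0


if __name__ == "__main__":
    # Constructed walkthrough with a fake clock so the 15 minutes pass instantly.
    fake_now = [1_000_000.0]
    guard = LoginGuard({"alice": "food"}, clock=lambda: fake_now[0])
    for guess in ["pass", "1234", "qwerty", "letmein", "secret"]:
        print(guess, "->", guard.login("alice", guess))
    print("correct password while locked ->", guard.login("alice", "food"))
    guard.reset_password("alice", "correct horse battery staple")
    print("after reset ->", guard.login("alice", "correct horse battery staple"))
```

Because the lock is keyed on the username alone, anyone who knows a username can trigger it; this is exactly the lockout-as-denial-of-service concern raised in the comments, and the reset redirect limits the damage by letting the legitimate user recover without waiting out the timer.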
2 Responses to: Nice little ‘too many login attempts’ move by Facebook
Dave (lurker)
February 1st, 2008 at 1:44 pm
Although I always liked the security aspects of a lockout feature, it can also be used as a denial of service weapon. Imagine a bot repeatedly going through a list of users, trying passwords until locked out, then moving to the next user. Pretty soon, everyone is locked out, including the admin!
James Simmons (newbie)
March 3rd, 2008 at 9:22 am
Good point Dave.
Of course, attempting to brute force the password would also possibly result in a DoS event (although of another nature).