Re: little request :)

Date: Fri, 07 Feb 2014 07:41:32 +0000
Subject: Re: little request :)
Groups: php.internals
> If your site is vulnerable to a 'timed attack' then something else
> is wrong? 

It's a valid point: a site that locks out accounts after just a few
failures is not vulnerable to an attack that requires a considerable
volume of trials against the same account.

However, even though account lockout policies are common on internal
networks (where intruders may be physically tracked), not everyone with
a public website can be so punitive. You are basically publishing a
DoS recipe if your site works this way. In addition, accounts that are
whitelisted from being locked out (if any) are usually the most
sensitive ones.

Yet I acknowledge that some high-profile web apps (LogMeIn comes to
mind) do have quick lockout policies. Nevertheless, you should not use
rapid account lockouts to combat timing attacks if other measures
exist. Security measures should not be so interlocked or accidental.

-- Sandy

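The two points above in code, as an added example that is not part of the thread: an early-exit comparison is what a timing attack measures, a constant-time comparison removes that signal without any lockout policy, and a per-source delay throttles guessing without handing strangers a way to lock the victim out. It assumes the "other measures" Sandy refers to include a constant-time comparison such as PHP's hash_equals(); the function names and the in-memory failure store are constructed for the example.

```php
<?php
// Early-exit comparison: returns as soon as a byte differs, so the
// runtime reveals how long the matching prefix was (the timing leak).
function leaky_equals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return false;          // time spent depends on secret data
        }
    }
    return true;
}

// Constant-time comparison: always walks the whole string and
// OR-accumulates the XOR of every byte pair, so there is no branch on
// secret data. This is what hash_equals() (PHP >= 5.6) provides.
function constant_time_equals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;              // length of a fixed-size token is not secret
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Throttle without locking the account: the delay grows with consecutive
// failures from one source, so a third party cannot lock out a victim by
// guessing against their account. $failures is a constructed in-memory
// stand-in for a shared cache keyed by source address.
function failure_delay_seconds(array &$failures, string $source): int
{
    $n = $failures[$source] ?? 0;
    $failures[$source] = $n + 1;
    return min(2 ** $n, 60);       // 1, 2, 4, ... seconds, capped at 60
}

$expected = hash('sha256', 'example-token');    // constructed secret
$attempt  = hash('sha256', 'wrong-token');
$store    = [];
var_dump(constant_time_equals($expected, $attempt));   // bool(false)
var_dump(failure_delay_seconds($store, '198.51.100.7')); // int(1)
var_dump(failure_delay_seconds($store, '198.51.100.7')); // int(2)
```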