
Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you?

RIBrsiq

Re: Isn't that what makes their products so intuitive to use?

There's a lot that can be done to make brute-force attacks useless before locking an account. Wait timers are good and simple. A lousy one minute delay between attempts would completely kill a brute force attack, while it would be just an inconvenience to the user. So:

0- Enforce password complexity. Should be simple when you already know everything about your user: "No, you cannot use that password because it was the name of your 3rd grade teacher's pet gerbil"... ;)

1- Start with a one second wait and double it with every failure. Cap at 128 seconds or something, to keep things sane. Else you'll very quickly effectively lock the account.

2- Lock the account only when hundreds of attempts are made in a single day or some such.

The details will vary and some fine-tuning will definitely be required based on the type of data, users, actual usage experience and whatever other attack vectors might exist (brute force attacks vs. denial of service, for example), but you see the basics. Not complex.
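The backoff-then-lock policy sketched in the comment above, written out as an added example (not the commenter's code): a one second wait that doubles per consecutive failure, capped at 128 seconds, with the account locked once the attempts in a sliding one-day window reach a threshold. The threshold of 200 per day, the in-memory state store and the `check_password` callback are this example's own assumptions.

```python
from dataclasses import dataclass, field

INITIAL_DELAY = 1.0          # first wait after a failure, in seconds
MAX_DELAY = 128.0            # cap so an account is never effectively locked by backoff alone
DAILY_LOCK_THRESHOLD = 200   # assumption: "hundreds of attempts in a single day"
DAY = 86400.0


@dataclass
class AccountState:
    consecutive_failures: int = 0
    last_failure_at: float = 0.0
    attempt_times: list = field(default_factory=list)  # timestamps inside the last day
    locked: bool = False


class LoginThrottle:
    def __init__(self, check_password):
        self._check = check_password   # callable(user, password) -> bool (assumed)
        self._state = {}

    def required_delay(self, failures):
        """Seconds a caller must wait after `failures` consecutive failures."""
        if failures == 0:
            return 0.0
        return min(INITIAL_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, user, password, now):
        """Returns 'ok', 'denied', 'too_early' or 'locked'; `now` is a unix timestamp."""
        st = self._state.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        # every attempt, even one rejected for arriving too early, counts towards the daily lock
        st.attempt_times = [t for t in st.attempt_times if now - t < DAY]
        st.attempt_times.append(now)
        if len(st.attempt_times) >= DAILY_LOCK_THRESHOLD:
            st.locked = True
            return "locked"
        if now - st.last_failure_at < self.required_delay(st.consecutive_failures):
            return "too_early"     # inside the backoff window: the password is not even checked
        if self._check(user, password):
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        st.last_failure_at = now
        return "denied"
```

Because an early retry does not push `last_failure_at` forward, a legitimate user who retries too soon is not penalised further, while a guessing client still gets only one password check per backoff window.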
