Reply to post: Re: It only makes it easier to crack...

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows


Re: It only makes it easier to crack...

I don't think it necessarily implies the storing of failed logins.

One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds. There's nothing stored, the entity attempting to login wouldn't attempt another. For this to work though a successful login response time may have to be randomized so that the bot doesn't immediately know after 2 seconds that its guess wasn't correct. On the plus side, radomized response times might help load balancing.

I have to admit, I'm not sure how websites handle simultaneous attempts at logging in with the same username - if it's allowed as multiple sessions or if there's a check to see if the user is already logged in. I suspect that this is implementation dependent as I've seen different behaviours from different sites.

Well, I'm sure nothing will come of the suggestion anyways, as with most security, it requires additional work (and money) which we all know businesses don't deem necessary. Not to mention the endless bitching from endusers that will result when it takes an additional second or two to login..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019