undefined | Better HN

0 pointsuserbinator6y ago0 comments

So attackers cannot password spray. This is typically after attackers has gotten access to the latest database breach, and are just blindly trying username/password combinations.

A simple ratelimit takes care of that. Plus, it's not like attackers would be easily defeated by a CAPTCHA anyway --- there are services selling batches of valid tokens, likely generated by actual humans or very close emulations thereof, for ReCAPTCHA.

0 comments

DownGoat6y ago

CAPTCHA is not a fool proof, it is just the first layer in of defence in the signup/login form. CAPTCHAS increases the cost of password spraying, attackers can't simply fire up Hydra. They'll need additional tools and services which costs money.

Captcha solving service also has other costs than just the money it costs. It adds time costs and additional resource usage on the machines it is running on. A quick look at a service[1] shows that the average response for a challenge was 40 seconds (this value changed a lot when refreshing the page). The attacker has now gone from the 200ms range per attempt to several seconds, slowing the down a lot. This gives defenders additional time to respond, it is also a useful metric for detecting malicious logins.

[1] https://anti-captcha.com/mainpage

atombender6y ago

Rate limit by what? IP? Botnet traffic will originate at random IPs.

basilgohar6y ago

By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.

atombender6y ago

First, that's a bit user-hostile (and suddenly a DoS-vector; I can prevent a site's users from logging in by continuously firing bad password attempts).

Secondly, botnets can, and presumably do, randomize which accounts they try, too.

1 more reply

hombre_fatal6y ago

So I can lock you out of your account with 3 attempts from any IP address?

1 more reply

LaGrange6y ago

> By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

...congratulations, I just locked out all of your users. Have a nice day.

1 more reply

j / k navigate · click thread line to collapse

0 pointsuserbinator6y ago0 comments

So attackers cannot password spray. This is typically after attackers has gotten access to the latest database breach, and are just blindly trying username/password combinations.

0 comments

DownGoat6y ago

[1] https://anti-captcha.com/mainpage

atombender6y ago

Rate limit by what? IP? Botnet traffic will originate at random IPs.

basilgohar6y ago

By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.

atombender6y ago

First, that's a bit user-hostile (and suddenly a DoS-vector; I can prevent a site's users from logging in by continuously firing bad password attempts).

Secondly, botnets can, and presumably do, randomize which accounts they try, too.

1 more reply

hombre_fatal6y ago

So I can lock you out of your account with 3 attempts from any IP address?

1 more reply

LaGrange6y ago

> By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

...congratulations, I just locked out all of your users. Have a nice day.

1 more reply

j / k navigate · click thread line to collapse