Preventing dictionary attacks on a web application
Posted by Kevin Pang on Stack Overflow
Published on 2010-05-07T06:28:12Z
Indexed on 2010/05/07 6:38 UTC
Tag: security
What's the best way to prevent a dictionary attack? I've thought up several implementations, but they all seem to have some flaw in them:
- Lock out a user after X failed login attempts. Problem: easy to turn into a denial of service attack, locking out many users in a short amount of time.
- Incrementally increase response time per failed login attempt on a username. Problem: dictionary attacks might use the same password but different usernames.
- Incrementally increase response time per failed login attempt from an IP address. Problem: easy to get around by spoofing the IP address.
- Incrementally increase response time per failed login attempt within a session. Problem: easy to get around by creating a dictionary attack that fires up a new session on each attempt.
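One way to combine the per-username and per-IP backoff from the question, with a site-wide failure budget added so that a single password sprayed across many usernames (the flaw noted for per-username counting) is still slowed: this is an added example, not code from the post, and the window length, delay schedule, global threshold and injectable clock are assumed values.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Delay-based throttle: exponential backoff per username and per source IP
    (no hard lockout, so one attacker cannot lock out many users), plus a
    site-wide failure budget that catches one-password-many-usernames sprays."""

    def __init__(self, window=600, base_delay=1.0, max_delay=60.0,
                 global_limit=100, clock=time.time):
        self.window = window            # seconds a failure stays counted (assumed)
        self.base_delay = base_delay    # delay after the first failure (assumed)
        self.max_delay = max_delay      # cap so backoff stays bounded (assumed)
        self.global_limit = global_limit  # site-wide failures per window (assumed)
        self.clock = clock              # injectable for tests; time.time by default
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        """Drop failures older than the window and return how many remain."""
        q = self.failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def required_delay(self, username, ip):
        """Seconds the login handler should wait before checking the password."""
        n = max(self._recent(("user", username)), self._recent(("ip", ip)))
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay) if n else 0.0
        # Per-user and per-IP counters are blind to a spray that rotates both;
        # the global counter applies the maximum delay to everyone while it lasts.
        if self._recent(("global",)) >= self.global_limit:
            delay = self.max_delay
        return delay

    def record_failure(self, username, ip):
        now = self.clock()
        for key in (("user", username), ("ip", ip), ("global",)):
            self.failures[key].append(now)

    def record_success(self, username):
        """A correct login clears that user's backoff; IP and global counts stay."""
        self.failures.pop(("user", username), None)
```

The global budget slows legitimate users too while a spray is under way, which is the trade-off for not locking any account outright.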
© Stack Overflow or respective owner