WARNING: This page is archived and not updated. Please bear in mind any information may be incorrect and any code may not work. Use at your own risk.
James Gardner: Home > Blog > 2006 > Preventing Password Attacks

Preventing Password Attacks

Posted: 2006-07-26 11:42
Tags: OpenID, Python

I was reading .net magazine today (which has an excellent article about Jon Hicks' new redesign, by the way) and they have an excellent comment about preventing randomly generated password attacks: simply add a sleep(3) command after each failed attempt so that the hacker has to wait 3 seconds before trying again. Update: The downside of this is that it would be easy to launch a denial of service attack which quickly exhausts any thread pool, since each sleeping request holds a worker thread for the full 3 seconds.

Of course, they might just make lots of separate connections to the site, so that each connection can be trying a different password whilst the others are waiting, but this too can be prevented if your authorisation supports account locking for a few seconds, so that all attempts have to wait. Expect to see this new feature added to Pylons AuthKit soon.
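One way to get the few-second account lock described above without calling sleep() in a worker thread, as an added example (not code from this post or from AuthKit). `AccountThrottle`, `check_password` and the `USERS` table are hypothetical names, and the sample account is constructed.

```python
import hashlib
import hmac
import threading
import time

LOCK_SECONDS = 3  # same delay as the sleep(3) in the post


def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash("correct horse")}  # constructed sample account


def check_password(username, password):
    # Hash first so unknown usernames cost the same work as known ones.
    return hmac.compare_digest(USERS.get(username, b""), _hash(password))


class AccountThrottle:
    """Locks an account after a failed login by storing a deadline, not sleeping."""

    def __init__(self, check=check_password, lock_seconds=LOCK_SECONDS,
                 clock=time.monotonic):
        self._check = check
        self._lock_seconds = lock_seconds
        self._clock = clock
        self._locked_until = {}  # username -> time the lock expires
        self._mutex = threading.Lock()

    def attempt(self, username, password):
        """Return "ok", "denied" or "locked"; never blocks the worker thread."""
        with self._mutex:
            now = self._clock()
            # Drop expired locks so made-up usernames cannot grow the table forever.
            self._locked_until = {u: t for u, t in self._locked_until.items() if t > now}
            if username in self._locked_until:
                return "locked"
            # Claim the lock before checking, so parallel connections
            # guessing the same account are all refused while we verify.
            self._locked_until[username] = now + self._lock_seconds
        if self._check(username, password):
            with self._mutex:
                self._locked_until.pop(username, None)  # success releases the lock
            return "ok"
        return "denied"
```

A locked attempt is refused even when the password is right, so the lock window should stay at the few seconds suggested here rather than minutes.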

