Limit Number of Unsuccessful Logins #suggestion



On Sun, Mar 21, 2021 at 12:16 PM, Glenn Glazer wrote:
we had to implement a randomizer so that the limit is actually some random number between X and Y.
Good idea.
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


Glenn Glazer

On 03/21/2021 11:42, J_Catlady wrote:
On Sat, Mar 20, 2021 at 03:19 PM, Mark Fletcher wrote:
We do indeed have a rate limiter on login requests. I won't say what the current limit is
Mark is an oracle. :) Keep trying until you hit it.
--
J

Where I work, "clever" people outside the company wrote a script to determine this value for our login system. So, we had to implement a randomizer so that the limit is actually some random number between X and Y.

Best,

Glenn

--
#calcare
PG&E Delenda Est



On Sat, Mar 20, 2021 at 03:19 PM, Mark Fletcher wrote:
We do indeed have a rate limiter on login requests. I won't say what the current limit is
Mark is an oracle. :) Keep trying until you hit it.
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu



Hey, I found your book!
https://www.amazon.com/Elementary-Information-Security-Richard-Smith/dp/1284153045?

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


Rick Smith

If there’s to be a hard limit on attempts, I’d recommend something between 10 and 20. If it’s lower, it penalizes those who rarely log in but actually try to remember a password for this particular site.

NIST’s latest password recommendation is a bit more sophisticated: no hard limit on attempts, but the account suffers an increasing delay between logins.

FWIW I wrote a book on this 20 years ago, and my cybersecurity textbook is in its 3rd edition. This doesn’t guarantee I’m right, but I’ve dealt with this question a bit.

Rick Smith.
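The two defensive ideas raised in this thread, the increasing delay between attempts that Rick attributes to NIST's current guidance and the randomized hard limit Glenn's team introduced so that outside probing never observes one fixed number, combined in one login throttle. This is an added example, not code from groups.io or from any poster; the delay values, the limit range, the per-account in-memory store and the out-of-band unlock hook (the e-mail validation step Mike suggested) are all assumptions.

```python
import random
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # earliest clock reading at which the next attempt is accepted
    limit: int = 0            # randomized hard limit, drawn at the first failure
    locked: bool = False      # set once `limit` consecutive failures have accumulated


class LoginThrottle:
    """Per-account throttle: the delay doubles after each failure (no fixed cap on
    attempts), and a hard limit drawn at random from `limit_range` backs it up so
    that counting attempts never reveals a constant threshold."""

    def __init__(self, base_delay=2.0, max_delay=900.0, limit_range=(10, 20),
                 rng=None, clock=time.monotonic):
        self.base_delay = base_delay          # delay after the first failure (seconds, assumed)
        self.max_delay = max_delay            # cap on the doubling delay (seconds, assumed)
        self.limit_lo, self.limit_hi = limit_range
        self.rng = rng or random.SystemRandom()
        self.clock = clock                    # injectable so tests need no real waiting
        self.accounts = {}                    # account -> AccountState (in-memory, illustrative)

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def check(self, account):
        """Call before verifying a password. Returns (allowed, seconds_to_wait);
        a locked account reports an infinite wait until it is unlocked out of band."""
        st = self._state(account)
        if st.locked:
            return False, float("inf")
        wait = st.not_before - self.clock()
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record_failure(self, account):
        st = self._state(account)
        if st.failures == 0:
            st.limit = self.rng.randint(self.limit_lo, self.limit_hi)
        st.failures += 1
        if st.failures >= st.limit:
            st.locked = True      # further attempts refused regardless of timing
            return
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = self.clock() + delay

    def record_success(self, account):
        self.accounts.pop(account, None)      # a good login clears the counter

    def unlock_after_verification(self, account):
        """Out-of-band path (e.g. e-mail confirmation) that clears a lockout."""
        self.accounts.pop(account, None)


class FakeClock:
    """Manually advanced clock so the demo and tests run instantly."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Drive one account through failures until lockout; returns the waits observed."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=2.0, max_delay=16.0, limit_range=(4, 4),
                             rng=random.Random(1), clock=clock)
    waits = []
    for _ in range(3):
        throttle.record_failure("alice")
        waits.append(throttle.check("alice")[1])   # 2, 4, 8 seconds
        clock.advance(waits[-1])                   # a patient client waits it out
    throttle.record_failure("alice")               # fourth failure reaches the limit
    waits.append(throttle.check("alice")[1])       # inf: locked until verified
    return waits


if __name__ == "__main__":
    print(demo())
```

With a doubling delay the legitimate user who mistypes a few times pays seconds, while a guessing script pays minutes per account long before the hard limit, and because the limit is drawn per account from a range rather than fixed, the number an outside script would "discover" differs from one account to the next.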


Mike Hanauer

So glad to hear there is a limit. Should it be lowered? Since I never reached it, my guess is yes.

Consider Better, not Bigger. So many advantages. Just ask. USA adds a Chicago to our overpop each year.
"Still more population growth is not our way to a healthy community, a healthy planet, OR enjoyable cycling."

    ~Mike


On Saturday, March 20, 2021, 06:19:45 PM EDT, Mark Fletcher <markf@corp.groups.io> wrote:


On Sat, Mar 20, 2021 at 3:15 PM Mike Hanauer via groups.io <MGHanauer=yahoo.com@groups.io> wrote:
It appears to me that groups.io has no limit on consecutive unsuccessful logins. This leaves the site open to people and bots guessing passwords and, especially, then using them on other (often financial) accounts of the user. This is a major web security problem. This can also overwhelm the web servers.

We do indeed have a rate limiter on login requests. I won't say what the current limit is, but perhaps I should lower it.

Mark



On Sat, Mar 20, 2021 at 3:15 PM Mike Hanauer via groups.io <MGHanauer=yahoo.com@groups.io> wrote:
It appears to me that groups.io has no limit on consecutive unsuccessful logins. This leaves the site open to people and bots guessing passwords and, especially, then using them on other (often financial) accounts of the user. This is a major web security problem. This can also overwhelm the web servers.

We do indeed have a rate limiter on login requests. I won't say what the current limit is, but perhaps I should lower it.

Mark


Mike Hanauer

It appears to me that groups.io has no limit on consecutive unsuccessful logins. This leaves the site open to people and bots guessing passwords and, especially, then using them on other (often financial) accounts of the user. This is a major web security problem. This can also overwhelm the web servers.

If true, I would suggest a limit of 4 or 5. After that, perhaps validate via an email or some other method.

AllTheBest.