[...] Then again, I don’t really see the brute-force issue to begin with. As long as the server implements a delay of say 1 or 0.5 second per login attempt (which is hardly noticeable for a legitimate user), that would cause as much as a 7 character password to be quite infeasible to crack. Can anyone enlighten me? Or is it a parallel request attack that makes this feasible regardless of the millions of required requests? Or would that cause an effect similar to a DDoS and backfire on the attackers?
Instead of thinking about a distributed dictionary attack against a single user trying many passwords, consider an attack against many users trying few simple passwords. Lots of people out there still use trivial passwords, which is what that kind of attack is targeting.
In the case of a distributed attack against many user accounts, it’s very difficult to track and identify malicious login attempts versus legitimate ones. A delay between login attempts doesn’t help with this style of attack either, sadly.
They are so hard to read it often takes four or so attempts to get it right; they don’t need to be so hard!
Now it’s great; earlier I had to zoom in my screen to read the CAPTCHA.
Instead of thinking about a distributed dictionary attack against a single user trying many passwords, consider an attack against many users trying few simple passwords
If there are 10,000 current password guesses getting fired at the server, then the server has to keep those 10,000 requests open while the delay runs. It wouldn’t really achieve anything with the delay other than putting more load on the server.
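An added example (not from this thread) showing the point of the two replies above: a per-account failure counter never fires against a "many users, few passwords" spray, while a population-level view of the same failed logins does. The log format, usernames and TEST-NET source addresses are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample auth log: one failed attempt per account from many sources.
SAMPLE_LOG = """\
2024-05-01T09:00:01 result=fail user=alice src=203.0.113.10
2024-05-01T09:00:02 result=fail user=bob src=203.0.113.11
2024-05-01T09:00:02 result=fail user=carol src=203.0.113.12
2024-05-01T09:00:03 result=fail user=dave src=203.0.113.13
2024-05-01T09:00:03 result=fail user=erin src=203.0.113.14
2024-05-01T09:00:04 result=fail user=frank src=203.0.113.15
2024-05-01T09:00:05 result=ok user=alice src=198.51.100.7
2024-05-01T09:00:06 result=fail user=grace src=203.0.113.16
2024-05-01T09:00:07 result=fail user=heidi src=203.0.113.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the constructed log lines into dicts; skip lines that don't match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_account_lockout_triggers(events, max_failures=5):
    """Classic per-account counter: accounts that would be locked out."""
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    return sorted(u for u, n in fails.items() if n >= max_failures)


def spray_indicator(events, min_accounts=5, max_per_account=2):
    """Population-level check: many distinct accounts failing, each only a few times,
    is the signature of a spray that per-account counters cannot see."""
    failed = [e for e in events if e["result"] == "fail"]
    fails = Counter(e["user"] for e in failed)
    low_and_wide = [u for u, n in fails.items() if n <= max_per_account]
    return {
        "accounts_failing": len(fails),
        "distinct_sources": len({e["src"] for e in failed}),
        "spray_suspected": len(low_and_wide) >= min_accounts,
    }
```

Running both functions over the same events shows the per-account rule returning nothing while the population-level rule flags the pattern.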
Ah, those are interesting viewpoints. Didn’t look at it like that. You’re both absolutely right, and luckily using reCaptcha does indeed solve these issues effectively. Thanks again for looking after us, devs!
LOL @9GAG post. I like the changes by the way…