  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 391

brute force / DoS / Acct Lockout

How do you strike a balance in your web apps between protecting yourselves from brute force type attacks by deploying account lockout mechanisms, and your account lockout mechanisms being abused by malicious sources to create a DoS on the user acct logging in? There's an argument to have account lockout to prevent brute force, but also an argument not to have it for critical apps due to the potential for DoS.
1 Solution
Chris Gralike (Specialist) commented:
What exactly do you mean with balance?

From the business point of view (CTO)
From the maintenance point of view (FTEs / ROI)
From the technical point of view (Code standardization, Complexity)
Other...


Chris Gralike (Specialist) commented:
Also, have you ever considered locking out an actual connecting IP instead of an account? Then you might find that IP spoofing can create DoS for potential customers / colleagues and the circle is round again.

Other solutions might be the use of VPN before being able to connect to the application and work from there. Again there might be counters on that. In any account, how 'visible' will your portal be, how interesting will it look for potential hackers, even this question might raise interest on the web...

Many approaches to different problems will also cause new problems... But what will make the potential attacker pick your neighbour to rob instead of you?
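One defensive design that addresses the trade-off raised in the question and in Chris's comment (a lockout that a third party can weaponise into a DoS), as an added example that is not code from the thread: throttle on the (account, source) pair with a short, exponentially growing temporary block rather than a permanent account lock, and keep a separate per-source counter so one source cannot spray many accounts. The class, method and parameter names are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Temporary per-(account, source) backoff instead of a permanent account lock.

    Assumed policy: after `threshold` failures by one (account, source) pair in
    `window` seconds, that pair is refused for a delay doubling per extra failure
    (capped at `max_delay`); a source failing against `source_threshold` accounts
    is refused outright (spraying); success clears the pair. Keying on the pair
    stops a third party locking the real user out from elsewhere.
    """

    def __init__(self, threshold=5, window=300, base_delay=2, max_delay=900,
                 source_threshold=50, clock=time.time):
        self.threshold, self.window = threshold, window
        self.base_delay, self.max_delay = base_delay, max_delay
        self.source_threshold, self.clock = source_threshold, clock
        self.failures = defaultdict(deque)  # key -> failure timestamps
        self.blocked_until = {}             # (account, source) -> expiry time

    def _recent(self, key, now):
        q = self.failures[key]  # drop failures older than the window, count the rest
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, account, source):
        """Return (allowed, seconds_to_wait) for an attempt made now."""
        now = self.clock()
        until = self.blocked_until.get((account, source), 0)
        if until > now:
            return False, int(until - now)
        if self._recent(("src", source), now) >= self.source_threshold:
            return False, self.window
        return True, 0

    def record_failure(self, account, source):
        now = self.clock()
        self.failures[("src", source)].append(now)
        self.failures[(account, source)].append(now)
        excess = self._recent((account, source), now) - self.threshold
        if excess >= 0:  # over threshold: block for an exponentially growing delay
            delay = min(self.base_delay * 2 ** excess, self.max_delay)
            self.blocked_until[(account, source)] = now + delay

    def record_success(self, account, source):
        """A real login clears that pair's history (the source counter is kept)."""
        self.failures.pop((account, source), None)
        self.blocked_until.pop((account, source), None)
```

The worst case for a legitimate user who shares a source with the attacker is a bounded wait, and a user on another source is never affected; pair this with logging of the blocks so spraying from one source is visible.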
pma111 (Author) commented:
Thanks Chris, some good advice there.
