brute force / DoS / Acct Lockout

Posted on 2009-04-16
Last Modified: 2012-05-06
How do you strike a balance in your web apps between protecting yourselves from brute force type attacks by deploying account lockout mechanisms, and your account lockout mechanisms being abused by malicious sources to create a DoS on the user acct logging in? There's an argument to have account lockout to prevent brute force, but also an argument not to have it for critical apps due to the potential for DoS.
Question by:pma111
    LVL 10

    Expert Comment

    What exactly do you mean with balance?

    From the business point of view (CTO)
    From the maintenance point of view (FTEs / ROI)
    From the technical point of view (Code standardization, Complexity)
    Other...


    LVL 10

    Accepted Solution

    Also, have you ever considered locking out an actual connecting IP instead of an account? Then you might find that IP spoofing can create DoS for potential customers / colleagues and the circle is round again.

    Other solutions might be the use of VPN before being able to connect to the application and work from there. Again there might be counters on that. In any account, how 'visible' will your portal be, how interesting will it look for potential hackers, even this question might raise interest on the web...

    Many approaches to different problems will also cause new problems... But what will make the potential attacker pick your neighbour to rob instead of you?
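One way to implement the middle ground the thread circles around, as an added example that is not code from the question or the accepted answer: throttle failed logins per (account, source) pair with exponential backoff instead of hard-locking the account, so an attacker hammering one account from one source cannot deny the real user at another source, and escalate to a step-up check (second factor, CAPTCHA) rather than a lock when failures against one account arrive from many sources. `LoginThrottle`, its parameters and the notion of "source" (client address or equivalent) are assumptions of this example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Hypothetical throttle: backoff per (account, source), no account lockout."""

    def __init__(self, base_delay=1.0, max_delay=300.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay = base_delay        # first penalty after free attempts (s)
        self.max_delay = max_delay          # cap so a single pair is never locked forever
        self.free_attempts = free_attempts  # typos before any delay applies
        self.clock = clock                  # injectable for deterministic tests
        self.failures = defaultdict(int)    # (account, source) -> consecutive failures
        self.not_before = {}                # (account, source) -> earliest next attempt
        self.sources = defaultdict(set)     # account -> sources with recent failures

    def retry_after(self, account, source):
        """Seconds this (account, source) pair must wait; 0.0 means it may try now."""
        return max(0.0, self.not_before.get((account, source), 0.0) - self.clock())

    def record_failure(self, account, source):
        """Count a failed attempt and grow the delay for this pair only."""
        key = (account, source)
        self.failures[key] += 1
        self.sources[account].add(source)
        excess = self.failures[key] - self.free_attempts
        if excess > 0:
            # 1s, 2s, 4s, ... capped: brute force becomes impractical for this pair,
            # while the same account stays reachable from other sources.
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            self.not_before[key] = self.clock() + delay
        return self.retry_after(account, source)

    def record_success(self, account, source):
        """A good login clears the pair's penalty and its entry in the source set."""
        self.failures.pop((account, source), None)
        self.not_before.pop((account, source), None)
        self.sources[account].discard(source)

    def needs_step_up(self, account, threshold=5):
        """Failures from many distinct sources (the spoofing/distributed case the
        answer warns about): require a second factor instead of locking the account."""
        return len(self.sources[account]) >= threshold


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(10):                      # constructed: one attacker source
        t.record_failure("alice", "198.51.100.7")
    print(t.retry_after("alice", "198.51.100.7"))  # attacker waits 64.0 s
    print(t.retry_after("alice", "203.0.113.5"))   # real user waits 0.0 s
```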
    LVL 3

    Author Comment

    Thanks Chris, some good advice there.
