undefined | Better HN

0 pointsatombender6y ago0 comments

Rate limit by what? IP? Botnet traffic will originate at random IPs.

0 comments

By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.

atombenderOP6y ago

First, that's a bit user-hostile (and suddenly a DoS-vector; I can prevent a site's users from logging in by continuously firing bad password attempts).

Secondly, botnets can, and presumably do, randomize which accounts they try, too.

yc123406y ago

So rate-limiting is "user-hostile", but permanently hell-banning someone because their network is considered "seedy" is user-friendly?

Incidentally, you still need rate-limiting if you use Google's CAPTCHA. If you don't rate-limit CAPTCHA endpoint, an attacker can DDoS you (especially if your server-side captcha component uses low-performance single-threaded HTTP client). Furthermore, an attacker within the same AS as their target can purposefully screw over their account by performing attacks on Google's services until the reputation of the network hits rock bottom.

1 more reply

hombre_fatal6y ago

So I can lock you out of your account with 3 attempts from any IP address?

wolco6y ago

For a minute usually. Prevents flooding. Not a bad approach unless the account is constantly hit. In those cases two factor auth makes sense.

1 more reply

LaGrange6y ago

> By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

...congratulations, I just locked out all of your users. Have a nice day.

Kaiyou6y ago

How did you get the email addresses of all my users, which are used as login name?

1 more reply

j / k navigate · click thread line to collapse

0 comments

basilgohar6y ago

By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.

atombenderOP6y ago

First, that's a bit user-hostile (and suddenly a DoS-vector; I can prevent a site's users from logging in by continuously firing bad password attempts).

Secondly, botnets can, and presumably do, randomize which accounts they try, too.

yc123406y ago

So rate-limiting is "user-hostile", but permanently hell-banning someone because their network is considered "seedy" is user-friendly?

1 more reply

hombre_fatal6y ago

So I can lock you out of your account with 3 attempts from any IP address?

wolco6y ago

For a minute usually. Prevents flooding. Not a bad approach unless the account is constantly hit. In those cases two factor auth makes sense.

1 more reply

LaGrange6y ago

> By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

...congratulations, I just locked out all of your users. Have a nice day.

Kaiyou6y ago

How did you get the email addresses of all my users, which are used as login name?

1 more reply

j / k navigate · click thread line to collapse