undefined | Better HN

0 pointsmike_hearn1y ago0 comments

Not easily: if it's enforced client side it may as well not exist, if it's enforced server side you just let anyone lock anyone else out of their account by running a constant brute force attack against their account (a DoS vuln). It also does nothing for attackers who try a giant list of accounts but only one or two passwords for each.

I worked on Google's system for solving this. It's a pretty sophisticated analysis that decides whether to demand CAPTCHAs or not based on a lot of factors. The CAPTCHA was needed (at that time) because it's the only way to slow down the attacker without bothering the real user, who won't be shown one.

0 comments

LightHugger1y ago

Serverside of course, but i would think the loading bar can be per connection rather than be per account right? Like a connection is attempted, starting the loading bar, and then 5s later you only allow that connection to continue the load? I do non-web dev stuff so maybe i'm missing something but it sounds like should be easy enough.

mike_hearnOP1y ago

What stops you dropping the connection the moment you realize you're being loading barred.

LightHugger1y ago

Presumably the point is that the user (or bot) wants to access the content, a connection would have to complete the load successfully to do what they came for. if they just drop it instantly then that's a bot turned away.

1 more reply

account421y ago

> without bothering the real user, who won't be shown one.

bullshit

mike_hearnOP1y ago

Lots of signals used to prevent people seeing captchas when their passwords were being attacked, but you never see it so never think about it.

j / k navigate · click thread line to collapse