To lock or not to lock? TIP: Do something else first.


Since the beginning of the internet we have had login forms, accounts and sign-ups everywhere. Companies that provide a service such as cloud storage or file sharing rely on these login forms to authenticate users into their accounts. One of the most typical attacks against these mechanisms is the brute force attack. Basically, an attacker has a list with lots and lots of emails and passwords found on the internet (e.g. the rockyou password list), collected from the leaks that happen every year, combines them into different email/password sets and tries to log in to the accounts with each one. With these attacks starting to hit the internet, we had to create mechanisms to prevent intrusion and information theft. The most common ones today are: raising a CAPTCHA to prevent automated login attempts; server-side blocking by answering with HTTP 429 Too Many Requests; or, less commonly, locking accounts.

The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.

No restriction for password guessing.
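The two policies described above, as an added example that is not part of the original article: a hard lockout that locks the account after a fixed number of failures (the overly restrictive mechanism the CWE text describes, where anyone who knows a username can deny service to its owner) beside a per-account throttle that answers with HTTP 429 and an exponentially growing retry delay, where failures expire so the legitimate user is slowed down but never permanently locked out. The user store, the `alice@example.com` account, the window and delay values and the `attempt_login` helper are all constructed for this illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample credential store for the demo (hypothetical user, not from the article).
USERS = {"alice@example.com": "correct horse battery staple"}


@dataclass
class HardLockout:
    """Locks an account after max_failures bad attempts until an administrator resets it.
    This is the overly restrictive behaviour the CWE text warns about: a third party who
    knows the username can trigger the lock and deny service to the real owner."""
    max_failures: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def check(self, user: str, now: float) -> Tuple[str, float]:
        return ("locked", 0.0) if user in self.locked else ("allow", 0.0)

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures[user] = 0
            return
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)


@dataclass
class BackoffThrottle:
    """Answers HTTP 429 with a growing Retry-After instead of locking the account.
    Failures older than `window` seconds are forgotten, and the delay is capped, so
    the legitimate user can always get back in by waiting; a guessing attacker is
    limited to a handful of attempts per window."""
    base_delay: float = 1.0      # seconds after the first failure
    cap: float = 300.0           # longest delay ever imposed
    window: float = 900.0        # failures older than this no longer count
    failures: Dict[str, List[float]] = field(default_factory=dict)
    retry_after: Dict[str, float] = field(default_factory=dict)

    def check(self, user: str, now: float) -> Tuple[str, float]:
        # Drop failures that have aged out of the window before deciding.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent
        until = self.retry_after.get(user, 0.0)
        if now < until:
            return ("429", until - now)   # caller sends Retry-After: until - now
        return ("allow", 0.0)

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            # A correct login clears the account's failure history.
            self.failures.pop(user, None)
            self.retry_after.pop(user, None)
            return
        self.failures.setdefault(user, []).append(now)
        n = len(self.failures[user])
        delay = min(self.base_delay * (2 ** (n - 1)), self.cap)   # 1s, 2s, 4s, 8s ... capped
        self.retry_after[user] = now + delay


def attempt_login(policy, user: str, password: str, now: float) -> Tuple[str, float]:
    """Run one login attempt through a policy. Returns (status, wait_seconds) where
    status is 'ok', 'bad_credentials', '429' or 'locked'."""
    status, wait = policy.check(user, now)
    if status != "allow":
        return status, wait
    ok = USERS.get(user) == password
    policy.record(user, ok, now)
    return ("ok" if ok else "bad_credentials"), 0.0


if __name__ == "__main__":
    user, good = "alice@example.com", USERS["alice@example.com"]
    for policy in (HardLockout(), BackoffThrottle()):
        # Someone else submits three wrong passwords, then the real owner logs in later.
        for t in range(3):
            attempt_login(policy, user, "wrong-guess", float(t))
        print(type(policy).__name__, "owner result after 100s:",
              attempt_login(policy, user, good, 100.0))
```

Under `HardLockout` the owner's correct password still yields `locked`; under `BackoffThrottle` the same sequence yields `ok` once the short delay has passed. Throttling per account is only one layer: the 429 answer is what the article mentions, and it is normally combined with a per-source-address limit or a CAPTCHA so that a distributed guessing campaign does not get one free attempt per window per account.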


