> Uhmmm.. how effective is a brute force attack where you can > only try one > combination per second? It's going to take you a while to get through > that dictionary. How determined are you ;-) Our product has a brute force attacker in it, and for some protocols, we have to wait a few seconds between each attempt b/c otherwise the protocol blocks you as it considers it a DoS. But the results can finish in several days or even weeks. > You can still do this on top of the sleep() method. A one > second wait is > n't going to affect you when you log in to an application. Sure. If you really want to sleep(1); then go nuts. I was only trying to point out that the sleep(1) is not a really viable way to prevent crackers from doing anything really. Just slow them down. > The problem with reacting after three failed logins is that > it can then > be easy to lock other people out of their account. You just have to > figure out their username, which usually isn't that hard. Since IP > addresses can be spoofed or shared among users of certain > ISPs, relying on them isn't adequate, either. Well, you'd only get 3 attempts to guess a username from a given IP. It takes a lot more work to spoof an IP, and coordinate an attack with several computers. And most crackers aren't trying to lock people out of their account, they're trying to gain access themselves. If I wanted to bring down a server, I'd just DoS it, not waste time locking individual users out one at a time. Daevid Vincent Senior Engineer / Architect two.zero.six.two.eight.five.eight.zero.eight.zero _ _ _ | | ___ ___| | ____| | _____ ___ __ | | / _ \ / __| |/ / _` |/ _ \ \ /\ / / '_ \ | |__| (_) | (__| < (_| | (_) \ V V /| | | | |_____\___/ \___|_|\_\__,_|\___/ \_/\_/ |_| |_| x104 Networks.com -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
