gmail security is a joke
Justin M. Streiner
streiner at cluebyfour.org
Fri May 29 16:32:34 UTC 2015
On Thu, 28 May 2015, Rich Kulawiec wrote:
> I think this (Bill's) is a very good practice. It's not that difficult
> to enumerate the name of every pro sports team in the US, the 100 most
> popular dog names, the 200 most common street names, etc. This attack
> can be mitigated by limiting attempts...but of course if that's done,
> then it's possible for an attacker to lock out the real owner by just
> hammering away constantly using assorted botnet hosts.
There are providers (banks, etc) who will disable an online account that
has had X failed login attempts. While that's good for preventing
$bad_guy from continuing to try to brute-force-guess the password, it
creates a nominal DoS condition for the legitimate owner who then has to
contact the provider and go through their password reset procedure.
In most of the cases I've seen, the provider is not well equipped to block
login attempts for $legit_user from whatever address range is doing the
brute-forcing (possibly spoofed / botted anyway).
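As an added illustration of the trade-off discussed in this thread (not code from the post or its authors): a small Python simulation of the bank-style "disable after X failures" policy beside a per-source policy that blocks only the addresses doing the guessing and, once an account is under attack, keeps letting through sources that have previously authenticated for that user. The user name, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example; real deployments would additionally expire the counters over time, which is omitted here.

```python
from collections import defaultdict


class NaiveLockout:
    """Disable the account after `threshold` failures, regardless of source.
    This is the bank-style policy described in the thread."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked = set()

    def attempt(self, user, src, password_ok):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)          # owner now needs the reset procedure
        return "fail"


class PerSourcePolicy:
    """Track failures per (user, source). Block only the offending sources;
    when an account is under attack from many sources, throttle unknown
    sources but still admit sources that previously authenticated for
    that user."""

    def __init__(self, src_threshold=5, account_threshold=20):
        self.src_threshold = src_threshold
        self.account_threshold = account_threshold
        self.src_failures = defaultdict(int)      # (user, src) -> failures
        self.account_failures = defaultdict(int)  # user -> failures from all sources
        self.known = set()                        # (user, src) pairs with a past success

    def attempt(self, user, src, password_ok):
        key = (user, src)
        if self.src_failures[key] >= self.src_threshold:
            return "throttled"   # this source has used up its tries for this user
        if (self.account_failures[user] >= self.account_threshold
                and key not in self.known):
            return "throttled"   # account under attack: only known sources proceed
        if password_ok:
            self.src_failures[key] = 0
            self.known.add(key)
            return "success"
        self.src_failures[key] += 1
        self.account_failures[user] += 1
        return "fail"


def run_scenario():
    """Constructed scenario: the owner logs in from home once, then 50 bot
    addresses each make 4 wrong guesses (each staying under the per-source
    threshold), then the owner tries again from home and from a new device."""
    user = "alice"                              # constructed account name
    home = "198.51.100.7"                       # constructed owner address
    bots = [f"203.0.113.{i}" for i in range(1, 51)]   # constructed bot addresses
    results = {}
    for name, policy in (("naive", NaiveLockout()), ("per_source", PerSourcePolicy())):
        policy.attempt(user, home, True)        # owner's normal login before the attack
        for bot in bots:
            for _ in range(4):
                policy.attempt(user, bot, False)
        results[name] = {
            "owner_from_home": policy.attempt(user, home, True),
            "owner_from_new_device": policy.attempt(user, "192.0.2.9", True),
            "bot_retry": policy.attempt(user, bots[0], False),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Under the naive policy every outcome is "locked", including the owner's correct password from home: exactly the nominal DoS the post describes. Under the per-source policy the owner's known address still succeeds while the bots and any never-seen address are throttled; the residual cost is that the owner cannot enrol a new device until the attack subsides, which is the part of the trade-off that a reset procedure still has to cover.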