
See "Part VII" of this SO answer from Jeff Atwood describing mitigation techniques for "distributed brute force attacks"

http://stackoverflow.com/questions/549/the-definitive-guide-...

TL;DR - compute the average number of system-wide failed password attempts, and if it's over the norm, impose a small delay on all users (except those that login via a persistent login cookie).



Actually, this answer isn't by Jeff Atwood. See http://meta.stackoverflow.com/questions/95172/old-problemati...


Ah - my mistake. Thank you for clarifying.


Note that this can be very tricky. You don't want to keep connections open or waiting.
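The scheme summarised in the top comment (site-wide failure count compared against a baseline, a small delay for everyone except persistent-cookie sessions) and the caveat above about not holding connections open, worked into one added example. This is illustrative code written for this thread, not the Stack Overflow answer's code and not anything Jeff Atwood or Stack Overflow ship. Everything concrete here is an assumption: a 60-second rolling window, a baseline of "mean plus two standard deviations" over historical per-window counts, a delay that grows linearly with the excess and is capped, and enforcement by telling the client to retry later (the handler would answer HTTP 429 with Retry-After) instead of sleeping on the request thread. The `key` is whatever the site throttles on; using the attempted account name or a server-issued form token rather than the source IP is the natural choice against a distributed attack, but that too is a design assumption.

```python
"""Site-wide failed-login throttle (added example, not from the SO answer).

Assumptions (not stated in the thread): 60 s rolling window, baseline =
mean + k*stdev of historical per-window failure counts, linear capped
delay, and non-blocking enforcement (client is told to retry later).
"""
from collections import deque
from statistics import mean, pstdev


def baseline_from_history(counts_per_window, k=2.0):
    """Constructed rule of thumb: 'normal' = mean + k standard deviations
    of past per-window failure counts. A real deployment would tune k."""
    if not counts_per_window:
        raise ValueError("need at least one historical window")
    return mean(counts_per_window) + k * pstdev(counts_per_window)


class LoginThrottle:
    def __init__(self, baseline, window_seconds=60.0,
                 per_excess=0.5, max_delay=3.0):
        self.baseline = baseline            # failures/window considered normal
        self.window_seconds = window_seconds
        self.per_excess = per_excess        # seconds of delay per excess failure
        self.max_delay = max_delay          # cap so legit users are not locked out
        self._failures = deque()            # timestamps of recent failures (site-wide)
        self._not_before = {}               # key -> earliest time an attempt is processed

    def _prune(self, now):
        cutoff = now - self.window_seconds
        while self._failures and self._failures[0] <= cutoff:
            self._failures.popleft()

    def current_failures(self, now):
        self._prune(now)
        return len(self._failures)

    def required_delay(self, now, has_persistent_cookie):
        """Delay every non-cookie login must wait while the site is over baseline."""
        if has_persistent_cookie:           # the exemption from the TL;DR
            return 0.0
        excess = self.current_failures(now) - self.baseline
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.per_excess * excess)

    def attempt(self, now, key, has_persistent_cookie, password_ok):
        """Returns (status, retry_after_seconds).

        'throttled' means: do not check the password, answer immediately
        with a retry-after (e.g. HTTP 429). No thread sleeps, no socket
        is kept open, which is the point raised in the comment above.
        """
        earliest = self._not_before.get(key)
        if earliest is not None and now < earliest:
            return "throttled", earliest - now      # came back too early
        if earliest is None:
            delay = self.required_delay(now, has_persistent_cookie)
            if delay > 0:
                self._not_before[key] = now + delay
                return "throttled", delay           # first contact during surge
        else:
            self._not_before.pop(key)               # delay served, process now
        if password_ok:
            return "ok", 0.0
        self._failures.append(now)                  # feeds the site-wide counter
        return "denied", 0.0


def simulate():
    """Constructed scenario: six spread-out failures push the site over a
    baseline of 5, then a legitimate user and a cookie holder log in."""
    t = LoginThrottle(baseline=5.0)
    out = {}
    # six failures from six different keys at t=0..5 (a distributed guess)
    out["guesses"] = [t.attempt(i, f"guess-{i}", False, False)[0] for i in range(6)]
    out["alice_first"] = t.attempt(6.0, "alice", False, True)    # told to wait 0.5 s
    out["alice_early"] = t.attempt(6.25, "alice", False, True)   # still too early
    out["alice_retry"] = t.attempt(6.5, "alice", False, True)    # processed, ok
    out["bob_cookie"] = t.attempt(6.0, "bob", True, True)        # exempt
    out["after_window"] = t.required_delay(70.0, False)          # surge aged out
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The delay is "imposed" by refusing to process the attempt until its retry time, so a surge of guesses slows every non-cookie login by a bounded amount without any request blocking server-side; once the failures age out of the window the delay returns to zero on its own.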


Very useful, thanks!



