#33 Captcha alternative

Closed
opened 3 years ago by bsimjoo · 5 comments
bsimjoo commented 3 years ago

Because our web app needs JavaScript (at least after login it must be enabled), I recommend adding more smart bot traps!

  1. Add a time limit on the server side for retries. For example, add (2^[retry_time]) seconds of sleep before returning the response. This will increase the time complexity of a bot.

  2. Nobody uses a saved login for a retry (when the password is incorrect), so we can use a script to calculate average typing speed. (But maybe somebody sends a random value in this field to crash the server.)

I recommend the first method.

bsimjoo commented 3 years ago
Collaborator

We must use a collection of Captcha alternative methods to make sure there is not any problem. Most low-level crackers will read the source of the page before sending posts or making their bots, so using a honeypot or a simple JavaScript that posts something cannot be so effective.


I see that you have studied too much DS :D

That honeypot just traps random bots, not others. There are bots around the net which, when they see a form similar to login forms, just fill it with many common values (admin/admin, admin/1234, test/test, ...), so this simple honeypot will catch many random bots if you run the application on port 80 (the standard port).

About your recommendations, the first one sounds like a good idea, but I have added a rate limit which blocks any IP with too many validation attempts for a short but long time (short for humans, long for bots), and this limit makes implementing your idea give us almost nothing.

Of course, unless your idea replaces my idea, which I have implemented in the back-end.

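An added illustration of the two controls discussed in this thread, the exponential delay proposed above and the per-IP block the maintainer says is already in the back-end, combined in one server-side throttle. This is example code written for this page, not the project's own implementation; the thresholds, the class name and the IP address are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed example (not the project's code). All thresholds are assumptions.
MAX_FAILURES = 5        # failures per IP inside the window before a block starts
WINDOW_SECONDS = 60     # sliding window in which failures are counted
BLOCK_SECONDS = 300     # lock-out length: short for a human, long for a bot
MAX_DELAY = 32          # cap on 2**retries so one request never holds a worker for minutes


class LoginThrottle:
    """Per-IP login throttle: exponential delay per failure plus a lock-out."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for deterministic tests
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> clock value when the block ends

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_blocked(self, ip):
        """True while the IP is inside its lock-out period."""
        now = self.clock()
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)     # block expired, forget it
        return False

    def record_failure(self, ip):
        """Register a wrong password. Returns the delay in seconds to apply
        before answering (2**retry_count, capped); the caller may sleep or
        send it as Retry-After. Starts a block at MAX_FAILURES in the window."""
        now = self.clock()
        q = self._prune(ip, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
        return min(2 ** (len(q) - 1), MAX_DELAY)

    def record_success(self, ip):
        """A correct password clears the failure history for that IP."""
        self.failures.pop(ip, None)
```

Returning the delay instead of sleeping inside the handler keeps the choice of enforcement (sleep, Retry-After header, or queueing) with the caller, which matters once many bot connections are waiting at the same time.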

BTW, I have removed the captcha if you are not aware.


May I close this?


Reopen if I shouldn't have closed this.
