Time delay for passwords

I read an article regarding password security - here is the link if anyone is interested - The Usability of Passwords - Baekdal - and it suggests adding a short time delay (5 seconds) between sign-ins as an effective method of preventing automated hacking scripts.

A couple of questions I have are:

  1. How does one include a time delay for a password protected page?

  2. Would time delay help with preventing form spam attacks?

Bryan


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

On Apr 29, 2011, at 2:33 PM, Bryan Irvine wrote:

I read an article regarding password security - here is the link if
anyone is interested - The Usability of Passwords - Baekdal - and it
suggests adding a short time delay (5 seconds) between sign-ins as an
effective method of preventing automated hacking scripts.

A couple of questions I have are:

  1. How does one include a time delay for a password protected page?

You’d want to do this on the form handler, and there’s no one good way
to do this. If your attacker is sophisticated, he or she will use a
“botnet army” of non-connected workers, and one or another of that
swarm will get in unless the passwords are really good.

If you wanted to delay the reply from the handler script, you could
just put sleep(5); somewhere near the top, and all requests would
take 5 seconds plus whatever actual processing time the server really
needs to complete. Of course, this also burdens your real users a bit,
too.

You could also keep a running log of each login, including the IP
address (although that's easily spoofed) and the time, and if the same
IP requests again in some timeframe, you could make them wait 10, 20
seconds before answering…

  2. Would time delay help with preventing form spam attacks?

Probably not, because a devoted spammer will use automated tools –
fire and forget – to send zillions of requests to your server without
waiting to see if the last one succeeded.

Sorry.

Walter
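
Added example, not part of the original thread: a sketch of the running log with an escalating per-IP delay described in the reply above. The class and function names, the 300-second window and the 0/5/10/20 schedule are assumptions; the thread only mentions 5, 10 and 20 seconds.

```python
import time
from collections import deque

WINDOW_SECONDS = 300     # assumed "timeframe"; the thread does not give one
DELAYS = (0, 5, 10, 20)  # seconds to wait after 0, 1, 2, 3+ recent failures


class LoginThrottle:
    """Running log of failed logins per IP, with an escalating delay."""

    def __init__(self, window=WINDOW_SECONDS, delays=DELAYS, clock=time.monotonic):
        self.window, self.delays, self.clock = window, delays, clock
        self.attempts = {}  # ip -> deque of failure timestamps

    def _recent(self, ip):
        """Drop entries older than the window; return how many remain."""
        log = self.attempts.get(ip)
        if log is None:
            return 0
        cutoff = self.clock() - self.window
        while log and log[0] <= cutoff:
            log.popleft()
        if not log:
            del self.attempts[ip]  # keep the log from growing without bound
        return len(log)

    def delay_for(self, ip):
        """Seconds to hold the next answer to this IP."""
        return self.delays[min(self._recent(ip), len(self.delays) - 1)]

    def record_failure(self, ip):
        self.attempts.setdefault(ip, deque()).append(self.clock())


def handle_login(throttle, ip, password_ok, sleep=time.sleep):
    """Hypothetical form handler: wait, then log a failure. Returns the wait."""
    wait = throttle.delay_for(ip)
    if wait:
        sleep(wait)
    if not password_ok:
        throttle.record_failure(ip)  # entries age out; success does not reset
    return wait


if __name__ == "__main__":
    t = LoginThrottle()
    for n in range(4):  # constructed input: four bad passwords from one address
        print(n + 1, handle_login(t, "203.0.113.7", False, sleep=lambda s: None))
```

Attempts spread across many addresses each get a delay of 0, which is the botnet limitation the reply describes.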



Sounds like it’s not worth the trouble.

Thanks,

Bryan

