I've seen the following login rate limiting approach used on a web site I worked on
ID: 654069 • Letter: I
Question
I've seen the following login rate limiting approach used on a web site I worked on, but I can't figure out if it's a good idea:
After any failed login attempt, the site locks the user account for a fraction of a second. When the account is locked, any login attempts will fail, even attempts with correct credentials. The user is not told that their account is locked, only that their login failed.
The idea is that real users will generally take longer than the lockout time to re-enter their credentials (and will probably re-enter them more slowly the third time if they accidentally trigger the lockout). Meanwhile, hackers brute-forcing passwords would trip the lockout with high-volume login attempts.
What are the problems with this approach?
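The mechanism the question describes, written out as an added example so its behaviour can be checked rather than reasoned about; this is not code from the site the asker worked on. It assumes a constructed user table, a 0.5 s lockout, and an injectable clock so the timings are deterministic. The question does not say whether an attempt made while the account is already locked renews the lock; this example assumes it does, since it is itself a failed attempt. The audit trail records the one outcome the user never sees, a correct password rejected because of the lock, which is the figure an operator would want to watch to learn how often legitimate users are hit.

```python
import hmac
import time

# Constructed demo credentials, not from the page.
USERS = {"alice": "correct-horse"}


class ShortLockoutLogin:
    """Login gate modelled on the approach in the question: after any failed
    attempt the account is locked for `lockout_seconds`; while locked every
    attempt fails, correct credentials included, and the caller only ever
    learns that the login failed."""

    def __init__(self, lockout_seconds=0.5, clock=time.monotonic):
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so tests are deterministic
        self.locked_until = {}      # username -> clock time the lock expires
        self.log = []               # (username, outcome) audit trail

    def _credentials_valid(self, user, password):
        expected = USERS.get(user)
        if expected is None:
            return False
        # Constant-time comparison so the check itself leaks no timing signal.
        return hmac.compare_digest(expected.encode(), password.encode())

    def attempt(self, user, password):
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            # Assumption: an attempt during the lock is a failed attempt and renews it.
            self.locked_until[user] = now + self.lockout_seconds
            outcome = ("rejected-while-locked" if self._credentials_valid(user, password)
                       else "failed-while-locked")
            self.log.append((user, outcome))
            return False   # caller sees only "login failed"
        if self._credentials_valid(user, password):
            self.locked_until.pop(user, None)
            self.log.append((user, "success"))
            return True
        self.locked_until[user] = now + self.lockout_seconds
        self.log.append((user, "failed"))
        return False


class FakeClock:
    """Manually advanced clock standing in for time.monotonic()."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def legit_users_turned_away(log):
    """Count correct-password attempts that failed only because of the lock."""
    return sum(1 for _, outcome in log if outcome == "rejected-while-locked")


def demo():
    clock = FakeClock()
    gate = ShortLockoutLogin(lockout_seconds=0.5, clock=clock)
    results = {}
    results["typo"] = gate.attempt("alice", "correct-hrose")            # wrong, starts the lock
    clock.advance(0.2)                                                    # fast retype
    results["fast_retry_correct"] = gate.attempt("alice", "correct-horse")  # right, still rejected
    clock.advance(1.0)                                                    # slower retype
    results["slow_retry_correct"] = gate.attempt("alice", "correct-horse")  # now accepted
    return results, gate.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("legitimate users turned away:", legit_users_turned_away(log))
```

Running `demo()` shows the two-sided nature of the scheme: the correct password typed 0.2 s after a typo is rejected exactly like a wrong one, and the user has no way to tell the difference, so without the audit trail the site cannot measure how many real users that costs.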
Explanation / Answer
No, there is absolutely no security-related reason to continue to support TLS 1.0, but there are several other business concerns which can twist the arm of a system engineer into allowing it. For larger sites, they may be trying not to leave people with older browsers out in the cold. For some situations, the person publishing the website needs to assume you are using IE 6 with no updates.
It sounds ridiculous, and it is, but it's a fact of life.
That said, if the server doesn't support anything above TLS 1.0, that's a problem no matter how you slice it. You should e-mail them about it. Or, if it's not fixed, stop using the site.
Sometimes it only takes one angry e-mail to set things right.
Edit: I shall emphasize that supporting a legacy operating system or software stack is no excuse for exposing your users to encryption with major known faults.