by DonaldFoss
3478 days ago
Assuming a web page, does the page reload in less than 1 second? On a full-sized keyboard, the normal rate is 3.3 key presses per second. On a mobile device, I'm sure an 8-character password will take far more than 1 second. For brute-force attack defense, rate limiting a single account globally to 1/sec, i.e. independent of source IP address, should be sufficient and prevent parallel attacks by bots, but this still makes DoS attacks on a particular account easy, but not the entire system except traditional overload. Many API systems work this way and it's proven effective.
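The per-account limit described in the comment above, as an added example that is not part of the original post: a limiter keyed only on the account name, replayed over constructed login attempts so both the throttling of parallel sources and the lockout of the real owner are visible. The names `AccountRateLimiter`, `replay`, `summarize` and `EVENTS` are hypothetical, and timestamps are passed in rather than read from a clock so the run is deterministic.

```python
import threading
from collections import defaultdict


class AccountRateLimiter:
    """At most one login attempt per account per `interval` seconds.
    The source IP is deliberately not part of the key."""

    def __init__(self, interval=1.0):
        self.interval = interval
        self._next_allowed = {}          # account -> earliest time of next attempt
        self._lock = threading.Lock()    # concurrent requests must not race the check

    def allow(self, account, now):
        key = account.strip().lower()    # "Alice" and "alice" share one budget
        with self._lock:
            if now < self._next_allowed.get(key, 0.0):
                return False             # over budget: reject before checking the password
            self._next_allowed[key] = now + self.interval
            return True


def replay(events, interval=1.0):
    """Run (timestamp, source_ip, account) events through one limiter."""
    limiter = AccountRateLimiter(interval)
    return [(ts, ip, acct, limiter.allow(acct, ts)) for ts, ip, acct in events]


def summarize(results):
    """Return {account: (allowed, rejected)}."""
    counts = defaultdict(lambda: [0, 0])
    for _, _, acct, ok in results:
        counts[acct.strip().lower()][0 if ok else 1] += 1
    return {k: tuple(v) for k, v in counts.items()}


# Constructed sample: several sources guessing against "alice" in parallel,
# an unrelated "bob" login, and the real owner of "alice" at 192.0.2.7.
EVENTS = [
    (0.00, "198.51.100.1", "alice"),
    (0.10, "198.51.100.2", "alice"),
    (0.20, "198.51.100.3", "Alice"),
    (0.30, "203.0.113.9", "bob"),     # other accounts are unaffected
    (0.50, "192.0.2.7", "alice"),     # owner rejected: the per-account DoS
    (1.00, "198.51.100.4", "alice"),  # next slot is taken by another guess
    (1.20, "192.0.2.7", "alice"),     # owner rejected again
]

if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
    print(summarize(replay(EVENTS)))
```
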