C7H8N4O2
2944 days ago
> Rate limiting on a specific username will prevent brute forcing but exposes you to DOS.
Why?
bluesroo
2944 days ago
Not the OP, but I think he's referring to the potential for an automated service spamming thousands (or more) accounts enough to lock them.
Sohcahtoa82
2944 days ago
You can lock a user out of their account by spamming the server with login attempts.
jsmeaton
2944 days ago
Yes. In this case the denial of service is against specific customer accounts for the lockout duration, not against the availability of the site.
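To make the lockout-as-denial-of-service point concrete, here is an added illustration (not code from anyone in this thread) that puts a naive per-username lockout next to a throttle keyed on (username, source) and simulates a third party flooding one account with bad passwords before the real user signs in. The threshold, lockout window and the two addresses are constructed values.

```python
from collections import defaultdict

THRESHOLD = 5          # failed attempts before the counter trips (constructed)
LOCKOUT_SECONDS = 900  # 15-minute block window (constructed)


class UsernameLockout:
    """Naive policy: failures are counted per username only, so anyone who
    can reach the login endpoint can trip the lock for any account."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, username, source, now):
        return self.locked_until.get(username, 0) <= now

    def record_failure(self, username, source, now):
        self.failures[username] += 1
        if self.failures[username] >= THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS


class PerSourceThrottle:
    """Failures keyed on (username, source): a flood from one source blocks
    that source's attempts on the account, not the account itself."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def allowed(self, username, source, now):
        return self.blocked_until.get((username, source), 0) <= now

    def record_failure(self, username, source, now):
        key = (username, source)
        self.failures[key] += 1
        if self.failures[key] >= THRESHOLD:
            self.blocked_until[key] = now + LOCKOUT_SECONDS


def simulate(policy):
    """Flood 'alice' with THRESHOLD wrong passwords from 203.0.113.5, then
    check whether that source and alice's own address (198.51.100.7) may
    still attempt a login. Returns (flooder_allowed, victim_allowed)."""
    now = 1000.0
    for _ in range(THRESHOLD):
        policy.record_failure("alice", "203.0.113.5", now)
    flooder_allowed = policy.allowed("alice", "203.0.113.5", now)
    victim_allowed = policy.allowed("alice", "198.51.100.7", now)
    return flooder_allowed, victim_allowed
```

Keying on source address only narrows the problem: many sources on the attacker's side, or many victims behind one NAT, change the picture, so in practice it is combined with a far looser per-account limit, step-up challenges, or user notification rather than used alone.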
jessaustin
2944 days ago
This would be bad, but what's the motivation? What fabulous prizes await the DOSer of some random account on your service?
jsmeaton
2939 days ago
Locking users out of their accounts isn’t the goal, it’s just an unfortunate side effect.