|
|
|
|
|
|
by JimDabell
898 days ago
|
|
|
IP and cookie-based rate-limiting are trivially bypassed. In fact, any kind of rate-limiting is ineffective here, especially for smaller organisations, because you only need to generate a small fraction of the traffic they normally send out. If they separate transactional mail from other types of mail (something that is frequently recommended), then how many illegitimate password reset emails do you think an attacker needs to trigger to get to, say, a 5% failure rate? Smaller organisations don’t send out an awful lot of transactional email. |
|
|
Together with cookies, you can show the captcha only to visitors that are not already recognized in some way, giving them a limited number of actions before showing the captcha. And regardless of whether you want one on your password reset page, you almost certainly want one on your login page anyway.