this post was submitted on 22 Jan 2024
602 points (97.8% liked)

Technology

59133 readers
2630 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I just got the email from haveibeenpwned. F Trello.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

It may be reasonable to block all logins for a time if they detect an attack like this

That would be a P1 incident and probably violate SLAs depending on the duration.

[โ€“] [email protected] 7 points 9 months ago

Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.