[180253] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Fri May 29 12:32:52 2015
X-Original-To: nanog@nanog.org
Date: Fri, 29 May 2015 12:32:34 -0400 (EDT)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: nanog@nanog.org
In-Reply-To: <20150528211855.GA21216@gsp.org>
Errors-To: nanog-bounces@nanog.org
On Thu, 28 May 2015, Rich Kulawiec wrote:
> I think this (Bill's) is a very good practice.  It's not that difficult
> to enumerate the name of every pro sports team in the US, the 100 most
> popular dog names, the 200 most common street names, etc.  This attack
> can be mitigated by limiting attempts...but of course if that's done,
> then it's possible for an attacker to lock out the real owner by just
> hammering away constantly using assorted botnet hosts.
There are providers (banks, etc.) who will disable an online account that
has had X failed login attempts.  While that's good for preventing
$bad_guy from continuing to try to brute-force-guess the password, it
creates a nominal DoS condition for the legitimate owner who then has to
contact the provider and go through their password reset procedure.
In most of the cases I've seen, the provider is not well equipped to block 
login attempts for $legit_user from whatever address range is doing the 
brute-forcing (possibly spoofed / botted anyway).
jms
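The trade-off Justin describes, as an added illustration that is not part of the thread: a hard per-account lockout is compared with a policy that counts failures per (account, source) and only slows the account down globally. Names, thresholds and the TEST-NET addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed example, not code from the mail: two failed-login policies.

class AccountLockout:
    """Hard per-account lockout: after MAX failures the account is disabled
    until the owner goes through the provider's reset procedure."""
    MAX = 5
    def __init__(self):
        self.failures = defaultdict(int)
    def allowed(self, user, src):
        return self.failures[user] < self.MAX
    def fail(self, user, src):
        self.failures[user] += 1

class SourceAwareThrottle:
    """Lock out per (user, source); per user only add a delay. A flood from
    many sources slows the owner down but never disables the account."""
    MAX_PER_SOURCE = 5
    def __init__(self):
        self.by_source = defaultdict(int)   # (user, src) -> failures
        self.by_user = defaultdict(int)     # user -> failures from anywhere
    def allowed(self, user, src):
        return self.by_source[(user, src)] < self.MAX_PER_SOURCE
    def delay_seconds(self, user):
        # Exponential backoff, capped at 60 s, applied to anyone hitting the account.
        n = self.by_user[user]
        return min(60, 2 ** n) if n else 0
    def fail(self, user, src):
        self.by_source[(user, src)] += 1
        self.by_user[user] += 1

def simulate(policy, bot_sources, owner_src="203.0.113.10", user="alice"):
    """Each bot source makes one wrong guess; return whether the owner can still log in."""
    for src in bot_sources:
        if policy.allowed(user, src):
            policy.fail(user, src)
    return policy.allowed(user, owner_src)

# Constructed botnet addresses (TEST-NET-2), one guess each.
BOTS = [f"198.51.100.{i}" for i in range(1, 11)]

if __name__ == "__main__":
    print("per-account lockout, owner allowed:", simulate(AccountLockout(), BOTS))
    t = SourceAwareThrottle()
    print("source-aware throttle, owner allowed:", simulate(t, BOTS),
          "delay:", t.delay_seconds("alice"))
```

As the mail notes, the guessing sources may be spoofed or botted, so per-source counting alone does not stop a distributed guesser; the per-account delay is what still applies to them.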