
web development e-mail protection

Currently, web sites give generic messages to users on invalid login attempts such as:

The username or password you entered is not valid

to protect e-mails from spammers. However, I read somewhere that this is not enough because sign-up forms will warn the user if the e-mail address is already taken. Therefore spammers can find valid e-mails by trying to fill in registration forms rather than login forms.

The question: how can we prevent this? Is there a good way of handling this situation?


One quite nice way to prevent brute-forcing is to add an increasing delay before checking.

A fairly good way is to add a 1-second delay before showing the error implying that the email is taken, then double that to 2 seconds, then 4, then 8, etc. for the user. You could max this out at 16 seconds, or block the IP for 10 minutes after this, for instance.

This way, real users get a 1-, 2- or 4-second delay (not much), but brute-forcing becomes too laborious.

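An added example, not code from the original answer, of the back-off the answer describes. It keys the counter on the client IP and forgets a client's attempts after an idle hour (both assumptions), and the registered addresses are constructed sample data. It also goes one step beyond the answer's wording: every sign-up submission from a client counts, and the same delay is applied whether or not the address turns out to be taken, so the length of the delay cannot itself be used to tell the two outcomes apart.

```python
# Added example: exponential back-off for a sign-up endpoint so that probing
# whether an e-mail address is registered gets slower with every attempt from
# the same client (1 s, 2 s, 4 s, 8 s, 16 s, then a 10-minute block).
import time

FIRST_DELAY = 1.0       # seconds for the first attempt
MAX_DELAY = 16.0        # cap suggested in the answer; the next attempt is blocked
BLOCK_SECONDS = 600.0   # 10-minute block suggested in the answer
RESET_AFTER = 3600.0    # assumption: forget a client's attempts after an idle hour

# Constructed sample data standing in for the user table.
REGISTERED = {"alice@example.com", "bob@example.com"}


class FakeClock:
    """Manually advanced clock so the back-off can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class SignupThrottle:
    """Per-client back-off counter. `key` is assumed to be the client IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # key -> (attempts, last_seen, blocked_until)

    def delay_for(self, key):
        """Record one sign-up attempt from `key` and return the number of seconds
        the response must be held back, or None if the client is currently blocked."""
        now = self._clock()
        attempts, last_seen, blocked_until = self._state.get(key, (0, now, 0.0))
        if now < blocked_until:
            return None
        if now - last_seen > RESET_AFTER:
            attempts = 0  # idle long enough: start the ladder again
        attempts += 1
        delay = FIRST_DELAY * 2 ** (attempts - 1)
        if delay > MAX_DELAY:
            # Past the 16 s step: block the client and reset the counter so the
            # ladder restarts at 1 s once the block expires.
            self._state[key] = (0, now, now + BLOCK_SECONDS)
            return None
        self._state[key] = (attempts, now, 0.0)
        return delay


def handle_signup(throttle, client_key, email, sleep=time.sleep):
    """Return (http_status, message) for one sign-up request. The delay is applied
    before the address is looked at, so both outcomes are held back equally."""
    delay = throttle.delay_for(client_key)
    if delay is None:
        return 429, "Too many attempts, please try again later"
    sleep(delay)
    if email.strip().lower() in REGISTERED:
        return 409, "That e-mail address is already registered"
    return 201, "Account created"


def probe_sequence(n, clock=None):
    """Simulate n back-to-back sign-up attempts from one client and return the
    delays the server imposed (None where the client was blocked)."""
    throttle = SignupThrottle(clock or FakeClock())
    return [throttle.delay_for("203.0.113.7") for _ in range(n)]


if __name__ == "__main__":
    print(probe_sequence(7))  # [1.0, 2.0, 4.0, 8.0, 16.0, None, None]
```

The in-process dictionary is only for illustration: behind more than one web server the counter has to live in a shared store, and keying on the source IP alone is weak against a spammer with many addresses and unfair to users behind a shared NAT, so a real deployment would combine the IP key with a per-account or per-session one.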
