web development e-mail protection
C开发者_开发问答urrenty, web sites gives generic messages to the users on invalid login attemps such as:
The username or password you entered is not valid
to protect e-mails from spammers. However, I read somewhere that this is not enough because sign up forms will warn user if the e-mail address is already taken. Therefore spammers can find valid e-mails by trying to fill registration forms not login forms.
The question: how can we prevent this? Is there a good way of handling this situation?
One quite nice way to prevent brute forcing is to add an increasing delay before checking.
A fairly good way is to add a 1 second delay before showing the error implying that the email is taken, then double that to 2 seconds, then 4 then 8 etc for the user. You could max this out at 16 seconds, or block the IP for 10 minutes after this for instance.
This way, real users get a 1, 2 or 4 second delay (not much), but bruteforcing becomes too laborious.
精彩评论