Quote:
Originally Posted by Humpy Leftnut
*bookmarks*
1> If you can, use a form-based login, not a pop-up password box as is normal
2> Add a human sentry to the form, a captcha
3> Block IPs of people who try more than 50+ login attempts in a 15-minute period
4> Pick usernames for people
5> Force long passwords with letters, capital letters and a number. Every extra character makes the number of possibilities way more.
That's some good advice, although I must say that although it's harder to crack passwords that use form logins, it's still possible. And blocking IP addresses is pointless; any good hacker will be using proxies.
I also think it's a bad idea to pick people's passwords for them. Correct me if I'm wrong, but I think ccbill uses computer-generated usernames and passwords, and the fact is that if you can get hold of a ccbill log file (which isn't very difficult from some sites) and decrypt it (which isn't very difficult), you get access not only to all the passwords for that site but to the format that the usernames and passwords are in, which makes creating a username:password list a lot easier.
And on that, if you haven't already, then password-protect your log files, cos I know for a fact that there are still sites out there which haven't, and that is a serious lack in security.
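As an added example (not code from either poster), here is the quoted rule 3 (block a source after more than 50 failed logins in a 15-minute window) implemented as a sliding-window throttle, plus a checker for rule 5 (length, lowercase, uppercase, digit) and the "every extra character" search-space arithmetic. The throttle is keyed on whatever string you pass it, so it can count per IP or per account; counting per account as well is the usual answer to the reply's point that a proxy-hopping attacker defeats per-IP blocking. The 12-character minimum and the sample attempt log are assumptions, since the thread only says "long".

```python
"""Login throttle and password-policy check (added example, not from the thread).
Thresholds follow the quoted rules; the 12-char minimum and the sample data are assumptions."""
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # 15-minute window, from quoted rule 3
MAX_ATTEMPTS = 50          # "more than 50" failures trips the block


class LoginThrottle:
    """Sliding-window counter of failed logins per key (an IP or an account name)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)   # key -> failure timestamps (seconds)

    def _prune(self, key, now):
        # Drop failures that fell out of the window; keep the deque ordered by time.
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def is_blocked(self, key, now):
        # Blocked once the window holds MORE than max_attempts failures.
        return len(self._prune(key, now)) > self.max_attempts


def password_meets_policy(pw, min_len=12):
    """Quoted rule 5: long, with lowercase letters, capital letters and a digit.
    The 12-character minimum is an assumption; the post only says 'long'."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def search_space_bits(length, alphabet_size=62):
    """log2 of the number of strings of this length over the alphabet
    (62 = a-z, A-Z, 0-9). Each extra character adds log2(62) ~ 5.95 bits,
    which is what 'every extra character makes the possibilities way more' means."""
    return length * math.log2(alphabet_size)


def replay(attempts, throttle=None):
    """Replay (timestamp, key, success) records through the throttle and
    return the set of keys that were blocked at any point."""
    throttle = throttle or LoginThrottle()
    blocked = set()
    for ts, key, ok in attempts:
        if throttle.is_blocked(key, ts):
            blocked.add(key)
            continue          # refuse the attempt without checking the password
        if not ok:
            throttle.record_failure(key, ts)
    return blocked


# Constructed data: 203.0.113.7 fails 60 times in 10 minutes (one every 10 s);
# 198.51.100.2 fails 5 times, one per minute.
SAMPLE_ATTEMPTS = sorted(
    [(i * 10, "203.0.113.7", False) for i in range(60)]
    + [(i * 60, "198.51.100.2", False) for i in range(5)]
)

if __name__ == "__main__":
    print("blocked:", replay(SAMPLE_ATTEMPTS))
    print("policy ok:", password_meets_policy("Tr0ub4dor&3xample"))
    print("bits for 8 vs 9 chars:", search_space_bits(8), search_space_bits(9))
```

Running it blocks only 203.0.113.7; the five-failure source never reaches the threshold. The block is reversible because old failures age out of the deque, so a locked-out source is released 15 minutes after its last failure rather than permanently.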