in reply to Re: Essential CGI Security Practices
in thread Essential CGI Security Practices
I wouldn't go so far as to say that "Invalid login" fails to buy any security - it prevents users from trivially determining whether a username is valid or not, thus significantly increasing the search space for a brute-force attack. Not a silver bullet by any means (not even a very shiny one, really), but still enough to be significant in many cases.
(Yeah, escalating delays are good, too, but a little trickier to implement in an environment, such as CGI, where you can't reliably maintain state.)
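As an added illustration (not code from this thread or from any poster), a small Python login check showing both points of the reply: a single generic "Invalid login" message, with the same password-hash work done for unknown usernames so that neither the text nor the response time reveals whether an account exists, shown beside the message style the reply objects to; and a per-username failure counter persisted to a JSON file so that a stateless CGI process can still apply an escalating delay across requests. The user table, password, file path, backoff schedule and the `FailureTracker`/`handle_login` names are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time

# Constructed sample data for this example; a real deployment would read
# users from a database or file (assumption, nothing here comes from the thread).
_SALT_LEN = 16
_ITERATIONS = 100_000
GENERIC_MESSAGE = "Invalid login"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns salt || derived key."""
    salt = salt or os.urandom(_SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def verify_password(password, stored):
    """Constant-time comparison of the candidate against the stored hash."""
    salt, key = stored[:_SALT_LEN], stored[_SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, key)


USERS = {"alice": hash_password("correct horse battery staple")}
# A hash that is never a real credential: an unknown username still costs one
# PBKDF2 run, so response time does not depend on whether the account exists.
_DUMMY_HASH = hash_password(os.urandom(32).hex())


def naive_login(username, password):
    """The message style the reply argues against: the two failure cases are
    distinguishable, so a client can learn which usernames exist."""
    if username not in USERS:
        return False, "No such user"
    if not verify_password(password, USERS[username]):
        return False, "Wrong password"
    return True, "Welcome"


def safe_login(username, password):
    """One generic message for every failure, and the same hashing work
    whether or not the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    return ok, ("Welcome" if ok else GENERIC_MESSAGE)


class FailureTracker:
    """Per-username failure counter kept in a JSON file, so a CGI process that
    holds no state between requests can still compute an escalating delay."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return {}

    def record(self, username, success):
        data = self._load()
        if success:
            data.pop(username, None)
        else:
            data[username] = data.get(username, 0) + 1
        with open(self.path, "w") as fh:
            json.dump(data, fh)
        return data.get(username, 0)


def delay_for(failures, cap=30.0):
    """Exponential backoff: 0 s after no failures, then 1, 2, 4, 8 ... capped."""
    return 0.0 if failures == 0 else min(cap, float(2 ** (failures - 1)))


def handle_login(username, password, tracker):
    """Per-request work of a CGI handler; returns (ok, message, delay).
    The caller sleeps for `delay` before emitting the response."""
    ok, message = safe_login(username, password)
    failures = tracker.record(username, ok)
    return ok, message, delay_for(failures)


def demo_escalation():
    """Four wrong passwords then the right one; returns the delays computed."""
    tracker = FailureTracker(os.path.join(tempfile.mkdtemp(), "failures.json"))
    guesses = ["a", "b", "c", "d", "correct horse battery staple"]
    return [handle_login("alice", g, tracker)[2] for g in guesses]


if __name__ == "__main__":
    tracker = FailureTracker(os.path.join(tempfile.mkdtemp(), "failures.json"))
    for user, pw in [("alice", "wrong"), ("nobody", "wrong")]:
        ok, msg, delay = handle_login(user, pw, tracker)
        time.sleep(delay)  # escalating delay applied before responding
        print(f"{user!r}: {msg} (delayed {delay:.0f}s)")
```

Two design notes: the counter is keyed by the submitted username whether or not it exists, so the escalating delay itself does not become a new way to tell real accounts from fake ones; and the JSON file is a stand-in for whatever shared store is available, since concurrent CGI requests would need file locking or a database to avoid losing updates.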