10-12-2002, 12:01 AM
AnnihilaT
Confirmed User
 
Join Date: Oct 2002
Location: GPS OFFLINE
Posts: 249
Quote:
Originally posted by beemk
I just thought of something. When you submit to al4a and they have the picture of the generated number and you have to type that in for verification... what if someone was to make a password script where you have to type in the generated # along with your user and pass? Wouldn't that get rid of the password crackers?

That could be bruteforced just as well. The best thing (and what I do) is to install software that monitors the incoming HTTP requests, and if too many requests are made in $x amount of seconds then the IP gets firewalled out. The other thing is to monitor your access logs and have software that watches for simultaneous access from different IPs with the same username and then kills that account or notifies you by email or mobile text message.

Also, most account bruteforcing software isn't able to work with forms, so stop using HTTP authentication and switch to a CGI-based form authentication.
__________________

Mmmm.......spam!

Last edited by AnnihilaT; 10-12-2002 at 12:04 AM.
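The two log checks described in the post above, as an added example that is not part of the original post and not the poster's software: one pass over Apache Common Log Format lines flags IPs that exceed a request rate and usernames used from several IPs in a short window. The function names, thresholds and log lines are assumptions constructed for illustration; firewalling the IP or sending the notification is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache Common Log Format: host ident authuser [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def parse(line):
    """Return (ip, user, epoch_seconds, status) or None for an unparsable line."""
    m = LINE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, user, when.timestamp(), int(status)

def scan(lines, max_hits=5, hit_window=10, max_ips=2, share_window=300):
    """Return (ips_to_block, shared_accounts); thresholds are illustrative."""
    hits = defaultdict(deque)     # ip -> request times within hit_window
    logins = defaultdict(deque)   # user -> (time, ip) within share_window
    block, shared = set(), set()
    for ip, user, ts, status in filter(None, map(parse, lines)):
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > hit_window:      # slide the per-IP window
            q.popleft()
        if len(q) > max_hits:              # too many requests in $x seconds
            block.add(ip)
        if user != "-" and status == 200:  # successful authenticated request
            s = logins[user]
            s.append((ts, ip))
            while ts - s[0][0] > share_window:
                s.popleft()
            if len({addr for _, addr in s}) > max_ips:
                shared.add(user)           # same username, many IPs at once
    return block, shared

SAMPLE = [  # constructed log lines using documentation-range addresses
    *(f'203.0.113.9 - guess{i} [12/Oct/2002:00:01:0{i} +0000] '
      '"GET /members/ HTTP/1.0" 401 401' for i in range(8)),
    '198.51.100.4 - alice [12/Oct/2002:00:02:00 +0000] "GET /members/ HTTP/1.0" 200 5120',
    '198.51.100.77 - alice [12/Oct/2002:00:02:40 +0000] "GET /members/ HTTP/1.0" 200 5120',
    '192.0.2.15 - alice [12/Oct/2002:00:03:30 +0000] "GET /members/ HTTP/1.0" 200 5120',
    '192.0.2.200 - bob [12/Oct/2002:00:03:31 +0000] "GET /members/ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```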