I just got the email from haveibeenpwned. F Trello.

  • joshhsoj1902@lemmy.ca
    link
    fedilink
    English
    arrow-up
    23
    ·
    11 months ago

    This isn’t completely true, but it is the current standard.

    A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

    Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

    I’m sure there are other strategies, I don’t know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it’s not at all hacking)

    • glitch1985@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      11 months ago

      CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

      • Saik0@lemmy.saik0.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        11 months ago

        You look for trends, not raw numbers. If an ip increase 500%in 10 minutes… throttle it a bit… insert wait times. If it’s trust worthy then allow new value to become normal… otherwise keep the ip throttled.

      • frezik@midwest.social
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        11 months ago

        Nooooo, people keep telling me IPv6 will be insecure because of no longer having NAT.

        Mostly people who don’t know what a subnet is, but people.

    • sfgifz@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      11 months ago

      It may be reasonable to block all logins for a time if they detect an attack like this

      That would be a P1 incident and probably violate SLAs depending on the duration.

      • Saik0@lemmy.saik0.com
        link
        fedilink
        English
        arrow-up
        8
        ·
        11 months ago

        Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.