Re: gmail security is a joke

[Rich Kulawiec <rsk () gsp org>]

On Fri, May 29, 2015 at 12:32:34PM -0400, Justin M. Streiner wrote:
> There are providers (banks, etc) who will disable an online account that
> has had X failed login attempts.  While that's good for preventing
> $bad_guy from continuing to try to brute-force-guess the password,
> it creates a nominal DoS condition for the legitimate owner who then
> has to contact the provider and go through their password reset
> procedure.

This is why automatic lockout procedures are a problem for some
operations, particularly those which are known to create user account
names based on algorithms like "first initial + last name, truncated to
8 characters".  It's not at all difficult to construct a list of valid
(or probably-valid) usernames at such sites, hit them all repeatedly
from distributed botnets (N-1 times from any one address, where N times
would trigger IP-based blocking methods) and thus effectively DoS a decent
fraction of the users.

---rsk