Submitted via IRC for AndyTheAbsurd
The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.
It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords."
Source: SC Magazine
(Score: 1, Insightful) by Anonymous Coward on Monday May 13 2019, @05:20AM (2 children)
I don't understand why a bot is allowed to try gazillion passwords anyhow? Put the password engine behind a hardware firewall that throttles attempts, especially failed ones.
(Score: 2) by rob_on_earth on Monday May 13 2019, @12:44PM
that is what I came to say.
Back in 1999 all the websites I was involved with (developing) all had password hammering(brute force) protection as well as SQL injection mitigation (stored procedures).
These sites were for eCommerce not banking and security.
Why have things
(Score: 2) by Pino P on Tuesday May 14 2019, @02:02AM
Probably to reduce how many phone staff a service provider needs to keep standing by 24/7 for password resets should a legitimate user fat-finger his password too many times.