Need someone to lead product management at your software company? I build high-craft software and the teams that build it. I'm looking for my next opportunity. Check out my resume and get in touch.

Adam Kalsey

This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.

Security & Privacy

How Much Security is Needed?

21 Jan 2004

Simon Willison proposes some ideas for securing authentication systems for Web-based applications and brings up a point that I’ve never thought much about. If you have a system that locks out a user after too many incorrect logins, then it becomes easy for a malicious user to deny access to your users by simply attempting to log in as them.

This doesn’t apply only to malicious users, however. Apparently there’s a host of people who think that they registered on eBay using my user name. Several times each month I get a notice from eBay that indicates I’ve asked to change my password. Someone probably can’t remember their account details and tries several username and password combinations, requesting a password reset for each of them.

If banning is a bad idea, then how do you defend against a brute-force dictionary attack on your site? Simon goes on to suggest a series of alternatives, listing the pros and cons of each. One thing that needs to be mentioned, however, is that your security approach should be appropriate for the value of information that is being secured.

A banking site needs a lot more security than a membership-based newsletter site. So locking out the account of a user might be acceptable for your bank, even though it would be silly for securing your vacation photos.

I’d like to see a system that reacts to a hack attack intelligently combining several of Simon’s approaches with some other ideas.

Simon said:

Ban login requests from the attacker’s IP address. This introduces the usual problems with IP banning, namely the risk of banning a whole bunch of people indiscriminately but leaving the attacker free to skip the ban using open web proxies.

You could use temporary banning to make life difficult for the attacker. After 40 consecutive invalid logins on the same user account over a period of time, ban the source IP addresses of the last few attempts for a few minutes. Instead of taking a few hours to break an account, it would then take several days. And the impact to real users would be minimal.

Lock the user’s account and email them a warning of the attack and a special key needed to unlock the account again.

This special key would also be vulnerable to a dictionary attack. You can mitigate this concern by issuing new keys as the attack continues. Each time an account has a certain number of invalid logins, change the key and resend it. It’s hard to brute-force a constantly changing key.

For systems that don’t need a high level of security, instead of creating a special key, you could actually reset the password to a random string and email it to the user. The attacker now has a moving target to crack.

Send an automated alert to a system administrator so they can analyze the situation in real time and take any necessary action. This relies on administrators being available 24/7 - hardly a safe assumption for most systems.

If you’ve slowed down the attacker as noted above, this becomes a viable option.

Other interesting (and perhaps half-baked) options would be:

  • Once you detect an attack, redirect the attacker to a honeypot. Let them bang away at a system that has no correct passwords. Or “authenticate” them into a clone of your system that contains nothing but faked data.
  • Throttle the speed of the whole authentication system during an attack. A fifteen second delay will be hardly noticeable to real users but will slow an attacker down enough that you can take action.
  • After a few incorrect attempts, change the form submittal URL for that user. A real user will be submitting the form as it’s presented to them and would have no idea that it’s going to a different address. An automated attacker would be repeatedly submitting against the original URL, not knowing that the account was no longer allowed to authenticate through that URL.

Recently Written

10 OKR traps and how to avoid them
May 8: I’ve helped lots of teams implement OKRs or fix a broken OKR process. Here are the 10 most common problems I see, and what to do instead.
AI is Smart, But Wisdom Requires Judgement
May 3: AI can process data at lightning speed, but wisdom comes from human judgment—picking the best imperfect option when facts alone don’t point the way.
Decoding Product Leadership Titles
Mar 18: Not all product leadership titles mean what they sound like. ‘Head of Product’ can mean anything from a senior PM to a true VP. Here’s how to tell the difference.
What branding can teach about culture
Jan 8: Culture is your company’s point of view in action—a framework guiding behavior, even in the unknown. You can’t copy it; it must reflect your unique perspective.
Think Systems, not Symptoms
Dec 15: Piecemeal process creation frustrates teams and slows work. Stop patching problems and start solving systems. Adopting a systems thinking approach helps you design processes that are efficient, aligned with goals, and truly add value.
Your Policies Aren’t Your Culture
Dec 13: Policies guide behavior, but culture is the lived norms and values of your team. Policies reflect culture -- they don’t define it. Netflix’s parental leave shift didn’t change its culture of freedom and responsibility. It clarified how to live it.
Lighten Your Process Burden
Dec 7: Everyone hates oppressive processes, but somehow we keep managing to create them.
Product Add-Ons Are An Expansion Myth
Dec 1: Add-ons can enhance your product’s appeal but won’t drive significant market growth. To expand your customer base, focus on developing standalone products.

Older...

What I'm Reading