in reply to Password hacker killer

It's not suitable for all applications, but you can send failed logins to some innocuous page. Apache's ErrorDocument setting in .htaccess can be used for that. You can point that to a perl script which logs whatever you want to see and produces a joke, a stunt, or just something harmless which must be parsed to discover that a guess has failed.

That way you don't need a doomed effort to maintain state, as merlyn explained, in a stateless protocol. All you've done is make guesses more time-consuming and difficult. That's how passwords are supposed to work.

After Compline,
Zaxo
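A worked version of the `ErrorDocument` idea above, added here as illustration rather than as Zaxo's own code. It assumes a Basic-auth protected directory, a CGI-enabled `/cgi-bin/`, and a log file writable by the Apache user; the `.htaccess` lines, the script name and the log path are all hypothetical.

```perl
#!/usr/bin/perl
# failed-login.pl -- added example, not from the original thread.
#
# Assumed .htaccess for the protected directory (hypothetical paths):
#   AuthType Basic
#   AuthName "Members"
#   AuthUserFile /var/www/auth/htpasswd
#   Require valid-user
#   ErrorDocument 401 /cgi-bin/failed-login.pl
#
# Apache runs this script for every 401 in that directory and passes the
# original request's details in REDIRECT_* environment variables.
use strict;
use warnings;
use Fcntl qw(:flock);
use POSIX qw(strftime);

my $log = '/var/log/apache2/failed-logins.log';   # assumed path, writable by Apache

# Record who failed, when, and against which URL. The guessed password is
# not logged: Apache does not hand it to the error document, which is what
# we want in a log file anyway.
my $now   = strftime('%Y-%m-%dT%H:%M:%S%z', localtime);
my $ip    = $ENV{REMOTE_ADDR}          || '-';
my $user  = $ENV{REDIRECT_REMOTE_USER} || $ENV{REMOTE_USER} || '-';
my $uri   = $ENV{REDIRECT_URL}         || '-';
my $agent = $ENV{HTTP_USER_AGENT}      || '-';

# Keep each log line single-line and printable so a log-injection attempt
# via the username or User-Agent cannot forge extra entries.
s/[^\x20-\x7e]/?/g for ($user, $uri, $agent);

if (open my $fh, '>>', $log) {
    flock($fh, LOCK_EX);
    print $fh "$now ip=$ip user=\"$user\" uri=\"$uri\" agent=\"$agent\"\n";
    close $fh;
}

# Hand back a bland page. Apache keeps the 401 status and the
# WWW-Authenticate header, so a browser will still re-prompt.
print "Content-Type: text/html\n\n";
print <<'HTML';
<html><body>
<p>Nothing to see here. Please try again later.</p>
</body></html>
HTML
```

Two things are worth keeping in mind when using this. The script is only ever invoked for failures, so a successful login never passes through it; the log is a detection aid (repeated `ip=` entries against one `user=` are the signal to watch), not something that hides success from a guesser. And `ErrorDocument` must point at a local path for the script to run; a full URL would make Apache issue a redirect instead.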

Re: Re: Password hacker killer
by sgifford (Prior) on Sep 08, 2003 at 20:57 UTC
    If you make it difficult to discover a guess has failed, but easy to discover it has succeeded, you haven't really gained anything. You'd have to make it hard to tell whether you were logged in successfully, and I can't help but think that's bad user-interface design...