[thelist] Prevent dictionary attacks on passwords

Bill Moseley moseley at hank.org
Tue Jul 24 10:24:38 CDT 2007


I have a requirement to relax password validation.  That is, instead
of requiring mixed letters and digits or mixed case, simply allow any
string of chars over some length.

Login is email + password and email addresses would not be that hard
to find (if you know the organization using the application).  So, my
concern is dictionary attacks.

So, one option is to try and track login failures over time and look
for repeated failed logins.

The API for login only returns success or failure, so I don't know if a
failed login is due to a wrong password, or due to a wrong email address.
So, unless the login API is changed, I would need to track failed logins
for logins (email addresses) that do not exist.  I generally do not
like a setup where I have to track any amount of data that gets thrown
at the application.  Potential DoS if not careful.

Any suggestions how you might try and track failed logins and/or
dictionary attacks?

-- 
Bill Moseley
moseley at hank.org
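One way to track failed logins without letting attacker-chosen input grow memory without bound, as an added illustration that is not part of the original post (the class, its parameters and the capacity figures are assumptions): a sliding-window failure counter with a hard cap on tracked keys, so that failures for addresses that do not exist are counted the same as failures for real accounts, exactly as the success/failure-only API forces.

```python
import time
from collections import OrderedDict


class FailedLoginTracker:
    """Count failed logins per key (e.g. lowercased email, or client IP)
    inside a sliding time window. The number of tracked keys is capped and
    the least recently touched key is evicted, so a flood of made-up
    addresses cannot exhaust memory (the DoS concern in the post)."""

    def __init__(self, window_seconds=600, max_failures=5,
                 max_keys=10000, clock=time.monotonic):
        self.window = window_seconds
        self.max_failures = max_failures
        self.max_keys = max_keys
        self.clock = clock          # injectable for testing
        self._failures = OrderedDict()   # key -> [failure timestamps]

    def _recent(self, key, now):
        """Drop timestamps older than the window; forget idle keys."""
        stamps = self._failures.get(key)
        if stamps is None:
            return []
        cutoff = now - self.window
        stamps = [t for t in stamps if t > cutoff]
        if stamps:
            self._failures[key] = stamps
            self._failures.move_to_end(key)
        else:
            del self._failures[key]
        return stamps

    def record_failure(self, key):
        """Record one failure for key; returns failures in the window."""
        now = self.clock()
        stamps = self._recent(key, now)
        stamps.append(now)
        self._failures[key] = stamps
        self._failures.move_to_end(key)
        # Hard memory bound: evict least recently touched keys.
        # Caveat: a flood of new keys also evicts real tracking state,
        # so keep the cap generous and key on IP as well as email.
        while len(self._failures) > self.max_keys:
            self._failures.popitem(last=False)
        return len(stamps)

    def is_locked(self, key):
        return len(self._recent(key, self.clock())) >= self.max_failures

    def record_success(self, key):
        self._failures.pop(key, None)

    def tracked_keys(self):
        return len(self._failures)
```

Check `is_locked` before calling the login API and call `record_failure` on every failure regardless of whether the address exists; a lockout on a real account can itself be abused to lock the user out, so a growing delay rather than a hard refusal is often the better response.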