Bug Reports / Re: any captcha is valid?
« on: November 09, 2013, 07:18:35 am »
WTF so all of our accounts can easily be brute forced right now. Every vendor could easily be robbed.
This would only be possible if there are not any other rate limiting factors that protect the login system. Let's hope that's not the case.
I PM'd the relevant threads regarding this issue to DPR.
Artist
And it would be only possible if you didn't activate PGP verification.
And it would be only possible if there were any btc on the accounts which are not until now.
And "easily" bruteforced is another point to argue about.
There have already been numerous noted problems with the PGP verification. Additionally, I would not put too much faith in it after seeing this issue concerning the CAPTCHAs.
I did not say anything about your second point, that was the user I quoted. However, whether or not there are coins in the account has nothing to do with the possibility of accounts being brute forced. If you are talking about them being robbed in that instance, cracked passwords could be stored until market operations commence etc.
Your third point looks like it is attempting to say something clever but it is not really saying anything at all. Assuming the PGP verification works and there are no other rate limiting factors, it would be child's play ("easy") to write a script to bruteforce the login. Whether or not it would be worthwhile or easy due to password complexity of the users here is another story.
Artist
EDIT: Spelling, spacing, signature,
Unless there is not a pretty standard anti-brute forcing measure in place where the login is disabled for X amount of time after X amount of failures, that third point is completely valid. I haven't tested it myself.