I just got the email from haveibeenpwned. F Trello.

  • sfgifz@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    2
    ·
    edit-2
    10 months ago

    It may be reasonable to block all logins for a time if they detect an attack like this

    That would be a P1 incident and probably violate SLAs depending on the duration.

    • Saik0@lemmy.saik0.com
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      10 months ago

      Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.