I just got the email from haveibeenpwned. F Trello.

  • @sfgifz@lemmy.world
    link
    fedilink
    English
    4
    edit-2
    10 months ago

    It may be reasonable to block all logins for a time if they detect an attack like this

    That would be a P1 incident and probably violate SLAs depending on the duration.

    • Saik0
      link
      fedilink
      English
      710 months ago

      Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.