
Simple Strategies to Prevent Login Abuse

Anonymoose ✭✭
edited February 2013 in Feedback

Google security engineer Mike Hearn:

With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.

If a sign-in is deemed suspicious or risky for some reason — maybe it’s coming from a country oceans away from your last sign-in — we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.

http://googleblog.blogspot.com/2013/02/an-update-on-our-war-against-account.html
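A sketch of the kind of check the quoted passage describes, as an added example that is not part of the original post and not Google's implementation: a correct password is not enough when the sign-in comes from a different country than the account's last accepted sign-in, or from a source that has just tried many different accounts. The class name, thresholds, reason strings and sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # assumed sliding window
MAX_ACCOUNTS_PER_SOURCE = 5  # assumed threshold; tune per service


class SignInRiskGate:
    """Return allow / challenge / deny for each sign-in attempt."""

    def __init__(self):
        self.last_country = {}            # account -> country of last accepted sign-in
        self.recent = defaultdict(deque)  # source IP -> (timestamp, account) pairs

    def _accounts_from_source(self, ts, ip, account):
        """Count distinct accounts this source tried inside the window."""
        attempts = self.recent[ip]
        attempts.append((ts, account))
        while attempts and attempts[0][0] <= ts - WINDOW_SECONDS:
            attempts.popleft()
        return len({acct for _, acct in attempts})

    def evaluate(self, ts, ip, country, account, password_ok):
        spread = self._accounts_from_source(ts, ip, account)  # failures count too
        if not password_ok:
            return "deny"
        reasons = []
        known = self.last_country.get(account)
        if known is not None and known != country:
            reasons.append("new_country")
        if spread > MAX_ACCOUNTS_PER_SOURCE:
            reasons.append("source_tried_many_accounts")
        if reasons:
            # Step up: ask for the phone number or security answer on file.
            return "challenge:" + ",".join(reasons)
        self.last_country[account] = country
        return "allow"


# Constructed sample events: (timestamp, source IP, country, account, password_ok)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "US", "alice", True),
    (5, "198.51.100.8", "DE", "bob", True),
    (10, "203.0.113.9", "BR", "alice", True),  # correct password, different country
] + [(20 + i, "192.0.2.50", "DE", f"user{i}", False) for i in range(5)] + [
    (25, "192.0.2.50", "DE", "bob", True),     # correct password, sixth account from one source
]


def replay(events):
    gate = SignInRiskGate()
    return [gate.evaluate(*event) for event in events]
```

The last-seen country is only updated on an allowed sign-in, so a challenged attempt does not become the new baseline until the challenge flow (not shown) succeeds.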

Comments

  • 422 Developer MVP

    Interesting thanks
