This isn’t a particularly exciting change, but one I feel is important to do as Shmeppy moves out of earliest access…
There are a lot of different kinds of cyber attacks out here on the web, and now Shmeppy is more resilient to a couple of them.
If someone has a big list of emails they may want to figure out if any of the users they have emails for are using a shitty password across many platforms. So they could try to login to various platforms using various email + common password pairs and seeing if they get any hits.
Since Shmeppy, previously, didn’t limit how many login attempts you could make, you could try millions of these combinations. This is bad for Shmeppy’s users.
If someone is trying to gain access to Shmeppy accounts, they could also use a method like this. (Shmeppy isn’t a very attractive target though, so this seems like a less-likely attack)
But now Shmeppy limits the number of login attempts that can be made across all computers. Shortly, I will release a follow-up change that limits the number of login attempts that can be made by each IP address (easily circumvented with a botnet, but botnets aren’t the easiest thing to acquire).
Soon I’ll be adding a feature to Shmeppy’s “validate your email” screen that tells the user whether their email has been delivered, or if there was a problem.
Once I do this, an attacker who has a huge list of email addresses could try and figure out which email addresses are real by registering for millions of accounts and seeing whether Shmeppy reports the email as being delivered successfully.
To prevent this attack, Shmeppy now limits how many registrations can happen within a short timespan across all computers, and will soon limit how many registrations can happen from a single IP as well.