If you have been using Twitter for a long enough time, chances are you have been locked out of it at least once. If you haven’t, you’ve probably seen tweets of people who have been temporarily locked out of their Twitter account due to “too many failed login attempts”.
It is not the end of the world, but we humans have become accustomed to having it all and having it now, so annoyance is often our first reaction. For those who are not tech savvy, it may be coupled with apprehension: “Is it something I did?”
There’s an interesting blog post at DevCentral that explains the whys and wherefores of these occurrences. Basically, if you have been locked out and it didn’t happen because you forgot your password and tried to guess it until the account locked itself down in self-defense, you have been targeted by a brute force attack. Luckily for you, it was unsuccessful – this time.
The problem with Twitter is that it can’t distinguish the attempts of the user who has forgotten the password from the high volume of requests with which the brute force attack bombards the authentication “process”. It’s the same problem with any application, not just Twitter. Such an attack attempts to compromise the account at the application layer, where the application can’t be aware of the context of the request – it is only aware of that single one.
A good solution for this problem would be a Web application firewall, because it can “see the big picture”. It sees ALL the connections and requests to the application and can detect patterns that indicate a brute force attack is taking place (for example, an unusually high number of failed login requests, or very short intervals between requests). Consequently, it can take measures to protect the application.
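As an added illustration (this is not code from the DevCentral post, from Twitter, or from any firewall product), the script below shows the two pattern checks just mentioned running over a firewall's view of all login requests: it counts failed logins per source inside a sliding window, and it looks for runs of requests spaced faster than a person could type. The log format, the thresholds and the sample lines are all constructed for the example. It goes one step beyond the text by letting you group events by target username instead of source address, which is how the same check would notice an attack spread across many addresses against one account.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, NamedTuple

# Illustrative thresholds (assumptions, not a product's defaults).
FAIL_THRESHOLD = 5                    # failed logins from one key inside WINDOW that raise an alert
WINDOW = timedelta(seconds=60)        # sliding window for counting failures
MIN_HUMAN_GAP = timedelta(seconds=1)  # requests closer together than this look scripted
BURST_LEN = 4                         # consecutive sub-gap requests that count as a burst

# Constructed sample log: "<timestamp> <source_ip> <username> <FAIL|OK>".
# 198.51.100.7 hammers alice's login eight times in four seconds;
# 203.0.113.5 is a forgetful user who gets it right on the fourth try.
SAMPLE_LOG = """\
2009-07-01T10:00:00.000 198.51.100.7 alice FAIL
2009-07-01T10:00:00.500 198.51.100.7 alice FAIL
2009-07-01T10:00:01.000 198.51.100.7 alice FAIL
2009-07-01T10:00:01.500 198.51.100.7 alice FAIL
2009-07-01T10:00:02.000 198.51.100.7 alice FAIL
2009-07-01T10:00:02.500 198.51.100.7 alice FAIL
2009-07-01T10:00:03.000 198.51.100.7 alice FAIL
2009-07-01T10:00:03.500 198.51.100.7 alice FAIL
2009-07-01T10:05:00.000 203.0.113.5 bob FAIL
2009-07-01T10:05:40.000 203.0.113.5 bob FAIL
2009-07-01T10:06:30.000 203.0.113.5 bob FAIL
2009-07-01T10:07:00.000 203.0.113.5 bob OK
2009-07-01T10:08:00.000 192.0.2.9 carol OK
"""


class LoginEvent(NamedTuple):
    when: datetime
    source: str
    user: str
    ok: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f")
        events.append(LoginEvent(when, source, user, result == "OK"))
    events.sort(key=lambda e: e.when)
    return events


def detect_brute_force(
    events: List[LoginEvent],
    key: Callable[[LoginEvent], str] = lambda e: e.source,
) -> Dict[str, List[str]]:
    """Return {key: [reasons]} for keys (source IP by default) whose traffic looks like a brute force attack."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)

    alerts: Dict[str, List[str]] = {}
    for name, evs in groups.items():
        reasons = []

        # Check 1: volume of failed logins inside a sliding window.
        failures = [e.when for e in evs if not e.ok]
        start, peak = 0, 0
        for end, t in enumerate(failures):
            while t - failures[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAIL_THRESHOLD:
            reasons.append(f"{peak} failed logins within {WINDOW.seconds}s")

        # Check 2: a run of requests arriving faster than a human could submit them.
        run, longest = 1, 1
        for prev, cur in zip(evs, evs[1:]):
            if cur.when - prev.when < MIN_HUMAN_GAP:
                run += 1
                longest = max(longest, run)
            else:
                run = 1
        if longest >= BURST_LEN:
            reasons.append(f"{longest} requests each under {MIN_HUMAN_GAP.total_seconds()}s apart")

        if reasons:
            alerts[name] = reasons
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for who, why in detect_brute_force(evs).items():
        print(f"ALERT source={who}: {'; '.join(why)}")
    for who, why in detect_brute_force(evs, key=lambda e: e.user).items():
        print(f"ALERT user={who}: {'; '.join(why)}")
```

Run as written, only the scripted source (and, when grouped by user, only the account it targets) is reported; the forgetful user's three spread-out failures stay under both thresholds, which is exactly the distinction the application itself cannot make one request at a time. Real thresholds would be tuned to the site's normal traffic, and the action taken on an alert (rate limiting or a challenge rather than a hard lockout) is a separate policy decision.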
So don’t get mad at Twitter next time you get locked out – it was done for your own good.