
Ask HN: What to do when a botnet is requesting password resets? - Fabricio20
Hey there HN, I&#x27;m currently having an issue on one of my accounts where, what seems like a botnet, is constantly sending password reset requests on it. This has been going for more than a week now.<p>I have contacted the service in particular (part of GAFAM) and their account security department told me there is nothing that can be done in this case and I should just disregard the emails.<p>I now ask you, HN, what can _we_ as developers, do to prevent this from happening on our services? Limit the amount of password reset requests for an account? (still doesn&#x27;t solve the issue), etc.. As I, genuinely, have not managed to come up with a solution.
======
some_furry
Adding a rate limit to the number of password reset emails in a given day or
hour is trivial.

    
    
        SELECT count(*) FROM account_reset_tokens WHERE accountid = ? AND (NOW() - created) < '1 hour'::interval
        
        if ($count > 3)
          throw new RateLimitException();
    

You could also restrict based on IP, but that doesn't specifically help with
the botnet.

That's what developers can do. What developers should do is consider what
prevents their customer support funnel from getting overloaded.

------
benologist
I think we need to make it more obvious when account-access occurs for users.
If they can see their request logs they can investigate themselves, maybe even
identify the cause or instigator.

I think letting users define restrictions on their accounts would help too,
like a firewall for which countries or cities etc can access their account,
schedules for when signing in can occur or when it is disabled etc. Most
people could just select their city and waking hours.

------
atrilumen
Stop implementing them, and move to key & pin. Use backup keys instead of
resets. Stop depending on email and SMS.

