The only effective way to do this type of attack, guessing common passwords against multiple accounts, is in some automated fashion. In which case, anti-CSRF tokens on login via a pre-session prevent that behavior.
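The pre-session anti-CSRF check the comment above refers to, written out as an added example (my code, not the commenter's). It assumes a cookie-based browser login form; the in-memory store `PRE_SESSIONS`, the handler names `start_pre_session` and `validate_login_post`, and the walk-through in `demo` are all hypothetical:

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory store for this example: maps the anonymous
# pre-session id (set as a cookie before login) to its anti-CSRF token.
# A real deployment would keep this in the session backend with an expiry.
PRE_SESSIONS: Dict[str, str] = {}


def start_pre_session() -> Tuple[str, str]:
    """GET /login: create an anonymous pre-session and return
    (cookie value, token to embed as a hidden field in the login form)."""
    psid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    PRE_SESSIONS[psid] = token
    return psid, token


def validate_login_post(cookie_psid: Optional[str], form_token: Optional[str]) -> bool:
    """POST /login: accept only if the pre-session cookie is present and the
    token submitted in the form body matches the one bound to that cookie.
    The token is consumed on success so a captured one cannot be replayed."""
    if not cookie_psid or not form_token:
        return False
    expected = PRE_SESSIONS.get(cookie_psid)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, form_token):
        return False
    del PRE_SESSIONS[cookie_psid]
    return True


def demo() -> dict:
    """Walk through the cases a practitioner would check; returns the outcomes."""
    results = {}

    # 1. Real browser: loads the form (gets cookie + token), then submits both.
    psid, token = start_pre_session()
    results["legit_login"] = validate_login_post(psid, token)

    # 2. Replay of the same token after it was consumed.
    results["replayed_token"] = validate_login_post(psid, token)

    # 3. Cross-site forged POST: the victim's browser attaches the cookie
    #    automatically, but the attacker's page cannot read the hidden token.
    psid, victim_token = start_pre_session()
    results["forged_post_no_token"] = validate_login_post(psid, None)

    # 4. Attacker pairs the victim's cookie with a token from their own
    #    pre-session; the cookie/token binding is what defeats this.
    _attacker_psid, attacker_token = start_pre_session()
    results["mismatched_token"] = validate_login_post(psid, attacker_token)

    # 5. Token submitted with no pre-session cookie at all.
    results["token_without_cookie"] = validate_login_post(None, victim_token)

    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The binding between the cookie and the form token is the whole mechanism: a cross-origin page can make the victim's browser send the cookie, but cannot read the token out of the login page, so the forged POST fails. Consuming the token on success also stops replay of a captured one.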
Nice, so would having CSRF tokens prevent automated registration and bot spam too?
Also, I don't think CSRF tokens should be the only solution to this issue. What if we're building a RESTful HTTPS API and not a website? Then aren't the CSRF tokens useless?
CSRF will prevent malicious actions like trying to log into someone else's account. A bot could still script its way into creating an account on your website by taking valid, automated actions. You could do something like Google captcha, but that's such an annoying user experience. Requiring users to confirm account creation via email link is a decent way to stop most bots.
Yes, CSRF is not valid if there is no browser involved, as it abuses default browser behavior. Some out-of-band authentication method, like verifying your account creation via email, can help prevent spamming. It doesn't block those attempts, however. Just prevents them from working.
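The email-confirmation gate the two comments above describe (the account exists but is unusable until the mailed link is used), as an added example that is not code from the thread. The names `ACCOUNTS`, `register`, `verify` and `can_login`, the 24-hour link lifetime, the fixed clock and the sample addresses are assumptions made for the illustration; the actual mail send is omitted:

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

VERIFY_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a verification link

# Constructed in-memory account table for this example: email -> record.
ACCOUNTS: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Only a hash is stored, so a database leak does not hand out live links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def register(email: str, now: Optional[float] = None) -> str:
    """POST /register: create an inactive account and return the one-time
    verification token that would be mailed to the address (the mail send
    is omitted here). Re-registering the same address replaces the old token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ACCOUNTS[email] = {
        "token_hash": _hash_token(token),
        "expires_at": now + VERIFY_TTL_SECONDS,
        "active": False,
    }
    return token


def verify(email: str, token: str, now: Optional[float] = None) -> bool:
    """GET /verify?email=...&token=...: activate the account only if the
    token matches, has not expired, and has not already been used."""
    now = time.time() if now is None else now
    rec = ACCOUNTS.get(email)
    if rec is None or rec["active"]:
        return False
    if now > rec["expires_at"]:
        return False
    if not hmac.compare_digest(rec["token_hash"], _hash_token(token)):
        return False
    rec["active"] = True
    rec["token_hash"] = ""  # single use: nothing left to match against
    return True


def can_login(email: str) -> bool:
    """The login handler refuses accounts whose address was never confirmed."""
    rec = ACCOUNTS.get(email)
    return bool(rec and rec["active"])


def demo() -> dict:
    """Exercise the gate with bot-style registrations, a real user, and a stale link."""
    results = {}
    t0 = 1_700_000_000.0  # fixed clock so the walk-through is deterministic

    # Mass registration by a script: records are created but stay unusable.
    for i in range(3):
        register(f"bot{i}@example.invalid", now=t0)
    results["bots_can_login"] = any(can_login(f"bot{i}@example.invalid") for i in range(3))

    # Real user follows the mailed link.
    token = register("alice@example.invalid", now=t0)
    results["login_before_verify"] = can_login("alice@example.invalid")
    results["wrong_token"] = verify("alice@example.invalid", "not-the-token", now=t0 + 60)
    results["correct_token"] = verify("alice@example.invalid", token, now=t0 + 60)
    results["login_after_verify"] = can_login("alice@example.invalid")
    results["token_reuse"] = verify("alice@example.invalid", token, now=t0 + 120)

    # Link opened after the lifetime has passed.
    stale = register("bob@example.invalid", now=t0)
    results["expired_token"] = verify("bob@example.invalid", stale, now=t0 + VERIFY_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

As the comment says, this does not stop the registration requests themselves: the bot accounts still get created. What it does is make them worthless, because `can_login` refuses anything that never presented a valid token. Storing only the hash, comparing in constant time, expiring the link and consuming it after first use are the details that keep the gate itself from becoming the weak point.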
Also, 2FA is the best way to stop bots IMO. Works as an additional layer of defense against someone malicious trying to log into a user's account as well.
If a CSRF token could prevent automated logins, wouldn't it also protect against automated registering?