I've been researching this for the last 2 days after I implemented my own system for banning too many attempts. But I haven't found the proper answer I am looking for. Which pretty much is, what is the best way to implement this?
Currently I have this implemented through an IP ban, if the same IP consecutively makes a login mistake 10 times, the IP is banned for 30 minutes from being able to sign in, they can browse the website still. However if this occured at a high population area, such as a university campus, wouldn't this effectively block the whole school from signing in?
So is there a better way to do this, that doesn't use IP addresses? I was thinking I could do it with cookies, but the user trying to brute force an account could simply delete their cookies after every 10 attempts.
Repeated attempts to log in can make the situation worse, so we highly recommend waiting at least 30 minutes between attempts if you receive this error. Logging in via the Jagex Launcher should resolve this error. Simply use your existing login credentials to play. Check the Jagex Launcher FAQ for more information.
Sometimes the hacker might think they know your password, or they might develop a script to guess your password. In that case what you need to do is limit the login attempts. Limiting the failed login attempts will lock a user out if they entered the wrong password more than the specified time.
Account lockout policies aim to prevent credential theft, credential stuffing and brute-force methods of guessing username and password combinations, thus preventing user account compromise and network intrusion.
An approach I've followed once is similar to the one I encountered on my bank's e-banking page. It prohibits further logins for an increasing amount of time on a per account basis, say 5 tries, where you wait 10s, 1min, 5 min, 15 min, then 30 min for example. An attacker usually targets a specific account. There should also be a global rule applied per IP address, which locks login after a certain number of tries, which must be more than 5, say 10. Additionally to both rules, you can compare browsers and cookies etc. for increased tolerance.
Create mysql table called "failed_logins" with two fields, a "User" field/foreign key and a "Timestamp" field.
When a user successfully logs in, delete all "failed_logins" rows for that user.
When a user unsuccessfully logs in, create a new row in "failed_logins" for that user with the current timestamp.
On every login attempt for a given user, BEFORE checking to see if password is correct/incorrect:
run a query deleting all "failed_logins" rows older than 15 minutes (for example).
run a query checking the count of rows in failed_logins for the user attempting to login. If >= 5 (for example), kill the login attempt, notifying the user they have been locked out of their account and to try back in a little while.
Result: Users are locked out of their account after 5 failed login attempts within 15 minutes.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With