 

Do I need to protect login?

Tags:

php

mysql

captcha

I have a login page. Do I need to protect it with a Captcha, or how should I handle it?

For example, if a person knows a username, they can use curl or whatever and try to guess passwords many times. That will use many MySQL queries and eat my resources.

So, should I use a Captcha for login? Or maybe I should store how many times the person has tried to guess the password in $_SESSION, and if they have guessed the password wrong 10 times, then show a Captcha? Is it safe to keep such information in $_SESSION? Maybe I should also allow a person to attempt login only every 10 seconds, again using $_SESSION? Would that be 100% safe? Or what would you suggest?

EDIT: Please read my comment under Eljakim's post.

good_evening asked Feb 24 '23 14:02


2 Answers

3 things:

  1. Use reCAPTCHA (run by Google). More info HERE.
  2. Allow only a certain number (say 10) of login attempts per hour from a unique IP address before timing out for, say, an hour or two.
  3. Set a cookie when a successful login happens, and don't show the Captcha if the user has this cookie, so as not to annoy regular visitors.

This will take care of all of the hacking attempts. Based on your traffic and how many hacking attempts you receive, you might want to play with the numbers.

Andre answered Feb 26 '23 22:02


Don't go for the session approach.

A captcha may help, but it will annoy your normal users.

You may wish to keep track in your database of how many invalid logins have been tried from a specific IP-address or a specific username within (say) the last 10 minutes. If it goes over a specific threshold, just block that username or IP-address for a while.

Don't do this in the session! An attacker will probably not send the cookie that supports the session, or can just spoof it.

Eljakim answered Feb 26 '23 20:02
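The database-backed throttling Eljakim describes, as an added example written for this page (not the answerer's code): it counts recent failures per IP and per username in MySQL via PDO, and assumes a `users` table with a `password_hash` column filled by `password_hash()` plus the constructed `login_failures` table described in the comments.

```php
<?php
// Added example: throttle failed logins in MySQL, keyed by IP and username,
// so the check never depends on a session cookie the attacker controls.
// Assumed tables (constructed for this example):
//   users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255))
//   login_failures(ip VARCHAR(45), username VARCHAR(64), failed_at DATETIME,
//                  INDEX (ip, failed_at), INDEX (username, failed_at))
const WINDOW_SECONDS = 600; // look back 10 minutes, as in the answer
const MAX_FAILURES   = 10;  // block once this many failures fall in the window

function cutoff(): string {
    return date('Y-m-d H:i:s', time() - WINDOW_SECONDS);
}

// True if either this IP or this username has exceeded the threshold.
// Counting per username as well catches guessing spread across many IPs.
function isBlocked(PDO $db, string $ip, string $username): bool {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM login_failures
          WHERE (ip = :ip OR username = :user) AND failed_at > :cutoff'
    );
    $stmt->execute([':ip' => $ip, ':user' => $username, ':cutoff' => cutoff()]);
    return (int) $stmt->fetchColumn() >= MAX_FAILURES;
}

function recordFailure(PDO $db, string $ip, string $username): void {
    $stmt = $db->prepare(
        'INSERT INTO login_failures (ip, username, failed_at) VALUES (:ip, :user, :now)'
    );
    $stmt->execute([':ip' => $ip, ':user' => $username, ':now' => date('Y-m-d H:i:s')]);
}

// Returns 'blocked', 'ok' or 'invalid'. The throttle check runs before any
// user lookup, so a blocked client costs one cheap indexed query, not a hash.
function attemptLogin(PDO $db, string $ip, string $username, string $password): string {
    if (isBlocked($db, $ip, $username)) {
        return 'blocked';
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();
    // Same answer for unknown user and wrong password: don't leak which it was.
    if ($hash === false || !password_verify($password, $hash)) {
        recordFailure($db, $ip, $username);
        return 'invalid';
    }
    return 'ok';
}
```

Call it with `$_SERVER['REMOTE_ADDR']` (or the client address from a trusted proxy header when behind a reverse proxy) and the posted username and password, creating the session only on 'ok'. Purge rows older than the window periodically so the table stays small.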