I want all the login attempts to my web application to take no less than 1 second, to make brute-force attacks less feasible. If I just put something like this in my code:
Thread.Sleep(1000)
I expect that I become susceptible to a very simple DDoS attack: just launch several dozen login requests to the site, and thread pool starvation will happen. (I don't believe that Thread.Sleep returns the thread to the thread pool, does it?)
What is the correct way to implement this feature?
What you could do instead of sleeping the thread (you're right to be concerned about starvation) is to have a sliding window based upon unsuccessful login attempts for a given username. You could store this in the in-memory cache and ignore login attempts for that username if the sliding window has not yet elapsed.
There's a decent blog post on one possible implementation of this here:
Brute Force Protect Your Website
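The following is an added illustration of the sliding-window idea from the answer above; it is not code from the question, the answer, or the linked blog post. It assumes a fixed limit of 5 failed attempts per username within a 60-second window (both numbers are arbitrary choices) and uses a ConcurrentDictionary in place of a real application cache. The important property is that IsBlocked is a cheap lookup: no request thread is ever put to sleep, so the starvation concern from the question does not arise.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Added example: per-username sliding-window throttle for failed logins.
// Class name, limits and the dictionary-backed store are assumptions, not
// taken from the original page.
public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly Func<DateTime> _clock;

    // Timestamps of recent failures per username. A ConcurrentDictionary stands
    // in for the application's in-memory cache; any cache with expiry would do.
    // Note that this store is per process: a web farm needs a shared store.
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _failures =
        new ConcurrentDictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public LoginThrottle(int maxFailures, TimeSpan window, Func<DateTime> clock = null)
    {
        _maxFailures = maxFailures;
        _window = window;
        _clock = clock ?? (() => DateTime.UtcNow);   // injectable clock for testing
    }

    // True when the username has reached the failure limit inside the window.
    // This is a dictionary lookup, not a Thread.Sleep: no request thread is held.
    public bool IsBlocked(string username)
    {
        if (!_failures.TryGetValue(username, out var recent)) return false;
        lock (recent)
        {
            Prune(recent);
            return recent.Count >= _maxFailures;
        }
    }

    // Call after a failed password check. Each failure extends the window,
    // because the window is measured from the most recent failures.
    public void RecordFailure(string username)
    {
        var recent = _failures.GetOrAdd(username, _ => new Queue<DateTime>());
        lock (recent)
        {
            Prune(recent);
            recent.Enqueue(_clock());
        }
    }

    // Call after a successful login so the user's counter does not linger.
    public void RecordSuccess(string username)
    {
        _failures.TryRemove(username, out _);
    }

    // Drop failures that have slid out of the window.
    private void Prune(Queue<DateTime> recent)
    {
        var cutoff = _clock() - _window;
        while (recent.Count > 0 && recent.Peek() < cutoff) recent.Dequeue();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Fake clock so the demo is deterministic (constructed test data).
        var now = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var throttle = new LoginThrottle(maxFailures: 5, window: TimeSpan.FromSeconds(60), clock: () => now);

        for (int i = 0; i < 5; i++) throttle.RecordFailure("alice");
        Console.WriteLine(throttle.IsBlocked("alice"));   // True: five failures within 60 s

        now = now.AddSeconds(61);
        Console.WriteLine(throttle.IsBlocked("alice"));   // False: the failures slid out of the window

        throttle.RecordFailure("alice");
        throttle.RecordSuccess("alice");
        Console.WriteLine(throttle.IsBlocked("alice"));   // False: success cleared the counter
    }
}
```

In the login handler, check IsBlocked before verifying the password and return the same generic failure message whether the account is throttled or the password was wrong, so the response does not reveal which case applied. Because this limit is keyed on the username alone, repeated failures against one account can lock its legitimate owner out; pairing it with a separate per-source limit and monitoring the block counter for spikes keeps that from going unnoticed.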