I want to implement an efficient mechanism to throttle login attempts in my Java web application, to prevent brute-force attacks on user accounts.
Jeff explained the why, but not the how.
Simon Willison showed an implementation in Python for Django. That doesn't really help me along, as I can't use memcached nor Django.
Porting his ideas from scratch doesn't seem like a great option either - I don't want to reinvent the wheel.
I found one Java implementation, though it seems rather naive: instead of an LRU cache, it just clears all entries after 15 minutes.
EHCache could be an alternative for memcached, but I don't have any experience with it and don't really want to introduce yet another technology if there are better alternatives for this task.
So, what's a good way to implement login throttling in Java?
I think even EHCache is killing a fly with a napalm bomb. The problem is simple and so is the implementation.
I suggest using a servlet filter at the top level so that as little processing as possible is done.
Create a class to store the following:
Now, the code is simple in a synchronized block (the per-item lock from the pseudocode is unnecessary once the whole block is synchronized, and the window check is written so that the counter resets only when the last attempt is older than 30 seconds):
    synchronized (attemptMap) {
        AttemptItem tmp = attemptMap.get(userid);
        if (tmp == null) {
            // first attempt for this user: start a window with count 1
            attemptMap.put(userid, new AttemptItem(userid, 1, now));
        } else {
            if (tmp.time + 30 <= now) {   // last attempt older than 30 s: start a new window
                tmp.count = 0;
                tmp.time = now;
            }
            tmp.count++;
            if (tmp.count > 3) {          // more than 3 attempts inside the window
                error = true;
            }
        }
    }
That's it, man (as long as the code is synchronized).
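The same idea wired into a servlet filter, as an added example rather than code from the answer above: it keeps the synchronized counter-per-user logic, but stores the records in a bounded, access-ordered LinkedHashMap so that old users are evicted LRU-style (the concern raised in the question) instead of the map growing forever or being wiped every 15 minutes. The form field name "username", the 429 status and the 10,000-entry bound are assumptions; the filter is mapped to the login URL in web.xml.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Throttles POSTs to the login URL per user id: at most MAX_ATTEMPTS within
// WINDOW_MILLIS, tracked in a bounded LRU map so memory use stays constant.
public class LoginThrottleFilter implements Filter {
    private static final int MAX_ATTEMPTS = 3;
    private static final long WINDOW_MILLIS = 30_000L;
    private static final int MAX_TRACKED_USERS = 10_000;   // LRU bound (assumed value)

    private static final class Attempt { int count; long windowStart; }

    // access-ordered LinkedHashMap: removeEldestEntry evicts the least recently used user
    private final Map<String, Attempt> attempts =
        new LinkedHashMap<String, Attempt>(64, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Attempt> e) {
                return size() > MAX_TRACKED_USERS;
            }
        };

    // Records one attempt and returns true when this user is over the limit.
    synchronized boolean isThrottled(String userId, long now) {
        Attempt a = attempts.get(userId);
        if (a == null || now - a.windowStart >= WINDOW_MILLIS) {   // no record or window expired
            a = new Attempt();
            a.windowStart = now;
            attempts.put(userId, a);
        }
        a.count++;
        return a.count > MAX_ATTEMPTS;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String userId = http.getParameter("username");   // assumed login form field name
        if ("POST".equals(http.getMethod()) && userId != null
                && isThrottled(userId, System.currentTimeMillis())) {
            ((HttpServletResponse) res).sendError(429, "Too many login attempts, try again later");
            return;   // request never reaches the login servlet
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Because the filter runs before the login servlet, it counts every attempt in the window, not only failed ones; if you want to count failures only, call isThrottled from the login servlet after the password check instead.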
I've just completed the web security course run by Aspect Security, and one of the suggestions that came out of that was to just include a natural delay in any login attempt - the theory being that a 1 or 2 second delay is nothing to a real user but will seriously hamper brute-force attacks.
One that hasn't been mentioned is to make them answer their forgotten-password question(s) after so many bad attempts, in addition to entering their password.