
increasing time delay for login to stop bruteforcing, good idea?

I have set up my db to log every failed login attempt. I thought I would multiply the number of failed attempts with 0.05 seconds or something. Something like:

            $delay_ns = 50000000 * $failed_attempts; // 50 ms per failed attempt, in nanoseconds
            time_nanosleep(intdiv($delay_ns, 1000000000), $delay_ns % 1000000000); // second argument must stay below 1e9

The more attempts a hacker uses to guess a password, the more time it takes to check every time. After checking 100 passwords he must wait 5 sec between each try.

Is this a good way to stop bruteforcing? I identify the users by IP. So I guess you can bruteforce the application by using multiple proxy servers or something, but besides that, I think it is a good idea. What do you guys think?

ganjan asked Jan 27 '11 17:01



2 Answers

What about something like:

$delay_ns = (int) (10000000000 * pow(log($failed_attempts), 10)); // '^' is XOR in PHP; pow() gives the intended power
time_nanosleep(intdiv($delay_ns, 1000000000), $delay_ns % 1000000000); // second argument must stay below 1e9

This will give you an exponentially increasing attempt window.

Greg Buehler answered Oct 24 '22 18:10


The first issue I see is that you are dealing with a bot that doesn't care if there is a delay between responses. Unless you do something to limit this you are using up system resources with potentially very long delays. Just ban the IP after 5 failed attempts. It can be a temporary ban if you are worried about banning a real user.

Brent Friar answered Oct 24 '22 18:10
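As an added example (not code from the question or from either answer), here is a PHP throttle that combines the question's per-failure delay with the temporary per-IP ban suggested in the second answer. It decides before the password is checked, answers a banned IP immediately instead of sleeping (so a bot cannot pin a worker for minutes), caps the delay, and splits the sleep so time_nanosleep()'s nanosecond argument never reaches 1 000 000 000. The in-memory array, the IP address, and the ban and window lengths are constructed for the demo; a real deployment would keep the counters in the database or a cache shared by all PHP workers.

```php
<?php
// Added example: per-IP failed-login throttle with a linear delay and a temporary ban.
// Storage is an in-memory array for the demo (assumption); use the DB or a shared cache in production.

const DELAY_PER_FAILURE_NS = 50000000;   // 50 ms per failed attempt, as in the question
const MAX_DELAY_NS         = 2000000000; // cap at 2 s so a bot cannot tie up a worker for minutes
const BAN_AFTER_FAILURES   = 5;          // temporary-ban threshold from the second answer
const BAN_SECONDS          = 900;        // 15-minute ban (constructed value)
const WINDOW_SECONDS       = 3600;       // forget failures older than an hour

$failures = [];  // ip => ['count' => int, 'last' => unix time, 'banned_until' => unix time]

// Decide what to do with a login attempt from $ip *before* checking the password.
// Returns ['action' => 'allow'|'delay'|'reject', 'delay_ns' => int, 'retry_after' => int].
function throttle_decision(array &$failures, string $ip, int $now): array {
    $rec = $failures[$ip] ?? ['count' => 0, 'last' => 0, 'banned_until' => 0];

    // Banned: reject right away (HTTP 429 with Retry-After) instead of sleeping;
    // a sleeping worker is exactly the resource drain the second answer warns about.
    if ($rec['banned_until'] > $now) {
        return ['action' => 'reject', 'delay_ns' => 0, 'retry_after' => $rec['banned_until'] - $now];
    }
    // Expire stale failure counts so a legitimate user is not punished forever.
    if ($now - $rec['last'] > WINDOW_SECONDS) {
        $rec['count'] = 0;
    }
    if ($rec['count'] === 0) {
        return ['action' => 'allow', 'delay_ns' => 0, 'retry_after' => 0];
    }
    $delay = min(DELAY_PER_FAILURE_NS * $rec['count'], MAX_DELAY_NS);
    return ['action' => 'delay', 'delay_ns' => $delay, 'retry_after' => 0];
}

// Record the outcome of a password check for $ip.
function record_result(array &$failures, string $ip, bool $success, int $now): void {
    if ($success) {
        unset($failures[$ip]);   // a good login clears the counter
        return;
    }
    $rec = $failures[$ip] ?? ['count' => 0, 'last' => 0, 'banned_until' => 0];
    $rec['count']++;
    $rec['last'] = $now;
    if ($rec['count'] >= BAN_AFTER_FAILURES) {
        $rec['banned_until'] = $now + BAN_SECONDS;
        $rec['count'] = 0;       // start fresh once the ban expires
    }
    $failures[$ip] = $rec;
}

// Sleep for a nanosecond amount, split because time_nanosleep()'s second
// argument must stay below 1 000 000 000.
function sleep_ns(int $ns): void {
    time_nanosleep(intdiv($ns, 1000000000), $ns % 1000000000);
}

// Demo with a constructed IP and a clock we control; every guess is wrong.
$ip = '203.0.113.7';
$t  = 1700000000;
for ($i = 1; $i <= 6; $i++) {
    $d = throttle_decision($failures, $ip, $t);
    printf("attempt %d: %s delay=%.2fs retry_after=%ds\n",
           $i, $d['action'], $d['delay_ns'] / 1e9, $d['retry_after']);
    if ($d['action'] === 'reject') {
        break;                                   // would send HTTP 429 here
    }
    if ($d['action'] === 'delay') {
        sleep_ns($d['delay_ns']);
    }
    record_result($failures, $ip, false, $t);
    $t += 1;
}
```

Run it with `php throttle.php`: the first attempt is allowed, attempts two to five are delayed by 50, 100, 150 and 200 ms, and the sixth is rejected without any sleep because the fifth failure triggered the ban. Keying on the client IP has the weakness the question already notes (proxies, and shared NAT addresses punishing innocent users), so in practice the counter is usually kept per account as well as per IP.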
