 

Preventing Brute-Force Attacks When Authenticating A User in Laravel

Is it possible to use Laravel's Authenticating A User With Conditions to prevent brute-force attacks?

This answer for PHP suggests adding two columns to your database (TimeOfLastFailedLogin and NumberOfFailedAttempts) and then checking against those values on each login attempt.

Here is the Laravel syntax to authenticate a user with conditions:

if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1)))
{
    // The user is active, not suspended, and exists.
}

Is there any way to use the condition parameters to check number of attempts against a specified period of time? E.g., less than 3 requests in the last 60 seconds.

Justin asked Sep 24 '14 20:09



2 Answers

You can create something as simple as the class below to help you prevent that:

use Carbon\Carbon;
use Illuminate\Support\Facades\Auth;

class Login {

    public function attempt($credentials)
    {
        // where() takes (column, value); the 'email' => ... form is not valid PHP here
        if ( ! $user = User::where('email', $credentials['email'])->first())
        {
            // A distinct error here tells the caller whether the email exists
            throw new Exception('User not found');
        }

        // Note: read-increment-save is not atomic, so concurrent requests can slip past the limit
        $user->login_attempts++;

        if ($user->login_attempts > 2)
        {
            // last_login_attempt is a datetime column; parse it unless the model lists it in $dates
            if (Carbon::now()->diffInSeconds(Carbon::parse($user->last_login_attempt)) < 60)
            {
                throw new Exception('Too many attempts, wait a while');
            }

            // The lockout window has passed: start counting again
            $user->login_attempts = 0;
        }

        if ( ! Auth::attempt($credentials))
        {
            $user->last_login_attempt = Carbon::now();

            $user->save();

            throw new Exception('Wrong password');
        }

        // Successful login: reset the counter
        $user->login_attempts = 0;

        $user->save();

        return true;
    }

}

Or you can go with a package, like Sentry, which controls throttling for you. Sentry is open source.

Antonio Carlos Ribeiro answered Sep 21 '22 12:09


I know this is an old question, but as it ranks well on Google I would like to clarify that the trait ThrottlesLogins has been around since Laravel 5.1, and does protect against brute-force attacks.

It is included in Auth\LoginController by default through the trait AuthenticatesUsers.

Docs: https://laravel.com/docs/5.6/authentication#login-throttling

Example of default behaviour (see method "login"): https://github.com/laravel/framework/blob/5.6/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php

So if you are using the default LoginController that comes with Laravel, then the handling of login throttling will be done automatically.

thephper answered Sep 18 '22 12:09
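As an added example (not code from either answer, and not Laravel's own ThrottlesLogins source), the plain-PHP model below reproduces the behaviour the trait documents and ties it back to the question's "less than 3 requests in the last 60 seconds": attempts are counted per `lower(username)|ip` (the same key shape as `throttleKey()`), the default is 5 attempts per 1-minute decay window (set here to 3 per 60 seconds), the throttle check runs before the credential check, a failure increments the counter and a success clears it. An in-memory store with an injectable clock replaces Laravel's cache-backed RateLimiter so it runs offline; `FixedWindowStore`, `LoginThrottle` and `attemptLogin` are names assumed for this example, and the account and password are constructed demo data.

```php
<?php
// Added example, not Laravel's code: a plain-PHP model of the ThrottlesLogins
// behaviour. FixedWindowStore stands in for the cache-backed RateLimiter and
// takes an injectable clock so window expiry can be exercised offline.
declare(strict_types=1);

final class FixedWindowStore
{
    /** @var array<string, array{hits:int, expires:int}> */
    private array $data = [];

    public function __construct(private int $now) {}
    public function advance(int $seconds): void { $this->now += $seconds; }

    // Count one hit. An expired window is replaced by a fresh one whose expiry
    // is fixed at its first hit (a fixed window, not a sliding one).
    public function hit(string $key, int $decaySeconds): int
    {
        $e = $this->data[$key] ?? null;
        if ($e === null || $e['expires'] <= $this->now) {
            $e = ['hits' => 0, 'expires' => $this->now + $decaySeconds];
        }
        $e['hits']++;
        $this->data[$key] = $e;
        return $e['hits'];
    }

    public function attempts(string $key): int
    {
        $e = $this->data[$key] ?? null;
        return ($e === null || $e['expires'] <= $this->now) ? 0 : $e['hits'];
    }

    public function forget(string $key): void { unset($this->data[$key]); }
}

final class LoginThrottle
{
    public function __construct(
        private FixedWindowStore $store,
        private int $maxAttempts = 5,    // Laravel 5.6 default
        private int $decaySeconds = 60,  // Laravel 5.6 default (decayMinutes = 1)
    ) {}

    // Same shape as ThrottlesLogins::throttleKey(): lower-cased username so
    // case variants share one bucket, plus the client IP. Keying on the IP means
    // an attacker at one address cannot lock the real user out from another,
    // but it also gives an attacker who rotates IPs maxAttempts per address.
    public function key(string $username, string $ip): string
    {
        return strtolower(trim($username)) . '|' . $ip;
    }

    public function hasTooManyAttempts(string $username, string $ip): bool
    {
        return $this->store->attempts($this->key($username, $ip)) >= $this->maxAttempts;
    }

    public function incrementAttempts(string $username, string $ip): void
    {
        $this->store->hit($this->key($username, $ip), $this->decaySeconds);
    }

    public function clearAttempts(string $username, string $ip): void
    {
        $this->store->forget($this->key($username, $ip));
    }
}

// Control flow of AuthenticatesUsers::login(): throttle first (a locked-out
// request never reaches the password check; Laravel answers it with HTTP 429),
// a failure increments, a success clears. $verify stands in for Auth::attempt().
function attemptLogin(LoginThrottle $t, string $user, string $ip, string $pass, callable $verify): string
{
    if ($t->hasTooManyAttempts($user, $ip)) {
        return 'locked';
    }
    if ($verify($user, $pass)) {
        $t->clearAttempts($user, $ip);
        return 'ok';
    }
    $t->incrementAttempts($user, $ip);
    return 'failed';
}

// Constructed demo data: one account, password checked with password_verify().
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$verify = fn (string $u, string $p): bool => $u === 'alice@example.com' && password_verify($p, $hash);
$store = new FixedWindowStore(1_000_000);
$throttle = new LoginThrottle($store, maxAttempts: 3, decaySeconds: 60); // the question's 3 per 60 s

// Three wrong passwords fill the bucket; the fourth is refused before any check.
for ($i = 1; $i <= 4; $i++) {
    echo "attempt $i: ", attemptLogin($throttle, 'Alice@Example.com', '203.0.113.7', 'wrong', $verify), PHP_EOL;
}
// The right password inside the window is still refused: the throttle runs first.
echo 'right password, same IP: ', attemptLogin($throttle, 'alice@example.com', '203.0.113.7', 'correct horse battery staple', $verify), PHP_EOL;
// Another client IP has its own bucket, so this attempt is actually checked.
echo 'wrong password, other IP: ', attemptLogin($throttle, 'alice@example.com', '198.51.100.9', 'wrong', $verify), PHP_EOL;
// Once the window has decayed the counter is gone and the login goes through.
$store->advance(61);
echo 'after 61 s: ', attemptLogin($throttle, 'alice@example.com', '203.0.113.7', 'correct horse battery staple', $verify), PHP_EOL;
```

Run it with `php throttle.php` (PHP 8.0 or later, for constructor promotion and named arguments). Two points the trace makes visible: the lockout is enforced before the password is ever compared, so a locked bucket costs the server no credential check, and because the key includes the client IP the limit is per address rather than per account. That is the trade-off to keep in mind when relying on ThrottlesLogins alone: it stops a single source hammering one account, but a distributed attacker gets a fresh budget per IP, and per-account counters of the kind the first answer stores in the database (or a CAPTCHA or MFA step) are the complementary control.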