Is it possible to use Laravel's Authenticating A User With Conditions to prevent brute-force attacks?
This answer for PHP suggests adding two columns to your database (TimeOfLastFailedLogin and NumberOfFailedAttempts) and then checking against those values on each login attempt.
Here is the Laravel syntax to authenticate a user with conditions:
if (Auth::attempt(array('email' => $email, 'password' => $password, 'active' => 1)))
{
    // The user is active, not suspended, and exists.
}
Is there any way to use the condition parameters to check number of attempts against a specified period of time? E.g., less than 3 requests in the last 60 seconds.
You can create something as simple as the class below to help you prevent that:
use Carbon\Carbon;

class Login {
    public function attempt($credentials)
    {
        // where() takes column and value as two arguments, not an array literal
        if ( ! $user = User::where('email', $credentials['email'])->first())
        {
            throw new Exception('User not found');
        }

        $user->login_attempts++;

        if ($user->login_attempts > 2)
        {
            // Third attempt within 60 seconds of the last failure: make the caller wait
            if (Carbon::now()->diffInSeconds($user->last_login_attempt) < 60)
            {
                throw new Exception('Too many attempts, wait a while');
            }
            // The 60-second window has passed, start counting again
            $user->login_attempts = 0;
        }

        if ( ! Auth::attempt($credentials))
        {
            // Record the failure so the next attempt can be checked against it
            $user->last_login_attempt = Carbon::now();
            $user->save();
            throw new Exception('Wrong password');
        }

        // Successful login resets the counter
        $user->login_attempts = 0;
        $user->save();

        return true;
    }
}
Or you can go with a package, like Sentry, which controls throttling for you. Sentry is open source.
I know this is an old question, but as it ranks well on Google I would like to clarify that the trait ThrottlesLogins has been around since Laravel 5.1, and does prevent brute force attacks.
It is included in Auth\LoginController by default through the trait AuthenticatesUsers.
Docs: https://laravel.com/docs/5.6/authentication#login-throttling
Example of default behaviour (see method "login"): https://github.com/laravel/framework/blob/5.6/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php
So if you are using the default LoginController that comes with Laravel, then the handling of login throttling will be done automatically.
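As an added example (not code from either answer or from Laravel itself), here is the decaying-window pattern that ThrottlesLogins implements, written as a stand-alone PHP class: a plain array stands in for the cache store, the clock is passed in as an argument, and the class name, method names and the sample e-mail and IP are constructed for illustration.

```php
<?php
// Added example, not from the answers above or from Laravel's source. Failures
// are counted per lower-cased email + client IP inside a decaying window, so
// nothing is written to the users table and the lockout also applies to e-mails
// that do not exist (no extra signal for account enumeration).
final class LoginThrottle
{
    private array $store = [];  // constructed in-memory stand-in for the cache: key => [count, expires]
    public function __construct(
        private int $maxAttempts = 3,   // the question's target: fewer than 3 ...
        private int $decaySeconds = 60  // ... failures in any 60-second window
    ) {}
    private function key(string $email, string $ip): string
    {
        return strtolower($email) . '|' . $ip;
    }
    // An expired entry is treated as absent: the window has decayed.
    private function entry(string $key, int $now): array
    {
        $e = $this->store[$key] ?? null;
        return ($e === null || $e['expires'] <= $now) ? ['count' => 0, 'expires' => 0] : $e;
    }
    public function hasTooManyAttempts(string $email, string $ip, int $now): bool
    {
        return $this->entry($this->key($email, $ip), $now)['count'] >= $this->maxAttempts;
    }
    // Call after a failed Auth::attempt(); the first failure opens the window.
    public function hit(string $email, string $ip, int $now): void
    {
        $k = $this->key($email, $ip);
        $e = $this->entry($k, $now);
        $expires = $e['count'] === 0 ? $now + $this->decaySeconds : $e['expires'];
        $this->store[$k] = ['count' => $e['count'] + 1, 'expires' => $expires];
    }
    // Call after a successful login so a legitimate user is not locked out later.
    public function clear(string $email, string $ip): void
    {
        unset($this->store[$this->key($email, $ip)]);
    }
}

// Usage: $now is passed explicitly so the window can be checked without sleeping.
$t = new LoginThrottle();
$now = time();
for ($i = 0; $i < 3; $i++) {
    $t->hit('Bob@example.com', '203.0.113.7', $now);  // three wrong passwords
}
var_dump($t->hasTooManyAttempts('bob@example.com', '203.0.113.7', $now));       // inside the window
var_dump($t->hasTooManyAttempts('bob@example.com', '203.0.113.7', $now + 61));  // after it decays
```

In a real controller the check runs before Auth::attempt(), hit() runs on failure and clear() on success, which is the order the default login method above follows.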