As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?
Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.
Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the delay method, lock out a legitimate user (or at least make the login process very slow for them).
Thoughts? Suggestions?
What is the simplest way to stop brute-force cyberattacks dead in their tracks? C. Add a few unique characters to any password or PIN.
Locking Accounts The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.
High encryption rates: to make it harder for brute force attacks to succeed, system administrators should ensure that passwords for their systems are encrypted with the highest encryption rates possible, such as 256-bit encryption.
I think database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid
in your database contains a timeOfLastFailedLogin
and numberOfFailedAttempts
. When numbeOfFailedAttempts > X
you lockout for some minutes.
This means you're locking the userid
in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.
There is at least one whole country is NAT'ed in asia, so IP's cannot be used for anything.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With