 

Preventing Brute Force Logins on Websites

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.

Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the delay method, lock out a legitimate user (or at least make the login process very slow for them).

Thoughts? Suggestions?

Greg Avatar asked Jan 08 '09 13:01




1 Answers

I think a database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numberOfFailedAttempts > X you lock out for some minutes.

This means you're locking the userid in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.

There is at least one whole country in Asia that is NAT'ed, so IPs cannot be used for anything.

krosenvold Avatar answered Sep 17 '22 23:09

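The per-account lockout the answer sketches, written out as an added example (not the answerer's code): the two column names follow the answer, while the threshold X = 5, the 5-minute window, the in-memory dict standing in for the database table, and PBKDF2 for the password hash are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # the answer's X (assumed value)
LOCKOUT_SECONDS = 5 * 60     # short, non-permanent lockout window (assumed 5 minutes)

@dataclass
class UserRecord:
    # The two per-userid columns the answer describes, plus the stored credential.
    salt: bytes
    password_hash: bytes
    number_of_failed_attempts: int = 0
    time_of_last_failed_login: float = 0.0

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(salt, hash_password(password, salt))

class LoginGuard:
    def __init__(self, users: dict, clock=time.time):
        self.users = users      # stands in for the users table
        self.clock = clock      # injectable so lockout expiry can be tested without waiting

    def is_locked(self, user: UserRecord) -> bool:
        if user.number_of_failed_attempts < MAX_FAILED_ATTEMPTS:
            return False
        # Locked only for LOCKOUT_SECONDS after the last failure, never permanently.
        return self.clock() - user.time_of_last_failed_login < LOCKOUT_SECONDS

    def attempt_login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            return "denied"      # same result as a bad password, so usernames are not enumerable
        if self.is_locked(user):
            return "locked"      # no DB write while locked: failures cannot extend the lockout
        if user.number_of_failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.number_of_failed_attempts = 0   # window has expired: start counting afresh
        if hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.number_of_failed_attempts = 0   # success clears the counter
            return "ok"
        user.number_of_failed_attempts += 1      # one DB write per failed attempt
        user.time_of_last_failed_login = self.clock()
        return "denied"
```

Because the counter is keyed on the account rather than the session or IP, a legitimate user whose name is being guessed sees at most a few minutes of "locked", which is the trade-off the answer accepts.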