What is the best method to prevent a brute force attack?

I have my login page and of course I want to prevent brute force attacks and cause less delay for the users when they are logging in.

Currently, you type in your username and password to log in.

I am considering implementing a reCAPTCHA. However, this shows on login after 3 failed attempts.

My question is:

  1. What do you base the attempt on? IP addresses? They can always be hidden... username? What if they're trying a user that doesn't exist?

  2. What would be the best method to count the failed login attempts?

lecardo asked Apr 03 '13 21:04



1 Answer

Sessions are unreliable because they rely on cookies, CAPTCHAs are regularly broken [including ReCAPTCHA]. The only reliable method is deceptively simple: ask a question. Don't use a math question because computers are surprisingly adept at solving those for some reason. Great old standbys are things like:

  • What is the fourth word in the sixth paragraph on this page?
  • What is the name of the author of this site? [hint]

This is stupid-easy to implement, and very difficult for a machine to solve.

As for brute-forcing, try adding two fields to your user table, 'first_failed_login' [INTEGER unix timestamp or DATETIME] and 'failed_login_count' [INTEGER].

```php
<?php
$bad_login_limit = 3;
$lockout_time = 600; // seconds

// $first_failed_login (unix timestamp) and $failed_login_count: retrieve from DB.
// $login_is_invalid stands in for the result of checking the submitted credentials.
$first_failed_login = 0;
$failed_login_count = 0;
$login_is_invalid = true;

if (
    ($failed_login_count >= $bad_login_limit)
    &&
    (time() - $first_failed_login < $lockout_time)
) {
    echo "You are currently locked out.";
    exit; // or return, or whatever.
} else if ($login_is_invalid) {
    if (time() - $first_failed_login > $lockout_time) {
        // first unsuccessful login since $lockout_time on the last one expired
        $first_failed_login = time(); // commit to DB
        $failed_login_count = 1;      // commit to DB
    } else {
        $failed_login_count++;        // commit to DB
    }
    exit; // or return, or whatever.
} else {
    // user is not currently locked out, and the login is valid.
    // do stuff
}
```

This will make your login system recognize only 3 login attempts per user every 10 minutes.

Sammitch answered Oct 12 '22 10:10
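The timestamp-plus-counter scheme from the answer above, as an added Python example (not the answerer's code): the clock is injected so the 10-minute window can be exercised, and the counter is kept per submitted username so that attempts against a nonexistent account (the question's first point) are throttled the same way. USERS, LoginThrottle and demo are constructed names; clearing the counter on a successful login is an assumption the answer does not make.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable

BAD_LOGIN_LIMIT = 3   # $bad_login_limit in the answer
LOCKOUT_TIME = 600    # $lockout_time in seconds

# Constructed sample credential store (plaintext only to keep the example short).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class LoginThrottle:
    now: Callable[[], int]                      # injected clock (unix seconds)
    # per submitted username -> (first_failed_login, failed_login_count)
    failures: dict = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        t = self.now()
        first_failed, count = self.failures.get(username, (0, 0))
        # Answer's first branch: too many failures and the window is still open.
        if count >= BAD_LOGIN_LIMIT and t - first_failed < LOCKOUT_TIME:
            return "locked_out"            # password is not even checked
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            if username not in self.failures or t - first_failed > LOCKOUT_TIME:
                self.failures[username] = (t, 1)           # start a new window
            else:
                self.failures[username] = (first_failed, count + 1)
            return "invalid"
        self.failures.pop(username, None)  # assumption: a good login clears the counter
        return "ok"


def demo() -> list:
    """Constructed timeline: 3 bad passwords lock alice for 600 s even when the
    next attempt carries the right password; unknown user bob is counted too."""
    clock = {"t": 1000}
    th = LoginThrottle(now=lambda: clock["t"])
    out = [th.attempt("alice", "wrong") for _ in range(3)]
    out.append(th.attempt("alice", USERS["alice"]))    # t=1000, window still open
    clock["t"] = 1100
    out.append(th.attempt("alice", USERS["alice"]))    # 100 s later, still locked
    clock["t"] = 1700
    out.append(th.attempt("alice", USERS["alice"]))    # 700 s > 600 s: allowed
    out += [th.attempt("bob", "x") for _ in range(4)]  # no such user, still throttled
    return out
```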