
PHP Security - Limit Login Attempts

6 replies to this topic

#1 ut_tommy

Posted 27 November 2011 - 09:14 PM

Hello,

I'm looking for a good method to limit login attempts on my website. I have discovered the following methods:

  • Sessions: Store a login attempt variable in the session array, increment on failed attempt. If greater than threshold, don't display form.
    Problem: Session can be destroyed easily. (closing browser does it, what else destroys them?)
  • Limit attempts by Username: Count the number of failed attempts on a specific username in a given time period. If greater than threshold, lock username.
    Problem: Can block anyone you want if you know their username.
  • Limit attempts by IP: Count the number of failed attempts from an IP in a given time period. If greater than threshold, block IP.
    Problem: Multiple people can have the same IP? (universities?). An attacker could attack through proxies.
  • CAPTCHA: Include a CAPTCHA with the login form.
    Problem: There's a problem? I've seen a few comments here and there about CAPTCHAs not being all that great, but I don't know much about it.
    This seems to be the best idea to me.

What are your opinions? How should I approach this problem?

Thank you,

Regards,

Tom.

#2 Alexander

Posted 27 November 2011 - 10:49 PM

After five failed attempts, I would block their IP from attempting further logins to the specific user for 10 minutes. This would prevent the real user from being affected by those actions.

If the attacker were persistent, and the user's password was within one of a list of 22000 common passwords:
  • They could try five per ten minutes, taking (22000/2-1)/0.5/60/24 = 15 days
  • They could use 2200 IP addresses simultaneously.
  • They could use 30 IP addresses, for 720 minutes.
These attempts are generally prohibitive, especially if the specific target is using one that is not on a list. If that is the case, 22000 can go up to (13+9)^8/2-1 assuming lower+numerics, eight characters of length.

CAPTCHA could be good to implement for the fifth to tenth attempt, for example, which is more than valid for any owner's attempts before they hit "forgot password?" (which should be visible).

(closing browser does it, what else destroys them?)

When automating login requests, you can ignore the session identification header on each request, bypassing it completely, unless there is something to require a valid session to log in.

Alexander.

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
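A worked version of the scheme in this post, added here as an example and not code from the thread: failed attempts are counted per username-and-IP pair inside a 10-minute window, the fifth to tenth attempt gets a CAPTCHA, and further attempts from that IP against that user are refused until the window passes. The class name, the two thresholds and the in-memory array store (a stand-in for a database or cache shared by all web workers) are my assumptions.

```php
<?php
// Added example: per-(username, IP) login throttle. Counters are kept in an
// array here; a real site would store them in a database or cache.
final class LoginThrottle
{
    private array $failures = [];   // key => timestamps of recent failures
    public function __construct(
        private int $windowSeconds = 600,  // 10-minute window
        private int $captchaAfter = 5,     // 5th..10th attempt must solve a CAPTCHA
        private int $blockAfter = 10       // beyond that, refuse until the window passes
    ) {}
    private static function key(string $user, string $ip): string
    {
        return strtolower($user) . '|' . $ip;   // "Alice" and "alice" share a counter
    }
    private function recentFailures(string $key, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [], fn(int $t) => $t > $cutoff));
        return count($this->failures[$key]);
    }

    /** 'allow', 'captcha' or 'blocked' for an attempt by $ip against $user. */
    public function decide(string $user, string $ip, int $now): string
    {
        $n = $this->recentFailures(self::key($user, $ip), $now);
        if ($n >= $this->blockAfter) return 'blocked';
        if ($n >= $this->captchaAfter) return 'captcha';
        return 'allow';
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        $this->failures[self::key($user, $ip)][] = $now;
    }

    public function recordSuccess(string $user, string $ip): void
    {
        unset($this->failures[self::key($user, $ip)]);   // clean slate after a real login
    }
}

// Constructed scenario with a fixed clock (not real traffic):
$t = new LoginThrottle();
$now = 1700000000;
for ($i = 0; $i < 5; $i++) { $t->recordFailure('alice', '203.0.113.7', $now + $i); }
echo $t->decide('alice', '203.0.113.7', $now + 5), "\n";    // same IP after five failures
echo $t->decide('alice', '198.51.100.9', $now + 5), "\n";   // different IP, same user
echo $t->decide('alice', '203.0.113.7', $now + 700), "\n";  // same IP once the window has passed
```

Because the counter is keyed on the pair, a legitimate user on another address is never locked out by someone hammering their username, which is the point of the post above.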


#3 ut_tommy

Posted 27 November 2011 - 11:56 PM

That sounds like a good solution, I'll give it a try. Thanks.

#4 Vaielab

Posted 28 November 2011 - 05:06 AM

CAPTCHAs have only one weakness (that I know of). The words aren't infinite; they come back.
So, if a group of hackers, or people who have a lot of time on their hands, would like to make software that will memorise them all, it would be possible.
But we are talking here about an army of people, so against 99% of the population a CAPTCHA is good security.

#5 WingedPanther73

Posted 28 November 2011 - 03:10 PM

Another approach you can use is to lock the user's account and send an email to the user with a link (similar to registration link) to unlock the account again. That way, you don't lock out the user, but you effectively stop the attacker from accomplishing anything.

Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

My MineCraft server site: http://banishedwings.enjin.com/


#6 bbqroast

Posted 07 December 2011 - 01:36 PM

Alexander's method looks good, but I would lock the account and send an email to the owner after 50 failed logins in a day.

---------- Post added at 09:36 PM ---------- Previous post was at 09:34 PM ----------

CAPTCHAs have only one weakness (that I know of). The words aren't infinite; they come back.
So, if a group of hackers, or people who have a lot of time on their hands, would like to make software that will memorise them all, it would be possible.
But we are talking here about an army of people, so against 99% of the population a CAPTCHA is good security.

That's still 70,000,000 people. reCAPTCHA actually takes words from a library of digital books, which is a very good method...
Please, write clearly with proper structure. Double spacing makes the text feel un-jointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The right most styling box).

#7 Vaielab

Posted 07 December 2011 - 02:43 PM

If you have a strong enough group of servers, you can break through reCAPTCHA... Anonymous did it.