6 replies to this topic

[ut_tommy]

Hello,

I'm looking for a good method to limit login attempts on my website. I have discovered the following methods:

• Sessions: Store a login attempt variable in the session array, increment on failed attempt. If greater then threshold, don't display form.
  Problem: Session can be destroyed easily. (closing browser does it, what else destroys them?)
  
  
• Limit attempts by Username: Count the number of failed attempts on a specific username in a given time period. If greater then threshold, lock username.
  Problem: Can block anyone you want if you know their username.
  
  
• Limit attempts by IP: Count the number of failed attempts from an IP in a given time period. If greater then threshold, block ip.
  Problem: Multiple people can have the same ip? (universities?). An attacker could attack through proxies.
  
  
• CAPTCHA: Include a CAPTCHA with the login form.
  Problem: There's a problem? I've seen a few comments here and there about CAPTCHAS not being all that great, but I don't know much about it.
  This seems to be the best idea to me.

What are your opinions? How should I approach this problem?

Thankyou,

Regards,

Tom.

[Alexander]

After five failed attempts, I would block their IP from attempting further logins to the specific user for 10 minutes. This would prevent the real user from being affected by those actions.

If the attacker were persistent, and the user's password was within one of a list of 22000 common passwords:

• They could try five per ten minutes, taking (22000/2-1)/0.5/60/24 = 15 days
  
• They could use 2200 IP addresses simultaneously.
  
• They could use 30 IP addresses, for 720 minutes.

These attempts are generally prohibitive, especially if the specific target is using one that is not on a list. If that is the case, 22000 can go up to (13+9)^8/2-1 assuming lower+numerics, eight characters of length.

CAPTCHA could be good to implement for five-tenth attempt for example, which is more than valid for any owner's attempts before they hit "forgot password?" (which should be visible.)

Quote

(closing browser does it, what else destroys them?

When automating login requests, you can ignore the session identification header each request bypassing it completely unless there is something to require a valid session to log in.

Alexander.

[ut_tommy]

That sounds like a good solution, I'll give it a try. Thanks.

[Vaielab]

CAPTCHA have only one wickness (that I know of). The word aren't infinited, they come back.
So, if a group of hacker, or people who have a lots of time on their hand, would like to make a software that will memorise them all, it would be possible.
But we are talking here about a army of people, so against 99% of the population captcha is a good security.

[WingedPanther]

Another approach you can use is to lock the user's account and send an email to the user with a link (similar to registration link) to unlock the account again. That way, you don't lock out the user, but you effectively stop the attacker from accomplishing anything.

[bbqroast]

Alexander's method looks good but I would lock the account and send a email to the owner after 50 failed logins in a day.

---------- Post added at 09:36 PM ---------- Previous post was at 09:34 PM ----------

Vaielab said:

CAPTCHA have only one wickness (that I know of). The word aren't infinited, they come back.
So, if a group of hacker, or people who have a lots of time on their hand, would like to make a software that will memorise them all, it would be possible.
But we are talking here about a army of people, so against 99% of the population captcha is a good security.

That's still 70,000,000 people. Re-Captcha actually takes words from a library of digital books which is a very good method...

[Vaielab]

If you have a strong enough group of server, you can break throw recaptcha... anonymous did it