I'm looking for a good method to limit login attempts on my website. I have discovered the following methods:
- Sessions: Store a login attempt variable in the session array, increment on failed attempt. If greater than threshold, don't display form.
Problem: Session can be destroyed easily. (closing browser does it, what else destroys them?)
- Limit attempts by Username: Count the number of failed attempts on a specific username in a given time period. If greater than threshold, lock username.
Problem: Can block anyone you want if you know their username.
- Limit attempts by IP: Count the number of failed attempts from an IP in a given time period. If greater than threshold, block IP.
Problem: Multiple people can have the same IP? (universities?). An attacker could attack through proxies.
- CAPTCHA: Include a CAPTCHA with the login form.
Problem: There's a problem? I've seen a few comments here and there about CAPTCHAs not being all that great, but I don't know much about it.
This seems to be the best idea to me.
What are your opinions? How should I approach this problem?
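One way to combine the per-username and per-IP counters from the question, as an added example that is not part of the original post: per-IP failures get a hard block, while per-username failures only slow the response down, so that knowing someone's username is not enough to lock them out. Thresholds, window length and the in-memory store are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter keyed by username and by client IP.

    Per-IP: refuse outright after ip_limit failures within window_s seconds.
    Per-username: never hard-lock (anyone who knows the username could
    otherwise lock the account); instead return a delay that doubles with
    each failure past user_limit, capped at max_delay_s.
    State is kept in memory here (hypothetical; a real site would use a
    shared store such as the database or a cache so all servers agree).
    """

    def __init__(self, window_s=900, ip_limit=20, user_limit=5, max_delay_s=30):
        self.window_s = window_s
        self.ip_limit = ip_limit
        self.user_limit = user_limit
        self.max_delay_s = max_delay_s
        self.failures = defaultdict(deque)  # (scope, key) -> failure timestamps

    def _recent(self, scope, key, now):
        """Drop timestamps older than the window and return the count left."""
        q = self.failures[(scope, key)]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def check(self, username, ip, now=None):
        """Return (allowed, delay_s). allowed=False means refuse the attempt."""
        now = time.time() if now is None else now
        if self._recent("ip", ip, now) >= self.ip_limit:
            return False, 0
        user_fails = self._recent("user", username.lower(), now)
        over = max(0, user_fails - self.user_limit + 1)
        delay = min(self.max_delay_s, 2 ** over - 1) if over else 0
        return True, delay

    def record_failure(self, username, ip, now=None):
        """Call after a wrong password; counts against both the user and the IP."""
        now = time.time() if now is None else now
        self.failures[("ip", ip)].append(now)
        self.failures[("user", username.lower())].append(now)

    def record_success(self, username):
        """A correct login clears the user's counter; the IP counter is kept."""
        self.failures.pop(("user", username.lower()), None)
```

The caller sleeps for `delay_s` (or schedules the response) before answering, so the slowdown applies to the attacker's session rather than to the account itself.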