From: Juan Rodriguez Monti on
Hi guys,
I would like to know what you suggest for implementing a limit on
failed login attempts.

I thought that it might be a good idea to define a session variable
called ( failedattempts ), then check it, and if $failedattempts is
greater than, suppose, 4, write to a database ( ip, username and
last-time-attempt ). If after that the user/bot tries again to log in
unsuccessfully, then the system should ban that user & ip combination.

Some questions about this situation:

- Do you think it is a good idea to use sleep()?
- How should I send a 503 HTTP error to the user after 5 attempts?
- Is it a good idea to do all this work for this security purpose?
- Do you know/suggest a better way to solve this?

Thanks in advance,
Juan
From: Peter Lind on
On 9 August 2010 14:30, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
> Hi guys,
> I would like to know what you suggest for implementing a limit on
> failed login attempts.

I use velocity control (or whatever it is called). After the first
failed attempt, set a ban-period before another login is possible for
the account - start at 1 second. After each consecutive fail, double
the period.

> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check it, and if $failedattempts is
> greater than, suppose, 4, write to a database ( ip, username and
> last-time-attempt ). If after that the user/bot tries again to log in
> unsuccessfully, then the system should ban that user & ip combination.
>
> Some questions about this situation:
>
> - Do you think it is a good idea to use sleep()?

No. That won't achieve much except annoy legitimate users.

> - How should I send a 503 HTTP error to the user after 5 attempts?

Use header(). I would send a 403.

> - Is it a good idea to do all this work for this security purpose?

Making sure that no one can try brute-forcing an account is a good idea.
Just make sure you cannot use this security measure to lock out an
account.

> - Do you know/suggest a better way to solve this?

Velocity control, as stated.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
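Peter's velocity control, written out as an added example (Python rather than the PHP the thread is about; the logic is the same and is not code from the thread). Per account, a failed attempt locks the account for 1 second, each consecutive failure doubles the lock, and a success resets it. The cap MAX_LOCK_SECONDS is an assumption added here, not something Peter specified: it is what keeps a stream of wrong guesses from locking a legitimate user out indefinitely, which is the caveat Peter raises in his last answer. The clock is injectable so the windows can be checked without sleep().

```python
"""Velocity control for login attempts (added example, not from the thread).

After a failed attempt the account cannot be tried again for a period that
starts at 1 second and doubles on every consecutive failure; a successful
login resets it. MAX_LOCK_SECONDS is an assumption made here to bound the
doubling so repeated failures cannot lock a real user out forever."""
import time
from typing import Callable, Dict

MAX_LOCK_SECONDS = 15 * 60  # assumed cap on the doubling lock period


class AccountState:
    def __init__(self) -> None:
        self.failures = 0        # consecutive failed attempts
        self.locked_until = 0.0  # epoch seconds; attempts before this are refused


class VelocityControl:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock  # injectable clock: testable without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def seconds_until_allowed(self, username: str) -> float:
        """0.0 when an attempt may be made now, else the remaining lock time."""
        return max(0.0, self._state(username).locked_until - self.clock())

    def login(self, username: str, password: str,
              verify: Callable[[str, str], bool]) -> bool:
        """Run one login attempt through the velocity control.

        verify() is the real credential check. It is only called when the
        account is not locked, so a refused attempt reveals nothing about
        whether the guess was right and is not counted as another failure."""
        st = self._state(username)
        now = self.clock()
        if now < st.locked_until:
            return False
        if verify(username, password):
            st.failures = 0
            st.locked_until = 0.0
            return True
        st.failures += 1
        # 1 s after the first failure, then 2 s, 4 s, 8 s, ... up to the cap
        lock = min(2 ** (st.failures - 1), MAX_LOCK_SECONDS)
        st.locked_until = now + lock
        return False


if __name__ == "__main__":
    # Constructed demo with the real wall clock and a stand-in credential check.
    vc = VelocityControl()
    check = lambda u, p: p == "correct horse"
    print(vc.login("alice", "wrong", check))          # refused, account locked 1 s
    print(vc.seconds_until_allowed("alice"))          # remaining lock time
    print(vc.login("alice", "correct horse", check))  # refused: still locked
```

Because only the account is keyed, the control works whether or not the client sends cookies, which addresses Richard's objection to session counters below; the price is that anyone who knows a username can impose the lock on its owner, which is why the period is capped.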
From: Richard Quadling on
On 9 August 2010 13:30, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check it, and if $failedattempts is
> greater than, suppose, 4 ...

As sessions are connected to a request through a session cookie,
putting the failed attempts in the session for checking later is a bad
idea. A script attempting to crack your security will most likely NOT
be using cookies. So each request, all the many millions of them, will
seem to be clean/virgin requests, not multiple attempts. Each request
will create a blank new session with 0 previous attempts.

Richard.
From: "Bob McConnell" on
From: Juan Rodriguez Monti

> I would like to know what you suggest for implementing a limit on
> failed login attempts.
>
> I thought that it might be a good idea to define a session variable
> called ( failedattempts ), then check it, and if $failedattempts is
> greater than, suppose, 4, write to a database ( ip, username and
> last-time-attempt ). If after that the user/bot tries again to log in
> unsuccessfully, then the system should ban that user & ip combination.

We have two columns in the user table, login_attempts and u_touch. The
first is an integer, the second is a time stamp. The second is updated
to now every time the user requests a page. Each time a login attempt
fails, the first column is incremented. If the first column exceeds 3
when a new attempt is made, the previous time in the second must be more
than 30 minutes old. The first column is reset to 0 on a successful
login, or 1 on an unsuccessful attempt more than 30 minutes after the
previous attempt.

The error message is the same for all login failures, no matter what the
cause.

While logged in, if a page is requested with the value of u_touch more
than ten minutes old, the user is automatically logged out.

Bob McConnell
From: Richard Quadling on
On 9 August 2010 14:04, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
> 2010/8/9 Richard Quadling <rquadling(a)gmail.com>:
>> On 9 August 2010 13:30, Juan Rodriguez Monti <juan(a)rodriguezmonti.com.ar> wrote:
>>> I thought that it might be a good idea to define a session variable
>>> called ( failedattempts ), then check it, and if $failedattempts is
>>> greater than, suppose, 4 ...
>>
>> As sessions are connected to a request through a session cookie,
>> putting the failed attempts in the session for checking later is a bad
>> idea. A script attempting to crack your security will most likely NOT
>> be using cookies. So each request, all the many millions of them, will
>> seem to be clean/virgin requests, not multiple attempts. Each request
>> will create a blank new session with 0 previous attempts.
>
> Good point. Thanks.
>
> So, what should I use instead of sessions to check this?
>
> Juan
>

You could suspend the account after 3 bad logins. Nice and simple. A
"FailedLoginsSinceLastLogin" counter against the account in the DB
should be enough. If that exceeds your limit, then they can't log in.
They will have to re-authenticate in some other way. When that is
successful, then the value can be cleared.

Bob's way looks good.
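Bob's two-column scheme and Richard's "failed logins since last login" counter, as one added example on an in-memory SQLite user table (Python, not code from either poster). The column names login_attempts and u_touch, the limits (more than 3 failures, 30-minute window, 10-minute idle logout) and the single generic error message follow Bob's post. Two things are assumptions made here: the SUSPEND_AFTER value for Richard's hard limit, and that a refused attempt on a locked account does not update u_touch, so the lock expires on its own instead of being renewable by whoever keeps guessing. The clock is injectable so the time windows can be exercised without waiting.

```python
"""Bob's lockout (login_attempts, u_touch) plus Richard's hard counter on a
SQLite user table. Added example; SUSPEND_AFTER and the no-touch-on-refusal
rule are assumptions, the rest follows the two posts."""
import hashlib
import hmac
import os
import sqlite3
import time

LOCK_AFTER = 3           # Bob: more than 3 failures blocks further attempts ...
LOCK_WINDOW = 30 * 60    # ... until the last activity is over 30 minutes old
IDLE_TIMEOUT = 10 * 60   # Bob: a logged-in user idle for 10 minutes is logged out
SUSPEND_AFTER = 10       # Richard's hard limit (assumed value): needs a manual reset
GENERIC_ERROR = "Login failed"  # Bob: identical message for every failure cause


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the time windows can be tested
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE users (
            username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,
            login_attempts INTEGER NOT NULL DEFAULT 0,     -- Bob's counter
            u_touch REAL NOT NULL DEFAULT 0,               -- Bob's last-activity stamp
            failed_since_login INTEGER NOT NULL DEFAULT 0  -- Richard's counter
        )""")

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                        (username, salt, _hash(password, salt)))

    def touch(self, username: str) -> None:
        """Bob: u_touch is set to now on every page request by the user."""
        self.db.execute("UPDATE users SET u_touch = ? WHERE username = ?",
                        (self.clock(), username))

    def login(self, username: str, password: str) -> tuple:
        """Returns (ok, message); message is GENERIC_ERROR on every failure."""
        now = self.clock()
        row = self.db.execute(
            "SELECT salt, pw_hash, login_attempts, u_touch, failed_since_login "
            "FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            return False, GENERIC_ERROR  # unknown user: same message as a bad password
        salt, pw_hash, attempts, touched, failed = row
        if failed >= SUSPEND_AFTER:
            return False, GENERIC_ERROR  # Richard: suspended until clear_suspension()
        stale = now - touched > LOCK_WINDOW
        if attempts > LOCK_AFTER and not stale:
            # Locked. u_touch is deliberately left alone (assumption), so the
            # lock lifts after 30 quiet minutes no matter how many guesses arrive.
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, salt), pw_hash):
            self.db.execute("UPDATE users SET login_attempts = 0, failed_since_login = 0, "
                            "u_touch = ? WHERE username = ?", (now, username))
            return True, "ok"
        # Bob: back to 1 if the previous attempt is over 30 minutes old, else +1
        new_attempts = 1 if stale else attempts + 1
        self.db.execute("UPDATE users SET login_attempts = ?, failed_since_login = ?, "
                        "u_touch = ? WHERE username = ?",
                        (new_attempts, failed + 1, now, username))
        return False, GENERIC_ERROR

    def clear_suspension(self, username: str) -> None:
        """Richard: after the user re-authenticates some other way, clear the counter."""
        self.db.execute("UPDATE users SET failed_since_login = 0, login_attempts = 0 "
                        "WHERE username = ?", (username,))

    def page_request(self, username: str) -> bool:
        """Bob's idle rule: a request more than 10 minutes after u_touch logs the
        user out (returns False); otherwise the request refreshes u_touch."""
        (touched,) = self.db.execute("SELECT u_touch FROM users WHERE username = ?",
                                     (username,)).fetchone()
        if self.clock() - touched > IDLE_TIMEOUT:
            return False
        self.touch(username)
        return True

    def counters(self, username: str) -> tuple:
        """(login_attempts, failed_since_login), for inspection."""
        return self.db.execute("SELECT login_attempts, failed_since_login FROM users "
                               "WHERE username = ?", (username,)).fetchone()
```

The two counters fail differently on purpose: Bob's login_attempts recovers by itself after a quiet half hour, so a user who mistypes a few times is inconvenienced rather than locked out, while Richard's failed_since_login only ever goes down on a successful login or an out-of-band reset, which is the behaviour Peter warns must not be turnable against a legitimate account without a recovery path.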