Keeping track of failed login attempts

This question is essentially language-agnostic, but in my case I'm using PHP for anyone who wants to know.

I would like to keep track of the number of failed login attempts a user has had, so that after X failed attempts a CAPTCHA is displayed. The only purpose this would have is preventing brute-force attacks. It doesn't have to be an extremely secure way, just annoying enough to delay whoever is brute-forcing.

I was thinking of creating a session variable $_SESSION['failedLoginAttempts'] and increasing it every time a failed login attempt is detected. The attacker could still alternate browsers or delete his cookies to keep going, but this would make him (i.e. whatever tool he's using to perform the brute-force) waste a couple of seconds more for every attempt, so the number of attempts would be greatly lowered.

Going from a couple of attacks per second to a couple of attacks per minute would be ideal; then the attack would be negligible.

Is this approach correct or am I missing something? Also, what's the best practice in these cases?


You're best off logging this in the database attached to the user ID. This is because a determined attacker isn't going to be using a web browser for brute force; it's pretty straightforward to build a script in most any language that would make repeated login attempts and ignore the cookies entirely, or reset the cookies after every attempt.
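An added example of the per-account counter this answer recommends, written in Python rather than the asker's PHP since the question is language-agnostic; it is not code from the original thread. It uses an in-memory SQLite table as a stand-in for the real user table (the table and column names, the threshold of 5 and the 15-minute window are assumptions), stores the counter next to the user row so clearing cookies or switching clients does not reset it, and checks the CAPTCHA requirement before the password is ever compared:

```python
import hashlib
import hmac
import sqlite3
import time

# Constructed in-memory stand-in for the site's user table. Table and column
# names, the threshold and the window are assumptions for this example.
SCHEMA = """
CREATE TABLE users (
    id               INTEGER PRIMARY KEY,
    username         TEXT UNIQUE NOT NULL,
    salt             BLOB NOT NULL,
    password_hash    BLOB NOT NULL,
    failed_attempts  INTEGER NOT NULL DEFAULT 0,
    last_failed_at   REAL
);
"""

CAPTCHA_THRESHOLD = 5       # require a CAPTCHA once this many failures pile up
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """Create the constructed database with one account: alice / correct-horse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    salt = b"constructed-static-salt"   # a real system uses os.urandom(16) per user
    conn.execute(
        "INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct-horse", salt)),
    )
    conn.commit()
    return conn


def failed_attempts(conn, username, now=None) -> int:
    """Counter for the account, treated as zero once the window has expired."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT failed_attempts, last_failed_at FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return 0
    count, last = row
    if last is not None and now - last > WINDOW_SECONDS:
        return 0
    return count


def captcha_required(conn, username, now=None) -> bool:
    return failed_attempts(conn, username, now) >= CAPTCHA_THRESHOLD


def record_failure(conn, username, now=None) -> int:
    now = time.time() if now is None else now
    new_count = failed_attempts(conn, username, now) + 1   # window reset applied here
    conn.execute(
        "UPDATE users SET failed_attempts = ?, last_failed_at = ? WHERE username = ?",
        (new_count, now, username),
    )
    conn.commit()
    return new_count


def record_success(conn, username) -> None:
    conn.execute(
        "UPDATE users SET failed_attempts = 0, last_failed_at = NULL WHERE username = ?",
        (username,),
    )
    conn.commit()


def attempt_login(conn, username, password, captcha_ok, now=None) -> str:
    """Return 'captcha_required', 'bad_credentials' or 'ok'.

    The CAPTCHA gate runs before the password check, so an attacker who has
    tripped the threshold learns nothing about the password until the CAPTCHA
    is solved, and nothing in the flow depends on a cookie the client controls.
    """
    if captcha_required(conn, username, now) and not captcha_ok:
        return "captcha_required"
    row = conn.execute(
        "SELECT salt, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # No account, so no per-user row to count against; a real deployment
        # also rate-limits per source IP to cover username guessing.
        return "bad_credentials"
    salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        record_failure(conn, username, now)
        return "bad_credentials"
    record_success(conn, username)
    return "ok"
```

The `now` parameter exists only so the window logic can be exercised deterministically; in production every call uses the clock. Resetting the counter on a successful login keeps a legitimate user from being stuck behind the CAPTCHA forever, and the expiry window does the same for an account an attacker has hammered and abandoned.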


Also keep this in mind if you store your password encrypted in your database.

PHP or MySQL should take the user input and encrypt that.

For example (not real and not safe code):

$query = "SELECT * FROM user WHERE user = " . $_POST['username'] . " AND password = " . sha512($_POST['password']);

What if your server can accept up to 8 MB of data in POST requests? The attacker can post 1 MB as the password, trying to DDoS the encryption to keep the server's CPU under high load.
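An added example of the guard this answer is getting at, in Python (not code from the thread): reject an oversized password before any hashing work is done, and look the user up with a bound parameter instead of the string concatenation in the snippet above. The 1024-byte cap, the table layout and the sample account are assumptions made for the example:

```python
import hashlib
import hmac
import os
import sqlite3

MAX_PASSWORD_BYTES = 1024   # assumed cap for this example; no real password needs more
PBKDF2_ROUNDS = 100_000


class PasswordTooLong(ValueError):
    """Raised before any hashing work when the submitted password is oversized."""


def password_bytes(password: str) -> bytes:
    """Enforce the cap on the encoded length, which is what the hash actually consumes."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return raw


def hash_password(raw: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """Constructed stand-in for the real user table (same names as the snippet above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user TEXT PRIMARY KEY, salt BLOB, password BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO user VALUES (?, ?, ?)",
        ("bob", salt, hash_password(b"hunter2", salt)),
    )
    conn.commit()
    return conn


def verify_login(conn, username: str, password: str) -> bool:
    # Cheap size check first: it runs before the database query and before the
    # expensive key derivation, so a 1 MB body costs one length comparison.
    raw = password_bytes(password)
    # Placeholder binding instead of concatenation: the username is data, never SQL.
    row = conn.execute(
        "SELECT salt, password FROM user WHERE user = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames take about the same time.
        hash_password(raw, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(raw, salt), stored)
```

The framework's request-body limit (the 8 MB in the answer) is the outer fence; the per-field cap is the inner one, and it is the cheaper of the two to check, so it should sit in front of whatever hashing or key-derivation routine the login code calls.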

Source link: http://www.djcxy.com/p/21618.html
