Using a fake salt to thwart brute force attacks

Working on a php login script and want to avoid Captcha, and challenge questions. I was thinking about implementing a ID#, ID and password login prompt.

All users already have a state license number assigned to them and I was thinking about using those numbers for a two-factor authentication. If they enter a license number and login ID that didn't match, they get a fake salt and automatically fail the password check.

All brute force attempts for the ID and password would fail but the bot wouldn't know why. The bot would have to match a real ID# with a real ID before getting a real salt and a chance at attacking the Password. The only vulnerability I see would be if they knew one of the users, and discovered their license number. However, if they didn't know the ID, they still wouldn't have a chance. After 5 failed attempts to login with a real ID and ID# and bad password the account would lock or I would add delays into the process.

Is this idea worth pursuing and what about the countermeasures I suggested? Thoughts?

链接地址: http://www.djcxy.com/p/3696.html

上一篇: 强制登录尝试

下一篇: 用假盐来阻止蛮力攻击