Preventing Brute Force Logins on Websites

 

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.

Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the delay method, lock out a legitimate user (or at least make the login process very slow for them).

Thoughts? Suggestions?

I think database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts . When numbeOfFailedAttempts > X you lockout for some minutes.

This means you're locking the userid in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.

There is at least one whole country is NAT'ed in asia, so IP's cannot be used for anything.

In my eyes there are several possibilities, each having cons and pros:

Forcing secure passwords

  • Pro : Will prevent dictionary attacks
  • Con : Will also prevent popularity, since most users are not able to remember complex passwords, even if you explain to them, how to easy remember them. For example by remembering sentences: "I bought 1 Apple for 5 Cent in the Mall" leads to "Ib1Af5CitM".

    • Lockouts after several attempts

  • Pro : Will slow down automated tests
  • Con : It's easy to lock out users for third parties
  • Con : Making them persistent in a database can result in a lot of write processes in such huge services as Twitter or comparables.

    • Captchas

  • Pro : They prevent automated testing
  • Con : They are consuming computing time
  • Con : Will "slow down" the user experience
  • HUGE CON : They are NOT barrier-free

    • Simple knowledge checks

  • Pro : Will prevent automated testing
  • Con : "Simple" is in the eye of the beholder.
  • Con : Will "slow down" the user experience

    • Different login and username

  • Pro : This is one technic, that is hardly seen, but in my eyes a pretty good start to prevent brute force attacks.
  • Con : Depends on the users choice of the two names.

    • Use whole sentences as passwords

  • Pro : Increases the size of the searchable space of possibilities.
  • Pro : Are easier to remember for most users.
  • Con : Depend on the users choice.

    • As you can see, the "good" solutions all depend on the users choice, which again reveals the user as the weakest element of the chain.

    Any other suggestions?

    You could do what Google does. Which is after a certain number of trys they have a captacha show up. Than after a couple of times with the captacha you lock them out for a couple of minutes.

    链接地址: http://www.djcxy.com/p/3690.html

    上一篇: 保护网站管理部分的最佳做法是什么?

    下一篇: 防止网站上的蛮力登录