How can I prevent brute-force attacks?
I'm working on authentication and adding brute-force protection. I'm not sure how I should proceed.

Should I just do a flat block after 15 failed attempts for a certain IP address... or should I tie it to username? Should there be both a captcha threshold and an absolute cutoff?

Are there other patterns I should be following?

Asked by Okay, 18/11, 2011 at 18:57

Comments:

Textualist: It would be helpful to know what type of system you are using. Linux/Windows? Apache?

Okay: @hafi I mentioned website. I'm making an authentication library to run on ASP.Net, so the platform depends on who uses my library.

Burse: I'd be more worried about a denial of service attack.

Tadich: This is pretty subjective; I've tried to tweak it to be more "good" than "bad" subjective. And, don't forget, we have a website for general security questions, Information Security.

Okay: @Will will you please migrate this question there. I didn't think about it when I asked it, but it would fit in a lot more there because it's not direct code.

Tadich: @Earlz: I'm going to ping one of their mods to see if it would be welcome. It's still a bit subjective, and sister site mods get real angry when SO mods migrate hinkey questions (search for "toilet" on Meta Stack Overflow to see what I mean). One of their mods can flag it for migration if they are okey dokey.

If someone is really trying a brute force, he may have a range of IPs to work with. What you could do is put an ever-increasing delay after each try, and make it username specific. CAPTCHAs can be beaten (to varying degrees), so put a captcha threshold, a 'slow things down' threshold, and then just block it for an hour.

Note that brute forcing in this manner is incredibly stupid, so I'd be more worried about the attacker getting a copy of the passwords from the database through an injection or whatever.

Answered by Squires, 18/11, 2011 at 19:02
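The three-tier scheme the answer sketches (captcha threshold, then growing per-attempt delays, then a one-hour block, all keyed on the username rather than the IP) as an added, runnable example; this is illustration code, not from the post or from any library, and the threshold values other than the one-hour block are constructed assumptions. The clock is injectable so the backoff can be tested without sleeping.

```python
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LoginPolicy:
    # Constructed example thresholds; only the one-hour block comes from the answer.
    captcha_after: int = 3        # require a CAPTCHA once this many failures
    slow_after: int = 5           # start exponential delays here
    block_after: int = 10         # hard block at this many failures
    base_delay_s: float = 1.0
    max_delay_s: float = 60.0
    block_duration_s: float = 3600.0

@dataclass
class _State:
    failures: int = 0
    not_before: float = 0.0       # earliest time the next attempt is accepted
    blocked_until: float = 0.0

class BruteForceGuard:
    """Tracks failures per username, since an attacker may rotate IPs."""
    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = policy or LoginPolicy()
        self.clock = clock
        self._by_user = {}

    def check(self, username):
        """Return (allowed, captcha_required, wait_seconds) for an attempt now."""
        s = self._by_user.get(username, _State())
        now = self.clock()
        captcha = s.failures >= self.policy.captcha_after
        if now < s.blocked_until:
            return (False, True, s.blocked_until - now)
        if now < s.not_before:
            return (False, captcha, s.not_before - now)
        return (True, captcha, 0.0)

    def record_failure(self, username):
        """Advance the user's tier; returns the new failure count."""
        p, now = self.policy, self.clock()
        s = self._by_user.setdefault(username, _State())
        s.failures += 1
        if s.failures >= p.block_after:
            s.blocked_until = now + p.block_duration_s
        elif s.failures >= p.slow_after:
            # 1s, 2s, 4s, ... capped, so the attacker's rate collapses quickly
            s.not_before = now + min(p.base_delay_s * 2 ** (s.failures - p.slow_after), p.max_delay_s)
        return s.failures

    def record_success(self, username):
        self._by_user.pop(username, None)   # a good login resets the counters
```

Because state is per username, a flood of failures against one account denies that user for an hour, which is the denial-of-service trade-off raised in the comments; the blocked-until timestamp is what a monitoring job would alert on.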
