
The aim is to prevent (as much as possible) brute-force attacks.

One solution is PHP `sleep()`, but I read that it uses a lot of server resources (for example, here http://bytes.com/topic/php/answers/745681-how-does-sleep-work).

Another solution: record the number of logins in MySQL; after the 2nd or 3rd failed login, echo and validate a captcha; after 5-6 failed logins set some time limit (how to do that without `sleep()`?), etc. The question is: will such a method use fewer system resources?

Please advise on a good method to prevent brute-force attacks... maybe after a certain number of failed login attempts redirect somewhere, or display some different content?

  • The second solution you describe sounds reasonable. `sleep()` sounds like a bad idea. – Pekka Feb 16 '13 at 13:51
  • There's good resources when you search SO for `php brute force`, for example [Brute-force/DoS prevention in PHP](http://stackoverflow.com/q/1727329) – Pekka Feb 16 '13 at 13:52
  • Second solution is the way to go...https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and http://stackoverflow.com/questions/4819464/increasing-time-delay-for-login-to-stop-bruteforcing-good-idea may help – Engineer Feb 16 '13 at 13:52
  • The question is whether recording data in MySQL uses a lot of system resources. If not, then for example, after the 10th failed attempt record in MySQL a datetime ~15 minutes after the current time and display different content for the user... but how many resources does it use? Record the datetime in MySQL, then on each submit connect to the database, select the datetime, compare it with the current datetime... Maybe some better way exists? –  Feb 16 '13 at 14:00

1 Answer


Your question "Prevention against brute force" is extremely debatable and technical.
I agree that using `sleep()` for prevention against brute force is not a good choice at all. But bulletproof protection against brute force is not possible. Yes, what we can do is make it as hard as possible.

My algorithm:
1) 3 login attempts. If the user logs in, fine; otherwise step 2. The very first catch is here in the first step: you will have to record all attempts and count them before you navigate further. Same in step 2.

2) 3 captcha validations. If the user logs in, fine; otherwise step 3.

3) Add the username to a blocklist and remove it again after a specific time limit. Of course, this adding and removing will use some extra resources and will surely raise some complications in terms of implementation.

4) Whenever any user tries to log in, first check whether that username is in the blocklist or not. If it is not in the blocklist, step 1. If it is in the blocklist, just display a message.

But let me make it clear that in order to build a system that can REALLY resist brute force, you will have to study the details and how-to of brute force. It's not a piece of cake. Don't expect to get a foolproof answer on SO or anywhere else.

I would also like to read from others about what their ideas are.

Bhavik Shah
  • Thanks for the answer. I only wonder about this: adding the username to a blocklist and removing it again after a specific time limit. In such a case it is possible that many usernames will end up in the blocklist.... –  Feb 16 '13 at 14:38
  • Yes. It would be a complete different table to store the usernames that are blocked temporarily. – Bhavik Shah Feb 16 '13 at 14:41
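
The following is an added worked example of the answer's four steps; it is not code from the original question, answer or comments. It assumes a `LoginThrottle` class with an in-memory array as the store (the `login_attempts` table in the comment is an assumed schema showing how the same three operations map to MySQL), and it keys the counter on username plus client IP so that an attacker who only knows a username cannot lock the legitimate user out. The block entry carries its own expiry time, so "removing it back" needs no cleanup job: a block that has expired is simply ignored on the next check. No `sleep()` is involved, so a blocked request costs one indexed lookup and returns immediately rather than tying up a PHP worker.

```php
<?php
// Added example (not from the original answer): a login throttle following the
// answer's four steps, keyed on username plus client IP. The store is an
// in-memory array here; in production the same operations map to a single
// table, assumed schema:
//
//   CREATE TABLE login_attempts (
//     attempt_key   CHAR(64) PRIMARY KEY,   -- sha256(username . '|' . ip)
//     failures      INT NOT NULL DEFAULT 0,
//     blocked_until INT NOT NULL DEFAULT 0  -- unix timestamp, 0 = not blocked
//   );

final class LoginThrottle
{
    public const CAPTCHA_AFTER = 3;   // step 1: three plain attempts
    public const BLOCK_AFTER   = 6;   // step 2: three more with captcha, then step 3
    public const BLOCK_SECONDS = 900; // step 3: 15-minute block that expires on its own

    /** @var array<string, array{failures:int, blocked_until:int}> */
    private array $store = [];

    private function key(string $username, string $ip): string
    {
        // Hash so the key has a fixed length and never contains raw user input.
        return hash('sha256', strtolower($username) . '|' . $ip);
    }

    /** Step 4: check the blocklist before doing anything else. */
    public function isBlocked(string $username, string $ip, ?int $now = null): bool
    {
        $now ??= time();
        $k = $this->key($username, $ip);
        $row = $this->store[$k] ?? null;
        if ($row === null) {
            return false;
        }
        if ($row['blocked_until'] > 0 && $row['blocked_until'] <= $now) {
            // Block expired: drop the row instead of running a separate unblock job.
            unset($this->store[$k]);
            return false;
        }
        return $row['blocked_until'] > $now;
    }

    /** Step 2: a captcha is required once CAPTCHA_AFTER failures have accumulated. */
    public function needsCaptcha(string $username, string $ip): bool
    {
        $row = $this->store[$this->key($username, $ip)] ?? null;
        return $row !== null && $row['failures'] >= self::CAPTCHA_AFTER;
    }

    /** Record a failed login; returns the new failure count. */
    public function recordFailure(string $username, string $ip, ?int $now = null): int
    {
        $now ??= time();
        $k = $this->key($username, $ip);
        $row = $this->store[$k] ?? ['failures' => 0, 'blocked_until' => 0];
        $row['failures']++;
        if ($row['failures'] >= self::BLOCK_AFTER) {
            $row['blocked_until'] = $now + self::BLOCK_SECONDS; // step 3
        }
        $this->store[$k] = $row;
        return $row['failures'];
    }

    /** A successful login clears the counter for this username/IP pair. */
    public function recordSuccess(string $username, string $ip): void
    {
        unset($this->store[$this->key($username, $ip)]);
    }
}

// Constructed demo: seven wrong guesses against "alice" from one IP (assumed values).
$throttle = new LoginThrottle();
$checkPassword = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';
$ip = '203.0.113.7';
$t = 1_000_000; // fake clock so the expiry can be shown without sleeping

foreach (['a', 'b', 'c', 'd', 'e', 'f', 'g'] as $i => $guess) {
    $now = $t + $i;
    if ($throttle->isBlocked('alice', $ip, $now)) {
        echo "attempt " . ($i + 1) . ": blocked, show the 'try again later' page\n";
        continue;
    }
    if ($throttle->needsCaptcha('alice', $ip)) {
        echo "attempt " . ($i + 1) . ": captcha required\n"; // validate the captcha here
    }
    if ($checkPassword('alice', $guess)) {
        $throttle->recordSuccess('alice', $ip);
    } else {
        $n = $throttle->recordFailure('alice', $ip, $now);
        echo "attempt " . ($i + 1) . ": wrong password (failure #$n)\n";
    }
}

// Fifteen minutes later the block has lapsed with no cleanup job having run.
var_dump($throttle->isBlocked('alice', $ip, $t + LoginThrottle::BLOCK_SECONDS + 10));
```

With a database store, `isBlocked` and `needsCaptcha` become one `SELECT ... WHERE attempt_key = ?` on the primary key and `recordFailure` one `INSERT ... ON DUPLICATE KEY UPDATE`, which is far cheaper than holding a worker in `sleep()`. Keying on username plus IP is the design choice that answers the comment above about many usernames landing in the blocklist: an attacker spraying one account from one address fills exactly one row, and rows disappear on their own once `blocked_until` has passed.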