6

I've seen web apps with limitations for user login attempts.

Is it a security necessity and, if so, why?

For example: you had three failed login attempts, let's try again in 10 minutes!!

Kate Gregory
  • 18,808
  • 8
  • 56
  • 85

8 Answers8

7

I saw a creative approach to this once...

For each login attempt, that fails, the lockout time increases... exponentially.

attempt | lockout time
======================
   1    |     2s
   2    |     4s
   3    |     8s
   4    |    16s
   5    |    32s
   6    |    64s
   7    |   128s
   8    |   256s
   9    |   512s
  10    |  1024s

In theory, it lets user make a mistake or two, but as soon as it appears to become a "hacking" attempt, the hacker gets locked out for longer and longer time periods.

I haven't used this myself (yet), but conceptually I quite like the idea. Of course on successful login, the counter is reset.

scunliffe
  • 62,582
  • 25
  • 126
  • 161
  • 2
    I have implemented something like this before, but found that it was not nearly forgiving enough; sometimes people genuinely forget their password and need to try several different combinations - perhaps try something like this but make sure the first 6 are all 0s, then start ramping up, shallowly. – thomasrutter Mar 30 '09 at 05:02
  • yeah that would work fine too. The idea is just to limit any "casual" attempts at hacking entry. Serious systems would need to take into account signs of a dictionary attack, Botnets, multiple IPs etc. – scunliffe Mar 30 '09 at 14:57
  • 1
    @Mark I agree and understand... thus the lockout times need to start small, and get bigger later... fumbling 3 or 4 times should be ok... but 6 or more usually indicates a hack attempt. The times I posted were just random... I'd adjust according to your needs (if you were to use this logic) e.g. I'd also enable a link or show a phone number where a user can call and get the counter reset if needed. – scunliffe Dec 05 '11 at 20:02
  • 1
    For that, something like this should help: `$lockout_time = pow(2, $attempts+1);` – helderk Jul 14 '21 at 16:18
2

The limiting of how many attempts to be made on a website are to prevent brute force (automated) attacks your site. If you don't limit these attempts, a hacker can set up a script to keep guessing passwords until it finds one, and this may impact the availability of your web server.

Typically, you may want to time the user out (10 minutes as you mentioned) after 3 attempts, and lock them out after 6 or 9 consecutive repeated attempts, forcing the user to contact you in order to unlock their account. This is put into place because someone can modify their scripts to adjust your timeout.

Roy Rico
  • 3,683
  • 6
  • 35
  • 36
  • so I have to implement the code when the user credentials has failed & it's not necessary when an email address (for example) has an invalid format. true? and is it ok to implement this by cookies or I have to do it using dbs? thanks for you reply :) –  Mar 25 '09 at 00:18
  • depending on how secure you want your site. The best way to determine what you need to do is to log each attempt... each time a user logs in, track their email, username, ip address and if their password was right or not. – Roy Rico Mar 25 '09 at 00:25
  • (continued..) be careful not to log the actual password typed. then if u see a trend, change your code to account for it. I wouldn't consider a typo a strike against the user, unless people start abusing it. – Roy Rico Mar 25 '09 at 00:29
  • 1
    I would stay away from using cookies, as they are easy to erase - in Firefox (Ctrl+Shift+Del). And any attacker wishing to brute-force your site would easily bypass that. CAPTCHA plus a lock-out period would be advisable. – St. John Johnson Mar 25 '09 at 03:16
  • 6
    You do not want to lock a user out. This is known as Account Lockout Vulnerability (http://www.owasp.org/index.php/Account_lockout_attack). – Tower Apr 25 '10 at 11:24
  • @Roy Rico: Kai Sellgren is right; you should also consider the side effects of such a measure. Locking a user out is a Denial of Service attack. – Gumbo Jul 02 '10 at 08:45
2

If users can set their own passwords, some bot/kid will try to log in with a list of common passwords, and succeed. And if they don't know any users, they will try common names like admin, simon, rico, etc.

It doesn't help to just flag the user in session, as they can just remove the cookie or query param on their end. You need to have a count of failed login attempts for both IP and login name. Maybe be more forgiving for the IP as it can be shared among many users.

OIS
  • 9,833
  • 3
  • 32
  • 41
2

Clarification This is a completion to the other answers. Using a good implemented captcha alongside an anti-bruteforce mechanism using sessions for example.
The questioner marked this as accepted assuming that captchas are unreadable by machines (she's almost right) and so it's getting negative points, because people think it's not a complete answer & they're right.

Also using a good implemented CAPTCHA could be an alternative way to enpower your application security against brute-force attacks. there's a wide variety of captcha providers available for free, let's try the easy way if you're in a hurry. Also please consider that there's people outta here saying that "oh, no! this captcha thing is not secure enough and they're right sometimes!".

"For those of you who don't know, a CAPTCHA is program that can tell whether its user is a human or another computer. They're those little images of distorted text that you translate when you sign up for Gmail or leave a comment on someone's blog. Their purpose is to make sure that someone doesn't use a computer to sign up for millions of online accounts automatically, or.." ref.

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
sepehr
  • 17,110
  • 7
  • 81
  • 119
  • 2
    @artarad: I'd be very annoyed if I got a captcha every time I tried to login. I don't think it should be displayed until they fail like 3 times, and then maybe give them another 3 or so tries before locking them out for a period of times. Captchas aren't unbreakable by machines...just more difficult. I think my prof cracked over 90% of em with his script. – mpen Dec 04 '11 at 19:09
1

For my own projects I wrote a generalized 'floodcontrol' library which handles this sort of thing.

It allows me to specify how many attempts may be made in X amount of time. It allows for a certain number of 'grace' attempts in a short time, so that only really unusual behaviour will be caught.

I record in the database a few things:

  • The IP address (or the first 24 bits of it)
  • The action that was attempted (ie 'log in', 'search', 'comment')
  • The time of the attempt
  • Number of attempts (attempt counter)

For each attempt made I query against the partial IP address and the action, and if a previous attempt was made within a certain window of time then I increment the attempt counter for that attempt. If the attempt counter exceeds the number of grace attempts allowed then I check whether the last attempt was within X seconds of now and if so, return false - therefore the action will be blocked (and the user will be told to wait X seconds before trying again). If the attempt counter is below the number of grace attempts then I return true and let it slide.

If a person with the same IP comes by later, then the previous attempt count won't be fetched, because it will be too long ago.

thomasrutter
  • 114,488
  • 30
  • 148
  • 167
  • 1
    Be careful of people using the same IP Address on a network. If 10 people were in an apartment with one external IP and they attempted to search your site, they would all be locked out immediately. – St. John Johnson Mar 25 '09 at 03:18
  • Good point. The number of grace logins should be high enough that the chance of people being affected by normal logging in activity should be very low. For example, if 20 people from similar IP addresses all log in within a period of a few minutes then it may trigger if the grace logins is < 20. – thomasrutter Mar 25 '09 at 15:39
  • 1
    In other words increasing the tolerance would be the only option; IP address is unreliable at identifying unique people but on the internet it is almost the only identifier you have - you could also take user-agent string into account though. – thomasrutter Mar 25 '09 at 15:41
0

Yes, it's necessary to protect accounts from sophisticated brute force attacks - as in, using bots and dictionary files - down to someone just trying to guess the password of the account.

L. Cosio
  • 227
  • 3
  • 9
0

I reckon putting a 'failed attempts' counter in the DB would be the safest and easiest way to go. That way the user can't bypass it (by disabling cookies). Reset on successful login of course.

You can count by IP and/or by username. Advantage of IP is that you can block one person trying to hack multiple accounts. If you count by username you can block people using a server farm and won't accidentally throttle people on the same network.

mpen
  • 272,448
  • 266
  • 850
  • 1,236
  • How would a user be unable to bypass it and how would it tell two users apart? – thomasrutter Mar 30 '09 at 05:03
  • IP address of course. Yes, this could cause problems for multiple users with the same IP... but if you just show a CAPTCHA or something when they've used up their attempts, I don't think it's a big loss. Did this really warrant a down vote? – mpen Mar 30 '09 at 21:31
  • 2
    You could always count it by the username, too. So that it's username+IP Address segregated, rather than just IP Address. That would mean that a shared IP wouldn't cause problems unless people were trying for the same account. Of course, that would allow distributed bot nets free reign, so why not just kill the IP address entirely? – RonLugge Dec 04 '11 at 17:44
  • @RonLugge: Good point. This actually came up at work not too long ago, I think we decided to just use username too. – mpen Dec 04 '11 at 19:06
0

Resetting the failed attempts after a correct login almost makes the whole system worthless.

Any registered user could then do three guesses on someone else's account and password, then log in with their own to reset the counter, and repeat — that can be automated, too. So a normal registered user can brute force admin passwords, for example.

The reset needs to be done by the admin, not by simply logging in successfully.

Flygenring
  • 3,818
  • 1
  • 32
  • 39
Matt
  • 9
  • 1
  • 4
    Not if the failed login attempts are counted against the specific user account that someone is trying to log in to. – Ren Nov 14 '12 at 09:25
  • Having a single, central counter for failed logins, as your answer implies, would also imply that if you miss three guesses then I would have to wait a bit to attempt my first login :/ – Flygenring Nov 23 '17 at 15:04