Login Block After Failed Attempts X

I want to block login for x minutes after unsuccessful attempts. I already plan to log user logins, so I think I could use the same database to decide when blocking is needed.

My questions:

  • Does it make sense to use the same log table to trigger the blocking logic after y failed attempts?
  • Some people have a table only for failed attempts, and I heard that they simply increment the number of failed logins. This does not make sense to me, since all they store is the number of failed attempts, and not over how long. 3 failed attempts in 10 minutes is not the same as 3 failed attempts in 3 days. Does the time interval matter? Do you block after x unsuccessful attempts, period, or after x failed attempts within a y-minute interval? And what is the best time frame for this?
  • Can someone clarify the approach to this practice?
+4
2 answers

You need what is called a password search box.

Basically two fields in the database: LastPasswordAttempt (datetime) and PasswordAttemptCount (int).

Then on each login, check when LastPasswordAttempt occurred, and if it was within the last, say, 10 minutes, increase PasswordAttemptCount; otherwise reset it to 0 (or 1, since they just made an attempt).

In the same logic, check whether PasswordAttemptCount is 5 or more; if so, deny the user access. You may have a third field that blocks them for several hours or a day,

i.e. CanLoginAfter (datetime), which you can set to one day after the last password attempt.

Hope this helps

+7
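
The counter approach from the answer above, written out as an added example (this is my illustration, not the answer author's code). It keeps the three columns the answer names, LastPasswordAttempt, PasswordAttemptCount and CanLoginAfter, in an in-memory SQLite table; the 10-minute window, the 5-attempt limit, the 1-day lockout and the `users` table layout are assumptions, and the clock is passed in so the window logic can be exercised deterministically.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed thresholds: 5 failures within 10 minutes lock the account for 1 day.
ATTEMPT_WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS = 5
LOCKOUT = timedelta(days=1)


def open_db():
    """Constructed schema with the three columns from the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               username             TEXT PRIMARY KEY,
               password             TEXT NOT NULL,   -- plaintext only to keep the example short;
                                                     -- real code compares a password hash
               LastPasswordAttempt  TEXT,            -- ISO-8601 datetime of the last attempt
               PasswordAttemptCount INTEGER NOT NULL DEFAULT 0,
               CanLoginAfter        TEXT             -- NULL when the account is not locked
           )"""
    )
    return conn


def add_user(conn, username, password):
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def try_login(conn, username, password, now):
    """Return 'ok', 'bad_password' or 'locked' for one login attempt at time `now`."""
    row = conn.execute(
        "SELECT password, LastPasswordAttempt, PasswordAttemptCount, CanLoginAfter "
        "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Same response as a wrong password, so the check does not reveal which usernames exist.
        return "bad_password"
    stored_pw, last_attempt, count, can_login_after = row

    # The lockout check comes first: a locked account is refused even with the right password.
    if can_login_after is not None and now < datetime.fromisoformat(can_login_after):
        return "locked"

    # Attempts older than the window no longer count, so a fresh series starts at 0.
    if last_attempt is None or now - datetime.fromisoformat(last_attempt) > ATTEMPT_WINDOW:
        count = 0

    if password == stored_pw:
        conn.execute(
            "UPDATE users SET LastPasswordAttempt = ?, PasswordAttemptCount = 0, CanLoginAfter = NULL "
            "WHERE username = ?", (now.isoformat(), username))
        return "ok"

    # Wrong password: bump the counter and, on the 5th failure, set CanLoginAfter a day ahead.
    count += 1
    lock_until = (now + LOCKOUT).isoformat() if count >= MAX_ATTEMPTS else None
    conn.execute(
        "UPDATE users SET LastPasswordAttempt = ?, PasswordAttemptCount = ?, CanLoginAfter = ? "
        "WHERE username = ?", (now.isoformat(), count, lock_until, username))
    return "locked" if lock_until else "bad_password"


def demo():
    """Five wrong passwords one minute apart, then correct logins an hour and a day later."""
    conn = open_db()
    add_user(conn, "alice", "correct horse")
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    results = [try_login(conn, "alice", "wrong", t0 + timedelta(minutes=i)) for i in range(5)]
    after_one_hour = try_login(conn, "alice", "correct horse", t0 + timedelta(hours=1))
    after_one_day = try_login(conn, "alice", "correct horse", t0 + timedelta(days=1, minutes=5))
    return results, after_one_hour, after_one_day


if __name__ == "__main__":
    print(demo())
```

Note that the counter only remembers the time of the *last* failure, so five failures each nine minutes apart still count as one series; that is the trade-off the question raises, and the log-based answer below the next post handles it with a true sliding window.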

One approach is to do this:

  • user_lockout: user_id, expires_dt (may be part of a regular user table)
  • failed_login_log: user_id, dt (may be part of another log table)

When user_id tries to log in, make sure expires_dt is in the past or NULL. (If it is in the future, the account is locked.)

After an unsuccessful login, insert an entry into failed_login_log, and then count the number of failed logins in the last X minutes ( WHERE dt > DATE_SUB(NOW(), INTERVAL X MINUTE) ).

If this count is greater than Y, update user_lockout.expires_dt to NOW() + Z MINUTES.

This locks the account for Z minutes after Y unsuccessful attempts within X minutes.

+1
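
The log-based (sliding window) approach from the answer above, as an added example that is not the answer author's code. It uses the two tables the answer names, user_lockout(user_id, expires_dt) and failed_login_log(user_id, dt), in an in-memory SQLite database; the values X=10, Y=3 and Z=30 minutes are assumptions, the lock is applied on the Y-th failure, and the MySQL `DATE_SUB(NOW(), INTERVAL X MINUTE)` is replaced by a timestamp computed in Python because SQLite has no DATE_SUB. The demo also answers the question's "3 in 10 minutes vs 3 in 3 days" point: only the burst locks the account.

```python
import sqlite3
from datetime import datetime, timedelta

X_MINUTES = 10   # window in which failures are counted (assumed)
Y_FAILURES = 3   # failures within the window that trigger a lock (assumed)
Z_MINUTES = 30   # lockout length (assumed)


def open_db():
    """Constructed schema matching the two tables in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_lockout (user_id INTEGER PRIMARY KEY, expires_dt TEXT);
        CREATE TABLE failed_login_log (user_id INTEGER NOT NULL, dt TEXT NOT NULL);
        -- the COUNT(*) below is a range scan on (user_id, dt), so index it
        CREATE INDEX idx_failed_login ON failed_login_log (user_id, dt);
    """)
    return conn


def is_locked(conn, user_id, now):
    """Locked when expires_dt exists and is still in the future."""
    row = conn.execute("SELECT expires_dt FROM user_lockout WHERE user_id = ?", (user_id,)).fetchone()
    return row is not None and row[0] is not None and datetime.fromisoformat(row[0]) > now


def record_failure(conn, user_id, now):
    """Log the failure, count failures in the last X minutes, lock on the Y-th.
    Returns the number of failures in the window."""
    conn.execute("INSERT INTO failed_login_log (user_id, dt) VALUES (?, ?)",
                 (user_id, now.isoformat()))
    window_start = (now - timedelta(minutes=X_MINUTES)).isoformat()
    # SQLite stand-in for: WHERE dt > DATE_SUB(NOW(), INTERVAL X MINUTE)
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM failed_login_log WHERE user_id = ? AND dt > ?",
        (user_id, window_start)).fetchone()
    if n >= Y_FAILURES:
        expires = (now + timedelta(minutes=Z_MINUTES)).isoformat()
        conn.execute("INSERT OR REPLACE INTO user_lockout (user_id, expires_dt) VALUES (?, ?)",
                     (user_id, expires))
    return n


def login_attempt(conn, user_id, password_ok, now):
    """One login attempt; `password_ok` stands in for the real credential check."""
    if is_locked(conn, user_id, now):
        return "locked"
    if password_ok:
        return "ok"
    n = record_failure(conn, user_id, now)
    return "locked" if n >= Y_FAILURES else "bad_password"


def demo():
    conn = open_db()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # User 1: three failures spread over three days, never more than one per 10-minute window.
    spread = [login_attempt(conn, 1, False, t0 + timedelta(days=d)) for d in range(3)]
    # User 2: three failures within five minutes; the third one locks the account.
    burst = [login_attempt(conn, 2, False, t0 + timedelta(minutes=2 * i)) for i in range(3)]
    during = login_attempt(conn, 2, True, t0 + timedelta(minutes=20))  # lock still active
    after = login_attempt(conn, 2, True, t0 + timedelta(minutes=40))   # lock expired
    return spread, burst, during, after


if __name__ == "__main__":
    print(demo())
```

Two practical points the answer leaves implicit: failed_login_log grows without bound, so rows older than X minutes (or whatever your audit retention requires) should be pruned periodically, and any per-account lockout lets someone who knows a username lock that user out deliberately, so Z should be modest and the lockout should be visible in your logs and alerting rather than silent.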

Source: https://habr.com/ru/post/1314686/

