Do I need to protect login?

I have a login page. Do I need to protect it with Captcha or how do I handle it?

For example, if a person knows the username, he can use curl or something else and repeatedly try to guess passwords. That will generate many MySQL queries and eat my resources.

So should I use Captcha on login? Or maybe I should store in $_SESSION how many times a person has tried to guess the password, and if he has guessed the password wrong 10 times, show a Captcha? Is it safe to keep such information in $_SESSION? Maybe I should also allow a person to attempt a login only every 10 seconds, again using $_SESSION? Will that be 100% safe? Or what would you suggest?

EDIT: Please read my comment on Eljakim's post.

+4
8 answers

Do not use the session for this.

Captcha might help, but it annoys your regular users.

You might want to track in your database how many invalid logins have been attempted from a specific IP address or for a specific username within (say) the last 10 minutes. If that crosses a certain threshold, just block that username or IP address for a while.

Do not do this in a session! An attacker probably won't send the cookie that keeps the session alive, or may simply manipulate it.

+4

Personally, I would not choose Captcha to handle several failed login attempts. Instead, you can store a counter in your database and increment it with every failed login attempt. When you reach your chosen number of failures (5 or 10 or something else), you can set a blocking period of ten minutes in the database during which you will not accept logins for this user.

This protects your users from brute-force password guessing. $_SESSION will not be effective here because the tools used for brute forcing are unlikely to accept or honor session cookies.

+1
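The database-backed counter that this answer, the first answer and the later answers that count failed logins in a table all describe, as an added example that is not code from the thread: a Python/sqlite3 implementation (the same logic ports directly to PHP and MySQL) that counts failures per username and per client IP inside a 10-minute window, locks a key for 10 minutes once it reaches 5 failures, and checks the lock before the password is verified, so a locked account rejects even the correct password. The table names, thresholds, the `_USERS` credential store and the IP addresses are constructed for the example.

```python
"""Database-backed failed-login throttle (added example; not code from the thread)."""
import hmac
import sqlite3
import time

MAX_FAILURES = 5         # failures tolerated inside the window before a key is locked
WINDOW_SECONDS = 600     # look-back window for counting failures: 10 minutes
LOCKOUT_SECONDS = 600    # how long a locked key stays locked: 10 minutes

# Constructed table names. Failures are stored per key ('user' or 'ip') so the
# same code throttles both the account and the client address.
SCHEMA = """
CREATE TABLE IF NOT EXISTS login_failures (
    key_type  TEXT    NOT NULL,
    key_value TEXT    NOT NULL,
    failed_at INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS login_failures_idx
    ON login_failures (key_type, key_value, failed_at);
CREATE TABLE IF NOT EXISTS login_lockouts (
    key_type  TEXT    NOT NULL,
    key_value TEXT    NOT NULL,
    until     INTEGER NOT NULL,
    PRIMARY KEY (key_type, key_value)
);
"""

# Constructed credential store. A real application keeps a password hash
# (PHP: password_hash()/password_verify()); plaintext here only keeps the example short.
_USERS = {"alice": "correct horse battery staple"}


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def verify_password(username, password):
    stored = _USERS.get(username.lower())
    return stored is not None and hmac.compare_digest(stored, password)


def _keys(username, ip):
    # Throttle on the account AND the address: rotating usernames is caught by
    # the IP key, rotating source addresses is caught by the username key.
    return (("user", username.lower()), ("ip", ip))


def is_blocked(conn, username, ip, now=None):
    """Return (blocked, seconds_remaining). Called BEFORE the password is checked."""
    now = int(time.time() if now is None else now)
    for key_type, key_value in _keys(username, ip):
        row = conn.execute(
            "SELECT until FROM login_lockouts WHERE key_type = ? AND key_value = ?",
            (key_type, key_value)).fetchone()
        if row is not None and row[0] > now:
            return True, row[0] - now
    return False, 0


def record_failure(conn, username, ip, now=None):
    """Store one failure per key; lock a key once it has MAX_FAILURES inside the window."""
    now = int(time.time() if now is None else now)
    for key_type, key_value in _keys(username, ip):
        conn.execute("INSERT INTO login_failures VALUES (?, ?, ?)",
                     (key_type, key_value, now))
        count = conn.execute(
            "SELECT COUNT(*) FROM login_failures "
            "WHERE key_type = ? AND key_value = ? AND failed_at > ?",
            (key_type, key_value, now - WINDOW_SECONDS)).fetchone()[0]
        if count >= MAX_FAILURES:
            conn.execute("INSERT OR REPLACE INTO login_lockouts VALUES (?, ?, ?)",
                         (key_type, key_value, now + LOCKOUT_SECONDS))
    conn.commit()


def record_success(conn, username):
    """Reset the account's history only. The IP counter is left alone on purpose:
    an attacker who owns one valid account must not be able to reset it."""
    conn.execute("DELETE FROM login_failures WHERE key_type = 'user' AND key_value = ?",
                 (username.lower(),))
    conn.execute("DELETE FROM login_lockouts WHERE key_type = 'user' AND key_value = ?",
                 (username.lower(),))
    conn.commit()


def attempt_login(conn, username, ip, password, now=None):
    """Complete login flow: returns 'locked', 'ok' or 'bad_password'."""
    blocked, _ = is_blocked(conn, username, ip, now)
    if blocked:
        return "locked"          # refused even if the password would be right
    if verify_password(username, password):
        record_success(conn, username)
        return "ok"
    record_failure(conn, username, ip, now)
    return "bad_password"
```

Two things worth noticing in the design. The lock is checked before the password is verified, so a locked key costs no hash computation and no credential lookup. And locking by username has a cost of its own: anyone who knows a victim's username can lock them out by deliberately failing five times, which is why many sites hard-block only the IP key and answer repeated failures on the username key with a captcha or a short delay instead of a lockout.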

May I suggest adding a call to sleep() to add extra inconvenience for brute-forcers?

Even two seconds of sleep cumulatively add to the time needed to run the brute-force attack you describe.

+1

3 things:

  • Use reCAPTCHA (run by Google).
  • Allow only a certain number (10) of login attempts per hour from a unique IP address before a timeout, such as an hour or two, has elapsed.
  • Set a cookie on successful login and don’t show Captcha if the user has this cookie so as not to annoy ordinary visitors.

This will take care of all hacking attempts. Based on your traffic and the number of hacking attempts you receive, you can tune the numbers.

+1

Do not worry about your MySQL queries; worry about the user's password. Insert a row into the database every time a user tries to log in and fails, and select those rows every time he/she tries to log in again; if login attempts > 5 → restrict the login.

0

Here you can have several levels of security. One option is to allow, say, 5 login attempts every X minutes. This will stop most brute-forcers. (You can also ban known brute-forcers by IP or something else.) Adding CAPTCHAs will obviously be even more useful; for example, after many unsuccessful attempts, simply display an obscured image generated with some PHP image functions. The more features you add, the safer. Please note that CAPTCHA is a problem for many legitimate users.

0

A retry counter in $_SESSION is invalid: if I do not accept your cookies in my brute-force script, I will get a new session for each request.

If you are trying to prevent DoS attacks: limit the number of requests per IP to a sufficient amount over a period of time.

If you are just trying to prevent password guessing: use a captcha, or store a count of failed logins in your database. (Maybe block the user after 3 failed attempts for an hour or so?)

0

I always choose one of two options: either a PIN-style approach, where after three failed passwords you send the user a new password, or a cooldown period of 2^(unsuccessful logins - 5) seconds, which very quickly becomes a huge delay; e.g. 7 failures give a 2^(7-5) = 4 s delay.

0
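The 2^(failed logins - 5) cooldown from this answer, as an added example that is not code from the thread: a small Python class keeping per-username state in memory, with the delay enforced by refusing the attempt outright rather than by sleeping, so a throttled request costs the server nothing. Two details are my additions, not the answer's: the `MAX_DELAY_SECONDS` cap so the exponent cannot grow without bound, and the `verify` callable, which is only invoked once the cooldown has passed. A real deployment would persist the state in the database, as the earlier answers explain, since a client that drops cookies never has a session.

```python
"""Exponential login cooldown of 2**(failures - 5) seconds (added example; not from the thread)."""
import time

FREE_FAILURES = 5          # failures that carry no delay at all (the answer's "- 5")
MAX_DELAY_SECONDS = 3600   # my addition: cap the wait so the exponent stays sane


def required_delay(failures):
    """Seconds a client must wait after `failures` consecutive failed logins."""
    if failures <= FREE_FAILURES:
        return 0
    return min(2 ** (failures - FREE_FAILURES), MAX_DELAY_SECONDS)


class LoginBackoff:
    """Per-username state: (consecutive failures, timestamp of the last failure)."""

    def __init__(self):
        self._state = {}

    def seconds_until_allowed(self, username, now=None):
        now = time.time() if now is None else now
        failures, last_failure = self._state.get(username, (0, 0.0))
        return max(0.0, last_failure + required_delay(failures) - now)

    def attempt(self, username, verify, now=None):
        """Returns 'wait', 'ok' or 'bad_password'.

        `verify` is a zero-argument callable that checks the password; it is only
        called once the cooldown has elapsed, so throttled requests do no work.
        """
        now = time.time() if now is None else now
        if self.seconds_until_allowed(username, now) > 0:
            return "wait"                      # refused even if the password is right
        if verify():
            self._state.pop(username, None)    # success resets the counter
            return "ok"
        failures, _ = self._state.get(username, (0, 0.0))
        self._state[username] = (failures + 1, now)
        return "bad_password"
```

After the fifth failure the sixth attempt is allowed immediately, the sixth failure imposes a 2 s wait, the seventh a 4 s wait (the answer's own figure), and so on doubling; after about twenty failures the cap is what keeps an account from being locked for hours by a single abusive client.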
