  1. #1
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts

    preventing brute force

    Hi guys, as a couple of you guys might know from my last post if you read it.

    I am looking into making my site more secure.

    Anyway, I have set up the login so that it sets a session, and when the user submits the login form it checks whether the session is active.

    If the session is not active it disables the form and asks for the user to enable sessions.

    If sessions are enabled then the form generates.

    It then checks the username, not the password yet.

    If the username is not correct it gives a session of login attempt +1, and when it reaches 3 it then locks the form and gives a message.

    If the username exists it then pulls from the database the salt, pepper and password so it can then check against the password given.

    The passwords are mashed together with the salt and pepper and sha256 encrypted.

    If the password does not match it then gives a session of login attempt +1 and when it reaches 3 it then locks the form and gives a message.

    If all is ok it then does all the magic.

    In case anyone is wondering how I am including the username in the database query, I am using the prepared statements of PDO, which from what I read takes care of any nasty people.

    Anyway, my question is: Is this a secure way of doing things?

    Thanks
    Last edited by devinmaking; 01-30-2013 at 09:44 AM.

  • #2
    New Coder
    Join Date
    Dec 2012
    Location
    USA
    Posts
    82
    Thanks
    3
    Thanked 17 Times in 17 Posts
    You would need to track the users' IP and their session ID - although, both are easily duped.

    Locking a user out after 3 attempts is practical, but it will not stop an experienced user.

    Locking out a Username is a good practice, but how would you allow the REAL user access if simultaneously his account is being locked out by a spammer?

  • Users who have thanked TFlan for this post:

    devinmaking (01-31-2013)

  • #3
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,641
    Thanks
    0
    Thanked 649 Times in 639 Posts
    On the sites where I require logins I don't lock accounts after any number of wrong passwords. Instead I lock the account for 15 seconds after any wrong password or attempt to login while the account is locked. That way the real owner isn't inconvenienced by their account being locked by someone else trying to break in and locking their account and any brute force attack will either fail completely if they don't guess right first go or if they do build in sufficient delay between attempts it will likely take many millions of years before they get to the right password (but I wouldn't expect them to build in such a delay which means that only their first guess is even considered).
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    devinmaking (01-31-2013)

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    ^
    This is very practical; a per basis flood control. Slows down brute, minimal interruption to legit. If you run a posting type system, you can actually make use of the IP only to the sense that if the IP has been used in the past for posting, that chances are somewhat high that the user is legit and simply keyed in wrong. You can reduce flood controls for such situation to like 5 seconds which is about the time for them to read the message and try again.
    I also implement temporary account lockouts though. I time them variably, but default would be set for 5 minutes. After three such attempts (of 5 or so attempts, so say 15 fails in total), I permanently lock the account, and send an email to the registered account with unlocking procedures to follow. This way they don't have to wait for me to unlock them.
    If the user's anything like I am, and I'm quite patient in attempts, after about 5 or 6 failed attempts I then run password reset procedures since I've obviously forgotten my password by this point. So make sure you create a password reset mechanism as well.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • Users who have thanked Fou-Lu for this post:

    devinmaking (01-31-2013)

  • #5
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Fou-Lu View Post
    ^
    This is very practical; a per basis flood control. Slows down brute, minimal interruption to legit. If you run a posting type system, you can actually make use of the IP only to the sense that if the IP has been used in the past for posting, that chances are somewhat high that the user is legit and simply keyed in wrong. You can reduce flood controls for such situation to like 5 seconds which is about the time for them to read the message and try again.
    I also implement temporary account lockouts though. I time them variably, but default would be set for 5 minutes. After three such attempts (of 5 or so attempts, so say 15 fails in total), I permanently lock the account, and send an email to the registered account with unlocking procedures to follow. This way they don't have to wait for me to unlock them.
    If the user's anything like I am, and I'm quite patient in attempts, after about 5 or 6 failed attempts I then run password reset procedures since I've obviously forgotten my password by this point. So make sure you create a password reset mechanism as well.
    So having 15 minutes is a little too much then.

    I have a forgot password function which generates a random 10 letter and number string for the first login and then prompts the user to change the password before he/she can do anything else when in the account.

    Do you guys know any hackers who, when I've finished, can test my site for issues so that I can make sure that others can't take advantage of them?

  • #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,641
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Quote Originally Posted by devinmaking View Post
    So having 15 minutes is a little too much then.
    Would you want to wait that long to try again if your finger slipped and you mistyped your password?

    You might lock an account for that long after several wrong passwords have been entered but not on each attempt.

    The suggestion of a lock for a few seconds is after each and every wrong attempt or attempt while locked. So typing a wrong password would lock the account for a few seconds - which most people would use up simply in realising that they typed it wrong and to retype it - so that a person shouldn't even notice the lock. Only a bot that is submitting 1000 passwords a second would be affected.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    New Coder
    Join Date
    Dec 2012
    Location
    USA
    Posts
    82
    Thanks
    3
    Thanked 17 Times in 17 Posts
    Most phones have a very good anti-randomly-guessing-passwords system.

    You have 5 attempts; after you fail 5 times you wait 60 seconds, then if you fail again it's 5 minutes, then again it's 10 min - or whatever the intervals are. The point is that the more times you fail the longer you have to wait. This shuts out brute force attacks, but allows the user the chance to retry in just a few moments and at the same time gives the user the sense that "hey, this website really cares about my account".

    Be vigilant. The forgot password section usually contains hole(s) for attackers to use. I remember back like ~5 years ago, Joomla had a vulnerability where you could type in literally just ' in the password recovery key field and it would instantly give you access to resetting the super-user's password. Lawlz. <offtopic> Every site I went to that was Joomla driven, I had super-user access, it was kinda fun - My school had this vulnerability as well. Wrote a script where you could press F12 on any page and it would black out the page and load a message saying "LOL HACKED" then load a game of snake, that made classes a bit more fun </offtopic>

    Quote Originally Posted by devinmaking View Post
    Do you guys know any hackers who, when I've finished, can test my site for issues so that I can make sure that others can't take advantage of them?
    I would love to be fully allowed to deface your website
    Last edited by TFlan; 01-31-2013 at 05:33 PM.

  • #8
    Regular Coder
    Join Date
    Aug 2012
    Posts
    142
    Thanks
    39
    Thanked 3 Times in 3 Posts
    So what kind of code sets up this time limit?
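    One way to set up such a time limit, added here as an example and not code from any poster in this thread: a PHP/PDO login check that keeps the failure counter and a lock-until timestamp in the user's database row (a counter kept only in the client's session can be reset by simply dropping the session cookie), locks the account for 15 seconds after every wrong password or attempt while locked as in felgall's scheme, and lengthens the wait on repeated failures as in TFlan's. It uses password_hash/password_verify rather than the salted SHA-256 described in the thread; the users table, its columns, the in-memory SQLite database and the delay schedule are assumptions.

```php
<?php
// Added example (not from the thread): per-account lock window stored server-side.
// Table/column names and the delay schedule are assumptions; the DB is an in-memory SQLite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY,
    pass_hash TEXT NOT NULL,
    failures INTEGER NOT NULL DEFAULT 0,      -- consecutive failed attempts
    locked_until INTEGER NOT NULL DEFAULT 0)'); -- unix time until which logins are refused
$pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Lock length in seconds after the Nth consecutive failure: a short lock at first
// (barely noticed by a human who mistyped), escalating for persistent failure.
function lockDelay(int $failures): int {
    if ($failures <= 3) return 15;
    if ($failures <= 5) return 60;
    if ($failures <= 7) return 300;
    return 600;
}

// Returns 'ok', 'denied' (wrong credentials) or 'locked' (attempt during the lock window).
function attemptLogin(PDO $pdo, string $username, string $password, int $now): string {
    $st = $pdo->prepare('SELECT pass_hash, failures, locked_until FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still spend a hash computation so response time does not
        // reveal which usernames exist, then return the same generic answer.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return 'denied';
    }
    if ($now < (int)$row['locked_until']) {
        // Any attempt while locked is refused unchecked and restarts a longer window.
        $pdo->prepare('UPDATE users SET failures = failures + 1, locked_until = ? WHERE username = ?')
            ->execute([$now + lockDelay((int)$row['failures'] + 1), $username]);
        return 'locked';
    }
    if (password_verify($password, $row['pass_hash'])) {
        $pdo->prepare('UPDATE users SET failures = 0, locked_until = 0 WHERE username = ?')
            ->execute([$username]);
        return 'ok';
    }
    $failures = (int)$row['failures'] + 1;
    $pdo->prepare('UPDATE users SET failures = ?, locked_until = ? WHERE username = ?')
        ->execute([$failures, $now + lockDelay($failures), $username]);
    return 'denied';
}

$t = time();
echo attemptLogin($pdo, 'alice', 'wrong', $t), "\n";             // wrong guess starts a 15 s lock
echo attemptLogin($pdo, 'alice', 'correct horse', $t + 5), "\n";  // right password, but inside the lock
echo attemptLogin($pdo, 'alice', 'correct horse', $t + 40), "\n"; // lock expired, succeeds
```

The second call is refused even though the password is right, which is what makes a bot's rapid guessing useless: only the first guess in each window is ever checked, while a human who pauses to retype is past the lock by the time they resubmit.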

  • #9
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by TFlan View Post
    Most phones have a very good anti-randomly-guessing-passwords system.

    You have 5 attempts; after you fail 5 times you wait 60 seconds, then if you fail again it's 5 minutes, then again it's 10 min - or whatever the intervals are. The point is that the more times you fail the longer you have to wait. This shuts out brute force attacks, but allows the user the chance to retry in just a few moments and at the same time gives the user the sense that "hey, this website really cares about my account".

    Be vigilant. The forgot password section usually contains hole(s) for attackers to use. I remember back like ~5 years ago, Joomla had a vulnerability where you could type in literally just ' in the password recovery key field and it would instantly give you access to resetting the super-user's password. Lawlz. <offtopic> Every site I went to that was Joomla driven, I had super-user access, it was kinda fun - My school had this vulnerability as well. Wrote a script where you could press F12 on any page and it would black out the page and load a message saying "LOL HACKED" then load a game of snake, that made classes a bit more fun </offtopic>

    I would love to be fully allowed to deface your website
    Don't want it defacing lol, just advising where the holes are.

