Preventing brute force
Hi guys, as a couple of you might know from my last post (if you read it), I am looking into making my site more secure.
Anyway, I have set up the login so that the login page sets a session and, when the user submits the login form, it checks whether the session is active.
If the session is not active, it disables the form and asks the user to enable sessions.
If sessions are enabled, then the form is generated.
It then checks the username, not the password yet.
If the username is not correct, it adds 1 to a login-attempt counter in the session, and when it reaches 3 it locks the form and gives a message.
If the username exists, it then pulls the salt, pepper and password from the database so it can check against the password given.
The passwords are mashed together with the salt and pepper and SHA-256 encrypted.
If the password does not match, it adds 1 to the login-attempt counter in the session, and when it reaches 3 it locks the form and gives a message.
If all is OK, it then does all the magic.
In case anyone is wondering how I am passing the username into the database, I am using PDO prepared statements, which from what I have read take care of any nasty people.
Anyway, my question is: is this a secure way of doing things?
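The flow described in the post, written out as an added example (not the original poster's code): the username is bound into a PDO prepared statement, the digest sha256(salt . pepper . password) is rebuilt and compared in constant time with hash_equals(), and failures are counted in the session until the form locks on the third. The table layout (users: username, salt, pepper, pass_hash), the sample account and the use of an in-memory SQLite database are assumptions made so the script runs offline from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed schema:
//   users(username, salt, pepper, pass_hash)
// $session stands in for $_SESSION so the script runs from the CLI.

const MAX_ATTEMPTS = 3;

function makeDigest(string $salt, string $pepper, string $password): string
{
    return hash('sha256', $salt . $pepper . $password);
}

function openDb(): PDO
{
    // In-memory SQLite with one constructed account; a real site connects to its own DB.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username  TEXT PRIMARY KEY,
        salt      TEXT NOT NULL,
        pepper    TEXT NOT NULL,
        pass_hash TEXT NOT NULL)');
    $salt   = bin2hex(random_bytes(16));
    $pepper = bin2hex(random_bytes(16));
    $ins = $db->prepare('INSERT INTO users (username, salt, pepper, pass_hash)
                         VALUES (:u, :s, :p, :h)');
    $ins->execute([
        ':u' => 'alice',
        ':s' => $salt,
        ':p' => $pepper,
        ':h' => makeDigest($salt, $pepper, 'correct horse battery staple'),
    ]);
    return $db;
}

/** One login attempt. Returns 'ok', 'failed' or 'locked'. */
function attemptLogin(PDO $db, array &$session, string $username, string $password): string
{
    $session['attempts'] = $session['attempts'] ?? 0;
    if ($session['attempts'] >= MAX_ATTEMPTS) {
        return 'locked';                       // the form stays locked for this session
    }

    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT salt, pepper, pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Hash even when the username is unknown (with dummy inputs), so an unknown
    // name is not measurably faster to reject than a wrong password.
    $salt   = $row['salt']      ?? 'dummy-salt';
    $pepper = $row['pepper']    ?? 'dummy-pepper';
    $stored = $row['pass_hash'] ?? str_repeat('0', 64);
    $ok = $row !== false && hash_equals($stored, makeDigest($salt, $pepper, $password));

    if (!$ok) {
        $session['attempts']++;
        return $session['attempts'] >= MAX_ATTEMPTS ? 'locked' : 'failed';
    }
    $session['attempts'] = 0;                  // reset the counter on success
    return 'ok';
}

// Demo: two wrong passwords, one unknown user (third strike), then the right
// password is refused because the form is now locked for this session.
$db = openDb();
$session = [];
foreach ([['alice', 'password1'], ['alice', 'letmein'], ['bob', 'hunter2'],
          ['alice', 'correct horse battery staple']] as [$u, $p]) {
    printf("%-6s %-30s %s\n", $u, $p, attemptLogin($db, $session, $u, $p));
}
```

Two design choices worth noting: the example merges the "username exists" and "password matches" checks into one answer so the response does not tell an attacker which usernames are valid, and it counts attempts in the session only, as the post does, which means an attacker who simply discards the session cookie starts a fresh count (the later replies in this thread deal with that by throttling per account). Separately, a pepper is normally kept in application configuration rather than in the same table as the hashes, so a dump of the users table alone is not enough to run the digest offline, and PHP's own password_hash()/password_verify() (bcrypt by default) is the usual replacement for a salted single-round SHA-256, which is very fast to brute-force offline.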
You would need to track the user's IP and their session ID, although both are easily duped.
Locking a user out after 3 attempts is practical, but it will not stop an experienced user.
Locking out a username is good practice, but how would you allow the REAL user access if his account is simultaneously being locked out by a spammer?
On the sites where I require logins I don't lock accounts after any number of wrong passwords. Instead I lock the account for 15 seconds after any wrong password or attempt to log in while the account is locked. That way the real owner isn't inconvenienced by their account being locked by someone else trying to break in and locking their account, and any brute force attack will either fail completely if they don't guess right first go, or, if they do build in sufficient delay between attempts, it will likely take many millions of years before they get to the right password (but I wouldn't expect them to build in such a delay, which means that only their first guess is even considered).
This is very practical: per-user flood control. It slows down brute force with minimal interruption to legitimate users. If you run a posting-type system, you can actually make use of the IP, in the sense that if the IP has been used in the past for posting, the chances are somewhat high that the user is legit and simply keyed in the wrong password. You can reduce flood controls for such a situation to something like 5 seconds, which is about the time it takes them to read the message and try again.
I also implement temporary account lockouts, though. I time them variably, but the default would be set to 5 minutes. After three such lockouts (of 5 or so attempts each, so say 15 fails in total), I permanently lock the account and send an email to the registered address with unlocking procedures to follow. This way they don't have to wait for me to unlock them.
If the user's anything like me (and I'm quite patient in attempts), after about 5 or 6 failed attempts I run the password reset procedure, since I've obviously forgotten my password by this point. So make sure you create a password reset mechanism as well.
So having 15 minutes is a little too much then.
Originally Posted by Fou-Lu
I have a forgot-password function which generates a random 10-character string of letters and numbers for the first login and then prompts the user to change the password before he/she can do anything else in the account.
Do you guys know any hackers who, when I've finished, can test my site for issues so that I can make sure others can't take advantage of them?
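A token-based variant of the forgot-password flow in the post above, as an added example that is not the poster's code: instead of mailing a temporary password, the site mails a random token, stores only its SHA-256 digest, gives it a lifetime, and accepts it once; redeeming it sets the same "must change password on next login" flag the post describes. The tables password_resets and users, the 30-minute lifetime and the in-memory SQLite database are assumptions so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed schema:
//   password_resets(token_hash, username, expires_at, used)
//   users(username, must_change)

const RESET_TTL = 30 * 60;   // assumed lifetime: 30 minutes

function openResetDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE password_resets (
        token_hash TEXT PRIMARY KEY,
        username   TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE users (
        username    TEXT PRIMARY KEY,
        must_change INTEGER NOT NULL DEFAULT 0)');
    $db->exec("INSERT INTO users (username) VALUES ('alice')");   // constructed account
    return $db;
}

/** Create a token for $username; the return value is what goes into the e-mailed link. */
function issueResetToken(PDO $db, string $username, int $now): string
{
    // 256 bits from the CSPRNG, not rand(), mt_rand() or uniqid().
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO password_resets (token_hash, username, expires_at)
                          VALUES (:h, :u, :e)');
    // Only the digest is stored: a leaked table does not hand out live tokens.
    $stmt->execute([':h' => hash('sha256', $token), ':u' => $username, ':e' => $now + RESET_TTL]);
    return $token;
}

/** Redeem a token. Returns its username, or null if unknown, expired or already used. */
function redeemResetToken(PDO $db, string $token, int $now): ?string
{
    // The token arrives as a bound parameter, so a value such as a lone quote
    // is just a token that does not exist.
    $digest = hash('sha256', $token);
    $stmt = $db->prepare('SELECT username, expires_at, used
                          FROM password_resets WHERE token_hash = :h');
    $stmt->execute([':h' => $digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['used'] === 1 || (int)$row['expires_at'] < $now) {
        return null;
    }
    $db->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = :h')
       ->execute([':h' => $digest]);
    // Force a password change on the next login, as the post describes.
    $db->prepare('UPDATE users SET must_change = 1 WHERE username = :u')
       ->execute([':u' => $row['username']]);
    return $row['username'];
}

// Demo of the four outcomes.
$db  = openResetDb();
$now = 1700000000;                      // fixed clock so the run is repeatable
$token = issueResetToken($db, 'alice', $now);
var_dump(redeemResetToken($db, $token, $now + 60));                 // valid, first use
var_dump(redeemResetToken($db, $token, $now + 120));                // same token again
var_dump(redeemResetToken($db, 'ffff' . substr($token, 4), $now));  // tampered token
$late = issueResetToken($db, 'alice', $now);
var_dump(redeemResetToken($db, $late, $now + RESET_TTL + 1));       // past its lifetime
```

The reset endpoint should be throttled like the login form, the reply to a request for an unknown e-mail address should look the same as for a known one, and the old token row should be invalidated when the user changes the password through any other route.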
Would you want to wait that long to try again if your finger slipped and you mistyped your password?
Originally Posted by devinmaking
You might lock an account for that long after several wrong passwords have been entered, but not on each attempt.
The suggestion of a lock for a few seconds is after each and every wrong attempt, or attempt while locked. So typing a wrong password would lock the account for a few seconds, which most people would use up simply in realising that they typed it wrong and retyping it, so that a person shouldn't even notice the lock. Only a bot that is submitting 1000 passwords a second would be affected.
Most phones have a very good anti-randomly-guessing-passwords system.
You have 5 attempts; after you fail 5 times you wait 60 seconds, then if you fail again it's 5 minutes, then again it's 10 min, or whatever the intervals are. The point is that the more times you fail, the longer you have to wait. This shuts out brute force attacks but allows the user the chance to retry in just a few moments, and at the same time gives the user the sense that "hey, this website really cares about my account".
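The per-account timer that the short-lock reply and the escalating-wait reply above both describe, as an added example that is not code from any post in this thread. Every wrong password, and every attempt made while the account is still locked, re-locks the account, and the lock length follows a schedule that grows with the number of consecutive failures, so one schedule array covers "15 seconds after every mistake" as well as "5 free attempts, then 60 s, 5 min, 10 min". The table login_throttle, the schedule values and the in-memory SQLite database are assumptions so the script runs offline; the clock is passed in as $now so the run is repeatable.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed schema:
//   login_throttle(username, fails, locked_until)
// The real password check happens elsewhere; its boolean result is passed in.

// Seconds to lock after the n-th consecutive failure (index n); the last entry repeats.
const LOCK_SCHEDULE = [0, 15, 15, 15, 15, 60, 300, 600];

function lockSecondsFor(int $fails): int
{
    return LOCK_SCHEDULE[min($fails, count(LOCK_SCHEDULE) - 1)];
}

function openThrottleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_throttle (
        username     TEXT PRIMARY KEY,
        fails        INTEGER NOT NULL,
        locked_until INTEGER NOT NULL)');
    return $db;
}

/** Seconds left on the account's lock, or 0 if an attempt is allowed now. */
function lockRemaining(PDO $db, string $username, int $now): int
{
    $stmt = $db->prepare('SELECT locked_until FROM login_throttle WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $until = $stmt->fetchColumn();                 // false when the account has no row
    return $until === false ? 0 : max(0, (int)$until - $now);
}

/** Count one more failure and (re)lock the account; returns the lock length applied. */
function recordFailure(PDO $db, string $username, int $now): int
{
    $stmt = $db->prepare('SELECT fails FROM login_throttle WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $fails = (int)$stmt->fetchColumn() + 1;        // false casts to 0 for a new row
    $lock  = lockSecondsFor($fails);
    // INSERT OR REPLACE is SQLite syntax; MySQL would use INSERT ... ON DUPLICATE KEY UPDATE.
    $up = $db->prepare('INSERT OR REPLACE INTO login_throttle (username, fails, locked_until)
                        VALUES (:u, :f, :l)');
    $up->execute([':u' => $username, ':f' => $fails, ':l' => $now + $lock]);
    return $lock;
}

function recordSuccess(PDO $db, string $username): void
{
    $db->prepare('DELETE FROM login_throttle WHERE username = :u')->execute([':u' => $username]);
}

/** Wrap the password check in the throttle. Returns [status, secondsToWait]. */
function throttledLogin(PDO $db, string $username, bool $passwordOk, int $now): array
{
    if (lockRemaining($db, $username, $now) > 0) {
        // An attempt during the lock counts as a failure and extends the lock.
        return ['locked', recordFailure($db, $username, $now)];
    }
    if (!$passwordOk) {
        return ['failed', recordFailure($db, $username, $now)];
    }
    recordSuccess($db, $username);
    return ['ok', 0];
}

$db = openThrottleDb();
$t  = 1700000000;                                   // fixed clock

// A bot firing one guess per second at "alice": after the 5th wrong guess it is
// held for 60 s, and every further guess only lengthens the lock.
for ($i = 1; $i <= 8; $i++) {
    [$status, $wait] = throttledLogin($db, 'alice', false, $t + $i);
    printf("t+%ds  bot   %-6s wait %ds\n", $i, $status, $wait);
}

// A real user ("bob") who mistypes once, reads the message, and retries 20 s later.
[$status, $wait] = throttledLogin($db, 'bob', false, $t);
printf("t+0s   bob   %-6s wait %ds\n", $status, $wait);
[$status, $wait] = throttledLogin($db, 'bob', true, $t + 20);
printf("t+20s  bob   %-6s wait %ds\n", $status, $wait);
```

Two things to carry into a real deployment: the read-then-write in recordFailure() should run inside a transaction (or be replaced by a single UPDATE ... SET fails = fails + 1) so concurrent requests cannot both read the same count, and a permanent lock after some number of escalations, with an e-mail unlock as the earlier reply suggests, is a separate rule layered on top of this one rather than another entry in the schedule.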
Be vigilant. The forgot-password section usually contains hole(s) for attackers to use. I remember back about 5 years ago, Joomla had a vulnerability where you could type in literally just ' in the password recovery key field and it would instantly give you access to resetting the super-user's password. Lawlz. <offtopic> Every site I went to that was Joomla driven, I had super-user access; it was kinda fun. My school had this vulnerability as well. I wrote a script where you could press F12 on any page and it would black out the page and load a message saying "LOL HACKED" and then load a game of Snake; that made classes a bit more fun. </offtopic>
I would love to be fully allowed to deface your website
Originally Posted by devinmaking
So what kind of code sets up this time limit?
Don't want it defaced lol, just advising where the holes are.
Originally Posted by TFlan