login timeout after failed attempts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I've seen this on many web sites, and I implement it on one of mine. Say you have it set up so that if a user fails a login 5 times, they must wait 15 minutes to try again.

Perfect.

But what if some script kiddy decides to run a script after he's gathered hundreds of login usernames, effectively disabling the login for hundreds of members at a time?

I don't see how something like that can be avoided, unless you make sure the form came from your domain, and even then, that doesn't make an attack like this impossible.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

One time tokens would require this hypothetical script kiddie to request the page and parse it. Hit him where it counts a bit, bandwidth. :)

Were you asking a question?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Even if there were one-time tokens,

what's to stop, say, a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.

This scenario would be using my actual form (and the token generated) to submit the form.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

scottayy wrote: Even if there were one-time tokens,

what's to stop, say, a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.

This scenario would be using my actual form (and the token generated) to submit the form.
It's only a temporary lock. You could always log the IP addresses along with failed logins.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

So, that's the only con I can think of to using this type of system.

In general terms, are you for or against login locking after X fails in X tries?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I have no problem with locking accounts automatically for login failures. Three or five attempts to a temporary lock is pretty customary on systems that use this. Some systems will ramp up the lock duration if they happen back-to-back.
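The policy feyd describes above (a temporary lock after a handful of failures, ramping up when locks happen back-to-back) combined with his earlier suggestion to log IP addresses with failed logins, as an added example that is not from the thread. Keying the counter on (username, source IP) and adding a per-IP ceiling across all usernames is my own assumption, meant to address s.dot's mass-lockout concern; the thresholds come from the thread where it states them (5 failures, 15 minutes) and are assumptions otherwise.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_FAILURES = 5              # per user+IP failures before a lock (thread: 5)
BASE_LOCK_SECONDS = 15 * 60   # first lock lasts 15 minutes (thread)
WINDOW_SECONDS = 15 * 60      # failures older than this are forgotten (assumption)
MAX_LOCK_SECONDS = 24 * 3600  # cap on the ramped-up lock (assumption)
IP_MAX_FAILURES = 20          # failures from one IP across ALL usernames (assumption)


@dataclass
class Bucket:
    failures: List[float] = field(default_factory=list)  # failure timestamps
    locked_until: float = 0.0
    lock_count: int = 0   # consecutive locks; each doubles the duration


@dataclass
class LoginThrottle:
    # Keyed on (username, source IP): a script hammering a username from one
    # address locks only that pairing, not the member logging in from home.
    buckets: Dict[Tuple[str, str], Bucket] = field(default_factory=dict)
    ip_failures: Dict[str, List[float]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)  # failed login + IP

    def attempt(self, user: str, ip: str, credentials_ok: bool, now: float) -> str:
        """Return 'locked', 'ip_blocked', 'ok', 'failed' or 'now_locked'."""
        b = self.buckets.setdefault((user.lower(), ip), Bucket())
        recent_ip = [t for t in self.ip_failures.get(ip, []) if now - t < WINDOW_SECONDS]
        self.ip_failures[ip] = recent_ip
        if now < b.locked_until:
            return "locked"
        if len(recent_ip) >= IP_MAX_FAILURES:   # one IP, many usernames
            return "ip_blocked"
        if credentials_ok:
            b.failures, b.lock_count, b.locked_until = [], 0, 0.0
            return "ok"
        self.audit_log.append(f"{now:.0f} FAILED_LOGIN user={user} ip={ip}")
        recent_ip.append(now)
        # a lock that expired more than a window ago is not "back-to-back"
        if now - b.locked_until > WINDOW_SECONDS:
            b.lock_count = 0
        b.failures = [t for t in b.failures if now - t < WINDOW_SECONDS] + [now]
        if len(b.failures) < MAX_FAILURES:
            return "failed"
        duration = min(BASE_LOCK_SECONDS * 2 ** b.lock_count, MAX_LOCK_SECONDS)
        b.lock_count += 1
        b.locked_until = now + duration
        b.failures = []
        return "now_locked"
```

The `now` parameter is passed in rather than read from the clock so the policy can be unit-tested; in production the buckets would live in a database or cache shared by all web nodes.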