login timeout after failed attempts

Posted: Sun Feb 25, 2007 5:01 pm
by s.dot
I've seen this on many web sites, and I implemented it on one of mine. Say you have it set up so that if a user fails a login 5 times, they must wait 15 minutes to try again.

Perfect.

But what if some script kiddie decides to run a script after he's gathered hundreds of login usernames, effectively disabling the login for hundreds of members at a time?

I don't see how something like that can be avoided... unless you make sure the form came from your domain, and even then, that doesn't stop an attack like this from happening.

Posted: Sun Feb 25, 2007 6:57 pm
by feyd
One time tokens would require this hypothetical script kiddie to request the page and parse it. Hit him where it counts a bit, bandwidth. :)

Were you asking a question?

Posted: Sun Feb 25, 2007 7:04 pm
by s.dot
Even if there were one-time tokens,

what's to stop... say... a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.

This scenario would be using my actual form (and the token generated) to submit the form.

Posted: Sun Feb 25, 2007 7:13 pm
by feyd
scottayy wrote:
Even if there were one-time tokens,

what's to stop... say... a top frame submitting JavaScript to a bottom frame that contains my actual login page? The JavaScript sends a predefined username and a random password, then submits the bottom frame's form.

This scenario would be using my actual form (and the token generated) to submit the form.

It's only a temporary lock. You could always log the IP addresses along with failed logins.

Posted: Sun Feb 25, 2007 8:49 pm
by s.dot
So, that's the only con I can think of to using this type of system.

In general terms, are you for or against login locking after X fails in X tries?

Posted: Mon Feb 26, 2007 9:07 am
by feyd
I have no problem with locking accounts automatically for login failures. Three or five attempts to a temporary lock is pretty customary on systems that use this. Some systems will ramp up the lock duration if they happen back-to-back.