Preventing Brute Force Logins on Websites

小鲜肉 2020-11-27 10:18

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

14 answers
  • 2020-11-27 10:40

    I think a database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numberOfFailedAttempts > X you lock out for some minutes.

    This means you're locking the userid in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.

    There is at least one whole country in Asia that is NAT'ed, so IPs cannot be used for anything.

  • 2020-11-27 10:43

    Old post, but let me post what I have at the end of 2016. Hope it still helps.

    It's a simple way, but I think it's powerful at preventing login attacks. At least I always use it on every website of mine. We don't need CAPTCHA or any other third-party plugins.

    When the user logs in for the first time, we create a session variable like

    $_SESSION['loginFail'] = 10; // any number you prefer
    

    If the login succeeds, then we destroy it and let the user log in.

    unset($_SESSION['loginFail']); // put it after create login session
    

    But if the user fails, as we usually send an error message to them, at the same time we reduce the session value by 1:

    $_SESSION['loginFail']-- ; // reduce 1 for every error
    

    and if the user fails 10 times, then we redirect them to another website or any other web page.

    // Only check the counter once it exists; the key must match the one set above.
    if (isset($_SESSION['loginFail'])) {
        if ($_SESSION['loginFail'] < 1) {
            header('Location: https://google.com/'); // or any web page
            exit();
        }
    }


    This way, the user cannot open or go to our login page anymore, because it redirects to another website.

    Users have to close the browser (to destroy the loginFail session we created) and open it 'again' to see our login page 'again'.

    Is it helpful?

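The two mechanisms proposed in this thread side by side, as an added example that is not code from either answer: the first answer's database-persisted per-account lockout (numberOfFailedAttempts and timeOfLastFailedLogin kept on the user record, with no write while the account is locked) and the second answer's session-only countdown. The class and function names, the SQLite schema, the PBKDF2 password storage, the constructed user "alice", and the threshold and window values are all assumptions made for the example; the second answer's text itself notes that a fresh session starts the counter over, which the demo shows.

```python
import hashlib
import hmac
import os
import sqlite3

# Parameters from the first answer: X failed attempts, then a short lockout.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300  # 5 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the example; the thread does not specify one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PersistedLockout:
    """Per-account lockout state stored with the user record (first answer).

    The counter and timestamp live in the database, so they survive new
    sessions, cleared cookies and changes of source address.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS users ("
            " userid TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,"
            " failed_attempts INTEGER NOT NULL DEFAULT 0,"
            " last_failed_at REAL NOT NULL DEFAULT 0)"
        )

    def add_user(self, userid: str, password: str) -> None:
        salt = os.urandom(16)
        self.conn.execute(
            "INSERT INTO users (userid, salt, pw_hash) VALUES (?, ?, ?)",
            (userid, salt, hash_password(password, salt)),
        )

    def attempt_login(self, userid: str, password: str, now: float) -> str:
        """Return 'ok', 'failed' or 'locked'. `now` is passed in so the
        lockout window can be exercised without sleeping."""
        row = self.conn.execute(
            "SELECT salt, pw_hash, failed_attempts, last_failed_at"
            " FROM users WHERE userid = ?", (userid,)
        ).fetchone()
        if row is None:
            return "failed"  # unknown account: same answer as a wrong password
        salt, pw_hash, failed, last_failed_at = row
        if failed >= MAX_FAILED_ATTEMPTS:
            if now - last_failed_at < LOCKOUT_SECONDS:
                return "locked"  # no database write while locked
            failed = 0  # lockout expired; the counter starts over
        if hmac.compare_digest(hash_password(password, salt), pw_hash):
            self.conn.execute(
                "UPDATE users SET failed_attempts = 0 WHERE userid = ?", (userid,))
            return "ok"
        self.conn.execute(
            "UPDATE users SET failed_attempts = ?, last_failed_at = ? WHERE userid = ?",
            (failed + 1, now, userid),
        )
        return "failed"


class SessionCounter:
    """Second answer's approach: the countdown exists only in the client's
    session, so a brand-new session starts from the full allowance."""

    def __init__(self, allowance: int = 10) -> None:
        self.allowance = allowance
        self.sessions: dict = {}

    def record_failure(self, session_id: str) -> int:
        remaining = self.sessions.get(session_id, self.allowance) - 1
        self.sessions[session_id] = remaining
        return remaining

    def is_blocked(self, session_id: str) -> bool:
        return self.sessions.get(session_id, self.allowance) < 1


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    guard = PersistedLockout(conn)
    guard.add_user("alice", "correct horse battery staple")  # constructed sample user
    t0 = 1_700_000_000.0
    results = {}
    for i in range(MAX_FAILED_ATTEMPTS):
        guard.attempt_login("alice", "wrong password", t0 + i)
    # Even the right password is refused inside the lockout window.
    results["during_lockout"] = guard.attempt_login(
        "alice", "correct horse battery staple", t0 + 10)
    # Once the window has passed, the counter resets and the login succeeds.
    results["after_lockout"] = guard.attempt_login(
        "alice", "correct horse battery staple", t0 + LOCKOUT_SECONDS + 10)
    results["unknown_user"] = guard.attempt_login("bob", "anything", t0)
    sess = SessionCounter()
    for _ in range(10):
        sess.record_failure("session-1")
    results["session_blocked"] = sess.is_blocked("session-1")
    results["new_session_blocked"] = sess.is_blocked("session-2")  # fresh session, full allowance
    return results


if __name__ == "__main__":
    print(demo())
```

The persisted version is what the first answer describes: state keyed by the account, reset only on success or after the window, and no write while locked. The session counter is there for contrast; because its state belongs to the session, the limit applies per session rather than per account, which is why the first answer keeps the count in the database.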