Enhancement
Prevent brute-force password guessing
Issue description
When n consecutive failed login attempts for user x are performed, the account should be locked for 24 hours. The user should receive an email with a link that unlocks the account with a single click.
Developer comments
Unfortunately, it is then quite simple to harass users: send 10 false login attempts. So I need to combine it with login throttling.
Interesting ideas from OWASP: introduce a random pause or use captchas after n failed attempts. This might do the trick against automated attacks (most important).
This should work: keep a record of the last consecutive failed login attempts. Temporarily disable the account for five minutes when there are more than 10, but require a captcha already after 5. A successful login clears the record.
A human password guesser would need approx. 20 minutes for 10 attempts. The most harm a robot can do is put the account into captcha mode.
* Failed login 1, failed login 2, 3, 4
* Captcha: 5, 6, 7
* Captcha & disable for 5 min: 8, 9, 10, …
Failed login attempts are recorded for existing and non-existing user accounts.
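As an added example (not code from the issue or the project), a Python sketch of the schedule in the list above. The thresholds, the record type and the injectable clock are assumptions; it follows the bullets (captcha from the 5th attempt, captcha plus a 5-minute lock from the 8th), records failures for non-existing names as well, does not count attempts made while locked, and clears the record on a successful login.

```python
import time
from dataclasses import dataclass

# Thresholds follow the bulleted schedule: 1-4 plain, 5-7 captcha, 8+ captcha and 5 min lock.
CAPTCHA_FROM_ATTEMPT = 5
LOCK_FROM_ATTEMPT = 8
LOCK_SECONDS = 5 * 60


@dataclass
class FailureRecord:
    count: int = 0             # consecutive failed attempts for this username
    locked_until: float = 0.0  # clock time at which a temporary lock expires


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._records = {}   # keyed by username, existing or not
        self._clock = clock  # injectable so a test can simulate waiting

    def state(self, username):
        """'open', 'captcha' or 'locked' for the next attempt on this name."""
        rec = self._records.get(username, FailureRecord())
        if self._clock() < rec.locked_until:
            return "locked"
        if rec.count + 1 >= CAPTCHA_FROM_ATTEMPT:
            return "captcha"
        return "open"

    def check(self, username, password_ok, captcha_ok=False):
        """Apply the schedule to one attempt; password_ok is the verifier's verdict."""
        rec = self._records.setdefault(username, FailureRecord())
        now = self._clock()
        if now < rec.locked_until:
            return "locked"              # not counted: a robot cannot extend the lock
        if rec.count + 1 >= CAPTCHA_FROM_ATTEMPT and not captcha_ok:
            return "captcha_required"    # the password is not even checked
        if password_ok:
            del self._records[username]  # a successful login clears the record
            return "ok"
        rec.count += 1
        if rec.count >= LOCK_FROM_ATTEMPT:
            rec.locked_until = now + LOCK_SECONDS
        return "denied"


class FakeClock:
    """Constructed clock for offline runs; bump .now to simulate waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```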
Work sessions (4)

| Start | End | Participant |
|---|---|---|
| 2021-03-08T09:11:36 | 2021-03-08T16:17:26 | Robert Cerny |
| 2021-03-09T09:07:48 | 2021-03-09T12:30:04 | Robert Cerny |
| 2021-03-09T12:46:20 | 2021-03-09T16:30:13 | Robert Cerny |
| 2021-03-10T07:17:47 | 2021-03-10T08:13:46 | Robert Cerny |