GetSimple Support Forum

Full Version: brute force protection captchas
I want to implement some brute force protection for our logins.

I was thinking we could add a captcha after x many failed logins.

This makes it a lot easier to handle than doing throttling delays, which can open you up to DoS attacks. It also avoids us having to do account locking, which can also be a DoS against a user.

Anyone have experience with captchas?
Guestbook, ARGuestbook, p01-contact, Pages Comments plugins use captchas.
Alternative is to lockout and send reset email with timed token link.

I am against time throttles, as they can allow DoS attacks that tie up many threads on your web server.

We can implement host blocking but any hacker worth their salt will be using a proxy anonymizer.
Maybe e.g. waiting 2^n seconds to allow logging after the n-th failed attempt?
The wait ties up a thread, an attacker could tie up all 200 threads in a php wait.
I like this one:

http://www.josscrowcroft.com/projects/mo...ry-plugin/

But maybe that's not the info you want..
Well, I think CAPTCHAs suck and are fairly useless. Can we secure it some other way?
How so?
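The opening post's idea (demand a captcha after x failed logins, with no sleep-based delay that would hold a web-server thread), written up as an added Python example; it is not GetSimple or any plugin's code, and the threshold, the 15-minute window, the per-account keying and the in-memory store are assumptions.

```python
"""Captcha-gated login guard (added example, not GetSimple code).

Counts failed logins per account inside a sliding window and requires a
captcha once the count reaches a threshold. Nothing here sleeps or locks
the account, so a flood of bad passwords costs the server a dict lookup,
not a blocked thread. Storage is an in-memory dict for the demo; a real
deployment would persist it (file or DB) so it survives across requests.
"""
import time
from collections import defaultdict, deque

FAIL_THRESHOLD = 3        # assumed: failures before a captcha is demanded
WINDOW_SECONDS = 15 * 60  # assumed: failures older than this are forgotten


class LoginGuard:
    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS,
                 clock=time.time):
        self.threshold = threshold
        self.window = window
        self.clock = clock                     # injectable for testing
        self._failures = defaultdict(deque)    # account -> failure timestamps

    def _recent(self, account):
        """Drop failures outside the window and return the remaining deque."""
        q = self._failures[account]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def captcha_required(self, account):
        return len(self._recent(account)) >= self.threshold

    def attempt(self, account, password_ok, captcha_ok=False):
        """Process one login; returns (logged_in, captcha_required).

        Keyed on the account rather than the client IP, since the thread
        notes that attackers rotate proxies. The captcha gate is checked
        before the password, so a correct guess cannot slip past it.
        """
        if self.captcha_required(account) and not captcha_ok:
            return False, True          # reject without touching the password
        if password_ok:
            self._failures.pop(account, None)   # success clears the counter
            return True, False
        self._recent(account).append(self.clock())
        return False, self.captcha_required(account)
```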