GetSimple Support Forum
brute force protection captchas - Printable Version


brute force protection captchas - shawn_a - 2013-03-13

I want to implement some brute force protection for our logins.

I was thinking we could add a captcha after x many failed logins.

This makes it a lot easier to handle than doing throttling delays, which can open you up to DoS attacks. It also avoids us having to do account locking, which can also be a DoS against a user.

Anyone have experience with captchas?


RE: brute force protection captchas - Carlos - 2013-03-16

Guestbook, ARGuestbook, p01-contact, Pages Comments plugins use captchas.


RE: brute force protection captchas - shawn_a - 2013-03-17

Alternative is to lockout and send reset email with timed token link.

I am against time throttles, as it can allow DoS attacks to tie up many threads on your web server.

We can implement host blocking but any hacker worth their salt will be using a proxy anonymizer.


RE: brute force protection captchas - Carlos - 2013-03-17

Maybe e.g. waiting 2^n seconds to allow logging in after the n-th failed attempt?


RE: brute force protection captchas - shawn_a - 2013-03-17

The wait ties up a thread; an attacker could tie up all 200 threads in a PHP wait.
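
The 2^n delay suggested above can be enforced without a sleeping worker by storing a "not before" timestamp and rejecting early attempts immediately, combined with the captcha after x failures from the first post. This is an added example, not part of the thread and not GetSimple code; the function names, thresholds and array store are assumptions.

```php
<?php
// Added example: names, thresholds and the in-memory store are assumptions.
// A real deployment would persist $store (file, DB or cache) keyed by username.

const CAPTCHA_AFTER = 3;    // "x" failed logins before a captcha is required
const MAX_DELAY     = 3600; // cap on the 2^n delay, in seconds

// Decide what to do with a login attempt before the password is checked.
// Returns 'wait', 'captcha' or 'check'. Never sleeps, so no worker is held.
function login_gate(array $store, string $user, int $now, bool $captchaSolved = false): string {
    $rec = $store[$user] ?? ['fails' => 0, 'not_before' => 0];
    if ($now < $rec['not_before']) {
        return 'wait';      // rejected immediately; the request ends here
    }
    if ($rec['fails'] >= CAPTCHA_AFTER && !$captchaSolved) {
        return 'captcha';   // password is only checked once the captcha is solved
    }
    return 'check';
}

// Record the outcome of a password check and return the updated store.
function login_result(array $store, string $user, bool $ok, int $now): array {
    if ($ok) {
        unset($store[$user]);   // a successful login clears the counter
        return $store;
    }
    $fails = ($store[$user]['fails'] ?? 0) + 1;
    $delay = min(2 ** min($fails, 30), MAX_DELAY);  // 2^n seconds after the n-th failure
    $store[$user] = ['fails' => $fails, 'not_before' => $now + $delay];
    return $store;
}

// Constructed walk-through: four wrong passwords for "admin", starting at t=1000.
$store = [];
$now = 1000;
foreach ([1, 2, 3, 4] as $n) {
    $store = login_result($store, 'admin', false, $now);
    $early = login_gate($store, 'admin', $now);     // retry with no pause
    $now   = $store['admin']['not_before'];         // retry as soon as allowed
    $later = login_gate($store, 'admin', $now);
    printf("failure %d: immediate retry=%s, after delay=%s\n", $n, $early, $later);
}
```

Because the state is keyed by username, the genuine user sees the same wait and captcha as the attacker, which is the lockout concern raised earlier in the thread.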


RE: brute force protection captchas - datiswous - 2013-03-21

I like this one:

http://www.josscrowcroft.com/projects/motioncaptcha-jquery-plugin/

But maybe that's not the info you want..


RE: brute force protection captchas - shovenose - 2013-03-22

Well, I think CAPTCHAs suck and are fairly useless. Can we secure it some other way?


RE: brute force protection captchas - shawn_a - 2013-03-22

How so?