Posts: 6,266
Threads: 181
Joined: Sep 2011
I want to implement some brute force protection for our logins.
I was thinking we could add a captcha after x many failed logins.
This makes it a lot easier to handle than doing throttling delays, which can open you up to DoS attacks. It also avoids us having to do account locking, which can also be a DoS against a user.
Anyone have experience with captchas ?
Posts: 3,491
Threads: 106
Joined: Mar 2010
Guestbook, ARGuestbook, p01-contact, Pages Comments plugins use captchas.
Posts: 6,266
Threads: 181
Joined: Sep 2011
An alternative is to lock out and send a reset email with a timed token link.
I am against time throttles, as they can allow DoS attacks that tie up many threads on your web server.
We can implement host blocking but any hacker worth their salt will be using a proxy anonymizer.
Posts: 3,491
Threads: 106
Joined: Mar 2010
Maybe e.g. waiting 2^n seconds to allow logging in after the n-th failed attempt?
Posts: 6,266
Threads: 181
Joined: Sep 2011
The wait ties up a thread; an attacker could tie up all 200 threads in a PHP wait.
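The two ideas in the thread (a captcha after x failed logins, and a 2^n wait after the n-th failure) can be combined without the thread-exhaustion problem raised above: instead of calling sleep(), the server stores a "not before" timestamp and rejects early requests immediately with a Retry-After value, so the worker is freed at once. The following is an added example written for this discussion, not code from any poster or from the forum's CMS; the thresholds, the per-(username, IP) key and the `check_password` callback are assumptions chosen for illustration, and the clock is injectable so the behaviour can be exercised without real waiting.

```python
from __future__ import annotations

import math
import time
from dataclasses import dataclass

# Constructed settings for the example (assumptions, not values from the thread).
CAPTCHA_AFTER = 3       # failed attempts before a captcha is required (the thread's "x")
MAX_BACKOFF = 15 * 60   # cap on 2**n so a stranger cannot lock a user out for days
FAILURE_WINDOW = 3600   # failures older than this are forgotten


@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0
    not_before: float = 0.0   # earliest time another attempt is accepted


class LoginThrottle:
    """Per (username, client IP) failure tracking that never sleeps.

    An attempt arriving before `not_before` is refused right away with the
    seconds left to wait; no worker thread is parked, so piling up requests
    cannot exhaust the server the way a sleep()-based delay would.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._states: dict[tuple[str, str], _State] = {}

    def _state(self, username: str, ip: str) -> _State:
        return self._states.setdefault((username, ip), _State())

    def check(self, username: str, ip: str) -> tuple[bool, int, bool]:
        """Return (allowed_now, retry_after_seconds, captcha_required)."""
        st = self._state(username, ip)
        now = self._clock()
        if st.failures and now - st.last_failure > FAILURE_WINDOW:
            self._states.pop((username, ip), None)     # stale record: start fresh
            return True, 0, False
        captcha = st.failures >= CAPTCHA_AFTER
        if now < st.not_before:
            return False, math.ceil(st.not_before - now), captcha
        return True, 0, captcha

    def record_failure(self, username: str, ip: str) -> int:
        """Register a failed attempt; return the delay (seconds) before the next one."""
        st = self._state(username, ip)
        now = self._clock()
        st.failures += 1
        st.last_failure = now
        delay = min(2 ** st.failures, MAX_BACKOFF)    # 2, 4, 8, ... capped
        st.not_before = now + delay
        return delay

    def record_success(self, username: str, ip: str) -> None:
        self._states.pop((username, ip), None)


def attempt_login(throttle: LoginThrottle, username: str, ip: str,
                  password: str, captcha_ok: bool, check_password) -> dict:
    """Login handler: throttle first, then captcha, and only then the password.

    `check_password(username, password) -> bool` is a hypothetical callback
    standing in for the application's real credential check.
    """
    allowed, retry_after, captcha_required = throttle.check(username, ip)
    if not allowed:
        # Map this to HTTP 429 with a Retry-After header; return immediately.
        return {"status": "rate_limited", "retry_after": retry_after}
    if captcha_required and not captcha_ok:
        # Do not touch the password store until the captcha is solved.
        return {"status": "captcha_required"}
    if check_password(username, password):
        throttle.record_success(username, ip)
        return {"status": "ok"}
    delay = throttle.record_failure(username, ip)
    return {"status": "failed", "retry_after": delay}


if __name__ == "__main__":
    # Constructed demo with a fake clock so it runs instantly.
    fake_now = [1_000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    verify = lambda user, pw: pw == "correct horse"
    for pw in ("a", "b", "c", "correct horse"):
        print(attempt_login(throttle, "alice", "203.0.113.9", pw, False, verify))
        fake_now[0] += 8
```

Keying on (username, IP) keeps one attacker from locking a legitimate user out from another address, which is the user-facing DoS the thread worries about; the trade-off is that an attacker rotating proxies gets a fresh counter per address, which is exactly the gap the captcha requirement (and a separate per-username cap) is meant to close.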
Posts: 1,247
Threads: 82
Joined: Feb 2011
I like this one:
http://www.josscrowcroft.com/projects/mo...ry-plugin/
But maybe that's not the info you want..
Posts: 687
Threads: 63
Joined: Nov 2011
2013-03-22, 03:58:18
(This post was last modified: 2013-03-22, 03:58:38 by shovenose.)
Well, I think CAPTCHAs suck and are fairly useless. Can we secure it some other way?
Posts: 6,266
Threads: 181
Joined: Sep 2011