brute force protection captchas
#1
I want to implement some brute force protection for our logins.

I was thinking we could add a captcha after x many failed logins.

This makes it a lot easier to handle than doing throttling delays, which can open you up to DoS attacks. It also avoids us having to do account locking, which can also be a DoS against a user.

Anyone have experience with captchas?
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#2
Guestbook, ARGuestbook, p01-contact, Pages Comments plugins use captchas.
#3
Alternative is to lockout and send reset email with timed token link.

I am against time throttles, as they can allow DoS attacks that tie up many threads on your web server.

We can implement host blocking but any hacker worth their salt will be using a proxy anonymizer.
#4
Maybe e.g. waiting 2^n seconds to allow logging after the n-th failed attempt?
#5
The wait ties up a thread; an attacker could tie up all 200 threads in a PHP wait.
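One way to put the three ideas in this thread together (the CAPTCHA-after-x-failures gate from #1, the lockout-plus-timed-reset-token from #3, and the 2^n backoff from #4) without the thread-holding problem raised in #5: never call sleep(). Each failure records a "not before" timestamp for the account, and a request that arrives earlier is rejected immediately, so no worker is held. This is an added example, not GetSimple code or any poster's code; the class name, the thresholds, the in-memory store (a real plugin would persist this per account in a file or database) and the token layout are all assumptions.

```php
<?php
// Added example, not from the thread or GetSimple: per-account login throttling
// that stores a "not before" time instead of sleeping, plus a CAPTCHA gate and a
// lockout path with a single-use, time-limited reset token.
// Thresholds, the in-memory store and the token format are assumptions.

final class LoginThrottle
{
    const CAPTCHA_AFTER = 3;     // failures before a CAPTCHA is demanded
    const LOCK_AFTER    = 10;    // failures before the account is locked
    const MAX_DELAY     = 900;   // cap on the 2^n backoff, in seconds
    const TOKEN_TTL     = 1800;  // reset-link lifetime, in seconds

    // $state[$user] = ['failures','not_before','locked','token_hash','token_expires']
    // Assumption: in-memory for the demo; persist per account in real use.
    private $state = [];

    private function get($user)
    {
        if (!isset($this->state[$user])) {
            $this->state[$user] = ['failures' => 0, 'not_before' => 0, 'locked' => false,
                                   'token_hash' => null, 'token_expires' => 0];
        }
        return $this->state[$user];
    }

    /** Decide before touching the password hash. Cheap: no waiting, no hashing. */
    public function check($user, $now)
    {
        $s = $this->get($user);
        $captcha = $s['failures'] >= self::CAPTCHA_AFTER;
        if ($s['locked']) {
            return ['allowed' => false, 'captcha' => $captcha, 'retry_after' => 0, 'locked' => true];
        }
        if ($now < $s['not_before']) {
            // Too early: reject now, with nothing held open server-side.
            return ['allowed' => false, 'captcha' => $captcha,
                    'retry_after' => $s['not_before'] - $now, 'locked' => false];
        }
        return ['allowed' => true, 'captcha' => $captcha, 'retry_after' => 0, 'locked' => false];
    }

    /** Call after a wrong password. Returns the seconds the next attempt must wait. */
    public function recordFailure($user, $now)
    {
        $s = $this->get($user);
        $s['failures']++;
        // 2^n backoff as proposed in the thread, capped so the window stays bounded.
        $delay = min(self::MAX_DELAY, 2 ** $s['failures']);
        $s['not_before'] = $now + $delay;
        if ($s['failures'] >= self::LOCK_AFTER) {
            $s['locked'] = true;
        }
        $this->state[$user] = $s;
        return $delay;
    }

    public function recordSuccess($user)
    {
        unset($this->state[$user]);
    }

    /** Lockout path: mint the token that goes into the e-mailed reset link. */
    public function issueResetToken($user, $now)
    {
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $s = $this->get($user);
        $s['token_hash'] = hash('sha256', $token);    // store only the hash
        $s['token_expires'] = $now + self::TOKEN_TTL;
        $this->state[$user] = $s;
        return $token;
    }

    /** Redeem the link: expiry check, constant-time compare, single use. */
    public function redeemResetToken($user, $token, $now)
    {
        $s = $this->get($user);
        if ($s['token_hash'] === null || $now > $s['token_expires']) {
            return false;
        }
        if (!hash_equals($s['token_hash'], hash('sha256', $token))) {
            return false;
        }
        unset($this->state[$user]);                   // unlock and burn the token
        return true;
    }
}

// Constructed walk-through: four bad passwords for "admin" at the same instant.
$t   = new LoginThrottle();
$now = 1700000000;
for ($i = 1; $i <= 4; $i++) {
    $t->recordFailure('admin', $now);
}
$r = $t->check('admin', $now);
var_dump($r['allowed'], $r['captcha'], $r['retry_after']);   // false, true, 16
$r = $t->check('admin', $now + 16);
var_dump($r['allowed']);                                     // true

$tok = $t->issueResetToken('admin', $now);
var_dump($t->redeemResetToken('admin', 'wrong', $now));                   // false
var_dump($t->redeemResetToken('admin', $tok, $now + 1801));               // false (expired)
```

Because nothing blocks, all 200 workers stay free no matter how many attempts arrive. The cost of keying on the account rather than the source address (which, as noted above, a proxied attacker defeats anyway) is that an attacker can keep pushing a victim's not_before forward; that is the DoS-against-a-user concern from #1, and it is why the CAPTCHA flag is raised before the password is ever checked and why the lockout ends in a reset link rather than a permanent block.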
#6
I like this one:

http://www.josscrowcroft.com/projects/mo...ry-plugin/

But maybe that's not the info you want..
#7
Well, I think CAPTCHAs suck and are fairly useless. Can we secure it some other way?
#8
How so?