Block Request for Multiple Unsuccessful Logins for a Period of Time

Block requests after multiple unsuccessful logins

You can't use session, as it requires the client to store a cookie for you, and an attacker is not going to help you out. You will need some global state.

You needn't bother tracking IP addresses, as a bad guy will just use an anonymizing proxy.

Don't use account lock-out unless you have to (PCI requirement), as this just lets the attacker DoS your users.

You also want to avoid DoS-ing yourself by making your server do too much work.

This works:

Upon unsuccessful authentication, store username in global state, along with count. Synchronized count++ if more unsuccessful authentications with that username. I use redis for this.

If count >= threshold, then demand solved CAPTCHA value before proceeding. Show CAPTCHA on login screen.

Upon successful authentication, clear stored username in global state. Give user "trusted user agent" HMAC'd cookie, so they don't have to CAPTCHA in the future for that username on that UA.

You can do the same for passwords, but probably with a higher threshold.

If you don't like CAPTCHA then demand Proof of Work, for example by making the client calculate and submit the prime factors of a very large number.

While you're at it, make sure you are using bcrypt to hash your passwords, and that the cost factor is high enough that it takes >= 250ms to hash a password. This slows down your server but also slows down an attacker. Avoid hashing unless they pass the CAPTCHA (if required).

Encourage users to use long, complicated, memorable? passwords, so that they're harder to brute-force.
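The scheme in the answer above (per-username failure counter in shared state, CAPTCHA demanded once the counter reaches a threshold, counter cleared and an HMAC'd "trusted user agent" cookie issued on success), written out as an added example that is not part of the original answer. It assumes a dict guarded by a lock as a stand-in for the answer's redis counter, a constructed user table, and a server-side secret called COOKIE_KEY; the CAPTCHA itself is represented by a captcha_solved flag supplied by the caller.

```python
import hmac
import hashlib
import threading

# Constructed stand-in for the shared counter (the answer uses redis):
# a process-local dict guarded by a lock so count++ is synchronized.
_failures = {}
_lock = threading.Lock()

CAPTCHA_THRESHOLD = 3
COOKIE_KEY = b"server-side-secret-example"   # assumed secret; load from config in practice

# Constructed credential store; real code stores bcrypt hashes, not plaintext.
_USERS = {"alice": "correct horse"}


def check_password(username, password):
    """Caller's real verifier goes here; constant-time compare on the toy store."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def record_failure(username):
    """Synchronized count++ for a username after a failed authentication."""
    with _lock:
        _failures[username] = _failures.get(username, 0) + 1
        return _failures[username]


def clear_failures(username):
    """Called on successful authentication."""
    with _lock:
        _failures.pop(username, None)


def make_trusted_cookie(username, user_agent):
    """HMAC over (username, user-agent) so the client cannot forge it."""
    msg = username.encode() + b"\x00" + user_agent.encode()
    return hmac.new(COOKIE_KEY, msg, hashlib.sha256).hexdigest()


def cookie_is_valid(username, user_agent, cookie):
    if cookie is None:
        return False
    expected = make_trusted_cookie(username, user_agent)
    return hmac.compare_digest(expected, cookie)


def captcha_required(username, user_agent, cookie=None):
    """True once the username is over threshold and this UA is not already trusted."""
    if cookie_is_valid(username, user_agent, cookie):
        return False
    with _lock:
        return _failures.get(username, 0) >= CAPTCHA_THRESHOLD


def login(username, password, user_agent, captcha_solved=False, cookie=None):
    """Returns (status, trusted_cookie_or_None)."""
    if captcha_required(username, user_agent, cookie) and not captcha_solved:
        # Refuse before doing any expensive password hashing.
        return "captcha_required", None
    if check_password(username, password):
        clear_failures(username)
        return "ok", make_trusted_cookie(username, user_agent)
    record_failure(username)
    return "failed", None
```

Note that the failure counter is keyed by username, not client IP, and that the trusted cookie only suppresses the CAPTCHA for the exact (username, user agent) pair it was minted for.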

Block User IP after 5 unsuccessful login attempts?

You should log failed attempts to a table; when the number of rows in that table exceeds the allowed number of failed login attempts, you should display an error message to say the user is locked out.

When the user has regenerated their password, remove the records from the table.

Sorry, just saw your other request for the IP address. In a web application you can use the following property from the HttpContext:

HttpContext.Current.Request.UserHostAddress

how to block user after 3 login attempts?

Add the following two columns to your row:

  • last_attempt as a datetime
  • attempt_count as an int

In your login logic, check these two values. If it's 3 or more and within the time frame (ex: 10 mins), then update last_attempt and increment attempt_count; this second part is not necessary, but you might want to know this. If it's been more than 10 mins, then set attempt_count back to 0 if they pass or 1 if they fail, and update last_attempt again.

As a bonus, you now also know the last time the user logged in, which is useful when you want to find unused accounts.

Block login if too many login attempts

I don't know what you mean by "block login" or "end code", but here is one way to signal to calling code if the correct password was locked, or if it should be locked:

import time

usernames = ("test", "test01", "test02")
passwords = ("test", "test01", "test02")

def username():
    # Loop until an accepted username is entered. The original had
    # continue/break outside any loop, which is a SyntaxError in Python.
    while True:
        print("Username: ")
        username = input("")
        if username in usernames:
            print("Username Accepted")
        else:
            print("Try Again (10 sec)")
            time.sleep(10)
            continue
        break

def password(n):
    # n is the number of remaining attempts; returns False once they run out.
    while True:
        print("Password: ")
        password = input("")
        if password in passwords:
            print("Password Accepted")
            return True
        n -= 1
        if n == 0:
            return False
        print("Try Again (10 sec)")
        time.sleep(10)

username()
if not password(3):
    print("Locked")
else:
    print("Access Granted")

It's best practice, btw, to not reveal if the username is correct. In other words, you read (username, password), then you validate it and tell the user if the combination is correct. Also, I would sleep 0 on the first failure, but then make it exponentially worse on each failure:
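An added example (mine, not the answer author's code) of the two points just made: the (username, password) pair is validated as a unit with one generic message, and the delay after a failure starts at 0 and doubles from there. It assumes a constructed credential store named _USERS, a read_pair() callback that supplies the next (username, password), and an injectable sleep function so the backoff can be observed without actually waiting.

```python
import hmac
import time

# Constructed credential store; real code stores bcrypt hashes, not plaintext.
_USERS = {"test": "test", "test01": "test01", "test02": "test02"}

BASE_DELAY = 1.0    # seconds after the second failure, then doubling
MAX_DELAY = 60.0    # cap so a long run of failures does not hang the session forever


def credentials_valid(username, password):
    """Check the pair as a unit; the caller learns only whether the combination matched."""
    stored = _USERS.get(username)
    if stored is None:
        # Compare against a dummy so an unknown username takes the same code path
        # as a wrong password instead of returning noticeably faster.
        hmac.compare_digest(b"x" * 8, password.encode())
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def backoff_delay(failures):
    """0 on the first failure, then 1, 2, 4, ... seconds, capped at MAX_DELAY."""
    if failures <= 1:
        return 0.0
    return min(MAX_DELAY, BASE_DELAY * 2 ** (failures - 2))


def authenticate(read_pair, max_attempts=3, sleep=time.sleep):
    """read_pair() returns (username, password). Returns True on success,
    False when the attempts are exhausted (the 'locked' signal)."""
    failures = 0
    while failures < max_attempts:
        username, password = read_pair()
        if credentials_valid(username, password):
            return True
        failures += 1
        print("Invalid username or password")   # same message for either case
        sleep(backoff_delay(failures))
    return False


if __name__ == "__main__":
    result = authenticate(lambda: (input("Username: "), input("Password: ")))
    print("Access Granted" if result else "Locked")
```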

Best way to limit (and record) login attempts

Use some columns in your users table 'failed_login_attempts' and 'failed_login_time'. The first one increments per failed login, and resets on successful login. The second one allows you to compare the current time with the last failed time.

Your code can use this data in the db to determine how long it waits to lock out users, the time between allowed logins, etc.
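The two-column approach described in this answer and in the earlier "last_attempt / attempt_count" answer, carried through as one added example (not code from either answer). It assumes an in-memory sqlite table with a constructed user, a 10-minute window and a threshold of 3 as in that earlier answer, and a now parameter so the time logic can be exercised without waiting; the password column holds plaintext only to keep the example short.

```python
import sqlite3
import time

WINDOW_SECONDS = 10 * 60   # the "10 mins" from the earlier answer
MAX_ATTEMPTS = 3


def open_db():
    """Constructed in-memory users table carrying the two extra columns."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        username TEXT PRIMARY KEY,
        password TEXT NOT NULL,                         -- store a bcrypt hash in real code
        failed_login_attempts INTEGER NOT NULL DEFAULT 0,
        failed_login_time REAL)""")
    db.execute("INSERT INTO users (username, password) VALUES ('alice', 'secret')")
    db.commit()
    return db


def failed_count(db, username):
    row = db.execute("SELECT failed_login_attempts FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0] if row else None


def attempt_login(db, username, password, now=None):
    """Returns 'ok', 'failed' or 'locked'. Unknown usernames report 'failed'
    so the response does not reveal which usernames exist."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT password, failed_login_attempts, failed_login_time "
        "FROM users WHERE username=?", (username,)).fetchone()
    if row is None:
        return "failed"
    stored, attempts, last = row
    in_window = last is not None and (now - last) < WINDOW_SECONDS

    if attempts >= MAX_ATTEMPTS and in_window:
        # Still inside the lockout window: record the attempt and refresh the
        # timestamp (the optional "increment and update" step from the answer).
        db.execute("UPDATE users SET failed_login_attempts=failed_login_attempts+1, "
                   "failed_login_time=? WHERE username=?", (now, username))
        db.commit()
        return "locked"

    if stored == password:
        # Success: reset the counter; the timestamp now doubles as last-login time.
        db.execute("UPDATE users SET failed_login_attempts=0, failed_login_time=? "
                   "WHERE username=?", (now, username))
        db.commit()
        return "ok"

    # Failure: count within the window, or start over at 1 if the window expired.
    new_count = attempts + 1 if in_window else 1
    db.execute("UPDATE users SET failed_login_attempts=?, failed_login_time=? "
               "WHERE username=?", (new_count, now, username))
    db.commit()
    return "failed"
```

Because the lockout is keyed by the user row rather than by client IP, it cannot be evaded by changing addresses, but it also means anyone who knows a username can keep that account locked; the CAPTCHA-based answer at the top of the page is the usual way to limit that.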
