
How to best count failed login attempts

New Here, Jun 14, 2013


If I want to count the number of failed login attempts what might be the best course of action?

Off the top of my head I figure I could:

  • Have a session variable that counts up to number X
  • Have a cookie variable
  • Insert the user's IP address into a database table for each failed attempt and when the form loads I check to make sure there aren't X number of strikes in the last 30 minutes.

It seems to me though that each of these can be gotten around. A session can be ended by opening a new browser window, cookies can be dumped, and while I don't know how, I know users can spoof IP addresses.

So I guess, is there another way to do it that is more secure? Granted none of my sites have that much traffic, but I want to show that I am taking security seriously.

Also I guess I should ask: do people even care about this anymore? Is lockout after X number of bad attempts just an older security standard that is more inconvenient than it is useful nowadays?

Thoughts and opinions are welcome from anyone.

Advocate, Jun 14, 2013


The ultimate count should be tied to the user account that is being logged into. In some of my applications I also attach counts to session and IPs, but these cannot be relied upon for security. While IPs can be spoofed (it is difficult), it is not difficult or uncommon for someone to use multiple IPs, especially if that someone is a hacker. Another thing to consider with any IP association is that many corporate users as well as household users may share a single IP address, so if you block one, or associate a count with one, you are associating a count with or blocking all of them. Lastly, a hacker knows how cookies work, so a session count would most likely be useless.

New Here, Jun 17, 2013


I had actually considered tracking usernames as well but dismissed that early on (and of course I realize now that was foolish of me), thinking that it would be better for overall site security to try and stop someone from repeatedly hitting the site trying different name / password combos. Thanks for pointing out that many people inside a network can have a single external IP; I'd actually come across that with my own office.

New Here, Jun 17, 2013


After thinking about this more here is what I'm thinking now.

I have a table that tracks failed login attempts. When such an event occurs I track:

  • The time
  • Username
  • IP
  • CFID

When someone tries to log in to the site, before it checks for validation it queries the bad attempts table for any of these values that have happened in, say, the last hour.

If there are, say, more than 5 attempts in the past hour it denies the logon and explains why.

That way in an hour's time they can try again.

Two other things that cross my mind are that I should email the person whose user account has the repeated failed attempts to let them know someone may be trying to hack their account. Lastly, I should probably have another field, say a single bit, that an admin can flip that causes the attempts to not count. I.e. if someone actually does make multiple bad attempts, then contacts an admin to get their account unlocked, once they verify they are who they say they are, allow them to log on without having to wait.

Advocate, Jun 18, 2013


Two other things I just remembered: only send your "someone is hacking" email once or twice, at specific counts. You don't want to fill someone's email inbox with hundreds or thousands of automated attack email alerts.

Also for us, our users supply an account number, user name and password. For slightly better security we opted to not give detailed info of what failed. Instead we return a generic "invalid account number, user name or password."

New Here, Jun 18, 2013


Very good points to remind me of, thanks again. I pretty much had that already, but it never hurts to be sure.

Community Expert, Jun 15, 2013


Jkensuke wrote:

    If I want to count the number of failed login attempts what might be the best course of action?

    Off the top of my head I figure I could:

      • Have a session variable that counts up to number X
      • Have a cookie variable
      • Insert the user's IP address into a database table for each failed attempt and when the form loads I check to make sure there aren't X number of strikes in the last 30 minutes.

A combination of those might be a good idea. Most hackers are, luckily, amateurs with one-track minds. Create a database table to log failed login attempts. For every failed attempt, log at least the datetime, IP, sessionID, username (which should be unique on your site), reason for failure and failure count.

In a query following a failed login, verify whether the IP, sessionID or username match any in the failed_login table, and, if so, whether the current datetime is within, say, 12 hours of the last failed login. If yes, increment the failure count by 1. If no, insert a new row in the table.

Use client-friendly messages to inform your visitors why their login fails. Study failed logins for common patterns. It just might be that you are the culprit, and that you have to improve your login design. There is one good reason for doing all that. Then you will know that those in your failed_login table really had it in for you.

If your site traffic is high, then consider archiving old data. Throw nothing away!
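The failed-login table sketched in the two posts above (hour window, five strikes, admin override bit in one; datetime/IP/sessionID/username log in the other), as an added example that is not code from the thread, written in Python with SQLite rather than ColdFusion. Column names, the thresholds and the alert counts are assumptions; the shared-IP caveat from the thread shows up in the combined check.

```python
import sqlite3
import time

# Added example, not code from the thread: an SQLite version of the failed-login
# table described above. Column names, thresholds and alert counts are assumptions.
LOCKOUT_WINDOW = 3600   # seconds; the thread's "last hour"
MAX_ATTEMPTS = 5        # deny the login once this many failures fall in the window
ALERT_AT = (5, 20)      # email the account owner only at these counts, not on every hit


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE failed_login (
        at INTEGER, username TEXT, ip TEXT, session_id TEXT, reason TEXT)""")
    # Admin-settable bit: while set, failures for this account do not lock it.
    db.execute("CREATE TABLE account (username TEXT PRIMARY KEY, skip_lockout INTEGER)")
    return db


def record_failure(db, username, ip, session_id, reason, now=None):
    """Log one failed attempt; return the count to alert on, or None."""
    now = int(time.time()) if now is None else now
    db.execute("INSERT INTO failed_login VALUES (?, ?, ?, ?, ?)",
               (now, username, ip, session_id, reason))
    count = db.execute("SELECT COUNT(*) FROM failed_login WHERE username = ? AND at > ?",
                       (username, now - LOCKOUT_WINDOW)).fetchone()[0]
    return count if count in ALERT_AT else None


def is_locked(db, username, ip, session_id, now=None):
    """True when username, IP or session together reach MAX_ATTEMPTS in the window.
    The account is the authoritative key; IP and session only add friction, and a
    shared office IP will lock out everyone behind it (the caveat raised above)."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT skip_lockout FROM account WHERE username = ?",
                     (username,)).fetchone()
    if row and row[0]:
        return False
    count = db.execute("""SELECT COUNT(*) FROM failed_login
        WHERE at > ? AND (username = ? OR ip = ? OR session_id = ?)""",
        (now - LOCKOUT_WINDOW, username, ip, session_id)).fetchone()[0]
    return count >= MAX_ATTEMPTS


def admin_unlock(db, username):
    """Flip the bypass bit after the user has verified their identity out of band."""
    db.execute("INSERT OR REPLACE INTO account VALUES (?, 1)", (username,))
```

Call `is_locked` before checking the password, and `record_failure` after a failed check; the returned count tells you when (and only when) to send the alert email.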
