Jkensuke

How to best count failed login attempts

Jun 14, 2013 4:59 PM

Tags: #security #login_attempts

If I want to count the number of failed login attempts, what might be the best course of action?

Off the top of my head I figure I could:

  • Have a session variable that counts up to number X
  • Have a cookie variable
  • Insert the user's IP address into a database table for each failed attempt, and when the form loads, check to make sure there aren't X number of strikes in the last 30 minutes.

It seems to me, though, that each of these can be gotten around. A session can be ended by opening a new browser window, cookies can be dumped, and while I don't know how, I know users can spoof IP addresses.

So I guess, is there another way to do it that is more secure? Granted, none of my sites have that much traffic, but I want to show that I am taking security seriously.

Also, I guess I should ask: do people even care about this anymore? Is lockout after X number of bad attempts just an older security standard that is more inconvenient than it is useful nowadays?

Thoughts and opinions from anyone are welcome.

 
Replies
  • Jun 14, 2013 5:18 PM   in reply to Jkensuke

    The ultimate count should be tied to the user account that is being logged into. In some of my applications I also attach counts to sessions and IPs, but these cannot be relied upon for security. While IPs can be spoofed, which is difficult, it is not difficult or uncommon for someone to use multiple IPs, especially if that someone is a hacker. Another thing to consider with any IP association is that many corporate users as well as household users may share a single IP address, so if you block one, or associate a count with one, you are associating a count with or blocking all of them. Lastly, a hacker knows how cookies work, so a session count would most likely be useless.
  • Jun 15, 2013 2:57 AM   in reply to Jkensuke

    Jkensuke wrote:

        If I want to count the number of failed login attempts, what might be the best course of action?

        Off the top of my head I figure I could:

        • Have a session variable that counts up to number X
        • Have a cookie variable
        • Insert the user's IP address into a database table for each failed attempt, and when the form loads, check to make sure there aren't X number of strikes in the last 30 minutes.

    A combination of those might be a good idea. Most hackers are, luckily, amateurs with one-track minds. Create a database table to log failed login attempts. For every failed attempt, log at least the datetime, IP, sessionID, username (which should be unique on your site), reason for failure and failure count.

    In a query following a failed login, verify whether the IP, sessionID or username match any in the failed_login table, and, if so, whether the current datetime is within, say, 12 hours of the last failed login. If yes, increment the failure count by 1. If no, insert a new row in the table.

    Use client-friendly messages to inform your visitors why their login fails. Study failed logins for common patterns. It just might be that you are the culprit, and that you have to improve your login design. There is one good reason for doing all that: then you will know that those in your failed_login table really had it in for you.

    If your site traffic is high, then consider archiving old data. Throw nothing away!
  • Jun 18, 2013 7:08 AM   in reply to Jkensuke

    Two other things I just remembered: only send your "someone is hacking" email once or twice, at specific counts. You don't want to fill someone's email inbox with hundreds or thousands of automated attack email alerts.

    Also, for us, our users supply an account number, user name and password. For slightly better security we opted not to give detailed info on what failed. Instead we return a generic "invalid account number, user name or password."
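The failed_login table and the increment-or-insert check described in the Jun 15 reply, keyed on the account as the first reply advises and returning the generic message from the Jun 18 reply, as an added example that is not code from this thread (Python with sqlite3; the 12-hour window, the strike threshold and the check_pw verifier are assumptions):

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed example, not code from the thread: a failed_login table with the
# columns the reply lists, keyed on the account name as the first reply advises.
WINDOW = timedelta(hours=12)   # assumed: the reply's "say, 12 hours"
MAX_STRIKES = 5                # assumed threshold for X
GENERIC_MSG = "invalid account number, user name or password."

def open_db():
    db = sqlite3.connect(":memory:")   # in-memory for the demo
    db.execute("""CREATE TABLE failed_login (
        username TEXT NOT NULL, ip TEXT, session_id TEXT, reason TEXT,
        last_failed TEXT NOT NULL, count INTEGER NOT NULL)""")
    return db

def record_failure(db, username, ip, session_id, reason, now):
    """Bump the account's count if its last failure is inside WINDOW,
    otherwise start a new row. Returns the count after this failure."""
    row = db.execute("SELECT rowid, last_failed, count FROM failed_login "
                     "WHERE username=? ORDER BY last_failed DESC LIMIT 1",
                     (username,)).fetchone()
    if row and now - datetime.fromisoformat(row[1]) <= WINDOW:
        db.execute("UPDATE failed_login SET count=count+1, last_failed=?, "
                   "ip=?, session_id=?, reason=? WHERE rowid=?",
                   (now.isoformat(), ip, session_id, reason, row[0]))
        return row[2] + 1
    db.execute("INSERT INTO failed_login VALUES (?,?,?,?,?,1)",
               (username, ip, session_id, reason, now.isoformat()))
    return 1

def is_locked(db, username, now):
    """True when the account has MAX_STRIKES or more failures inside WINDOW.
    Rows are never deleted ("throw nothing away"); they simply age out."""
    row = db.execute("SELECT last_failed, count FROM failed_login "
                     "WHERE username=? ORDER BY last_failed DESC LIMIT 1",
                     (username,)).fetchone()
    return bool(row) and row[1] >= MAX_STRIKES and \
        now - datetime.fromisoformat(row[0]) <= WINDOW

def attempt_login(db, username, password, ip, session_id, now, check_pw):
    """check_pw(username, password) is the site's own verifier (assumed).
    The message never says which field was wrong, as the Jun 18 reply does."""
    if is_locked(db, username, now):
        return False, GENERIC_MSG
    if check_pw(username, password):
        return True, "ok"
    record_failure(db, username, ip, session_id, "bad password", now)
    return False, GENERIC_MSG
```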
