A Simple Way To Prevent Brute-Forcing
2009-06-18 16:06:25
Hello all!
Here at Bagel_Blog, we have always had difficulty finding a good solution to brute forcing on login pages.
For those of you that don't know, Brute Forcing means that a hacker, or more likely a script kiddie, will use a program to exhaustively try every possible username/password combination (a, b, c... aa, ab, ac, ad...).
These are very difficult from a programmer's perspective because a login script needs a few important things:
- A realistic number of wrong password tries allowed before getting locked out.
- A way to unlock the login for your account if you break this limit.
- A secure way to reset a forgotten password.
There are several existing solutions to this problem. For one, a captcha has to be solved if you try the wrong password several times.
The problem is that most captchas are breakable. Lots of them are. And if one becomes popular, it will be broken.
While captchas will slow down a brute forcing attempt, all it takes is time.
Another way to do it is the administrative lockout, meaning that after a large number of wrong attempts, the user has to call, email or submit a request to get the account unlocked by an administrator.
While I use this for an absurd number of bad tries in a short time (1000+ in one hour), it is often abused.
My solution is much simpler.
A delay.
The biggest enemy of brute forcing is time.
If I add even a 1.5 second delay on a wrong password attempt, most brute forcing attempts will simply quit.
I currently use a system on the Bagel_Blog posting system that only allows one user to view the login page at a time, so there is no risk of distributed attacks (several thousand hacked computers brute forcing at the same time).
This is a problem for public pages, so I am working on that problem right now.
I'll let you know when I get that up and running.
So, to summarize:
In order to protect a public login page from brute forcing:
- Add a delay on wrong attempts. I say 1.5 to 3 seconds. (In PHP, sleep(2) sleeps for two seconds.)
- Have an administrative lockout feature as a backup. I'd say more than 1,000 bad attempts in one hour warrants an administrative lockout.
- Set up a captcha for more than 3 bad tries. I know I said this was not perfect, but it can repel the majority of script kiddie tools, and can help a lot.
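The three summary points above combined into one piece of login-page logic, written in Python as an added example (not the Bagel_Blog code, which is PHP): the LoginThrottle class, its method names and the in-memory store are assumptions; the delay, captcha and lockout thresholds are the post's.

```python
# Added example (not Bagel_Blog's code): the class, its methods and the
# in-memory store are assumptions; the thresholds are the post's.
import time
from collections import defaultdict, deque

WRONG_PASSWORD_DELAY = 2.0  # seconds to sleep on a wrong password (post: 1.5 to 3)
CAPTCHA_AFTER = 3           # captcha once the account has more than 3 bad tries
LOCKOUT_AFTER = 1000        # admin lockout once there are more than 1000 in one hour
WINDOW = 3600               # one hour, in seconds


class LoginThrottle:
    def __init__(self):
        # account -> timestamps of failed attempts (pruned to the last hour)
        self._failures = defaultdict(deque)
        self._locked = set()

    def _recent_failures(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW:   # drop attempts older than one hour
            q.popleft()
        return len(q)

    def check(self, account, now=None):
        """What the login page must do before accepting another password."""
        now = time.time() if now is None else now
        if account in self._locked:
            return "locked"     # only an administrator can clear this
        if self._recent_failures(account, now) > CAPTCHA_AFTER:
            return "captcha"    # more than 3 bad tries: show a captcha
        return "ok"

    def record_failure(self, account, now=None, sleep=time.sleep):
        """Call after a wrong password: count it, delay, lock if over the limit."""
        now = time.time() if now is None else now
        self._failures[account].append(now)
        if self._recent_failures(account, now) > LOCKOUT_AFTER:
            self._locked.add(account)
        sleep(WRONG_PASSWORD_DELAY)      # the delay is the core defense
        return self.check(account, now)

    def record_success(self, account):
        """A correct password clears the counter; a locked account stays locked."""
        self._failures.pop(account, None)

    def admin_unlock(self, account):
        self._locked.discard(account)
        self._failures.pop(account, None)
```

The sleep function is injectable so the policy can be tested without waiting; in production the default time.sleep blocks the request for the full delay, which is the point.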