I want to make brute-force protection (against the “brute force” method) in my PHP system for the Administrator Panel. I already have a CAPTCHA, but it does not protect. I want to make a timeout: enter a wrong password 5 times and rest for 12 hours. The problem is this: it’s just impossible to track a computer; many have dynamic IPs, and cookies are easily deleted. Writing to the database “for everyone” is also not good: what if someone just wants to play around, and then the administrator will have to wait a day.

There is, of course, another option: set a 5-second timeout after each password entry, to slow down the brute force; plus, after 100 incorrect passwords, you can send an email to the site owner saying that someone is trying to hack in.

What do you think about it?

  • The “other” option is more like it :) Only, are you going to record the number of attempts in the database? - atnartur
  • Yes. But that is just in addition. Without locks. - cheremushkin
  • And what if like this: after 10 unsuccessful attempts, the password is reset and a new one is sent to you by email. - atnartur
  • How to implement it, so that a password can be entered only every 5 seconds? - qiwi
  • And, yes, 100 failed authentication attempts are too many. You can make a mistake once, twice or three times. Forgot to switch the keyboard layout, for example. If your head is not working well, even 5-6 times is possible. But more than a dozen is a bad sign. And already more than enough to send a signal to the administration. - drdaeman

6 answers

After the first unsuccessful authorization attempt within an hour, “verify” the password for 5-10 seconds before telling whether it is correct. On login, the user is sent to an intermediate page, “just a minute, we are checking the password”, which refreshes only after 10 seconds, and only then will it be known whether we are logged in or not. Refreshed the page earlier? You keep waiting.

To do this on the server, each time you try to authorize:

  1. Check the time of the last failed login attempt. If it was more than an hour ago, go to step 5.
  2. Remember the start time of the request in the session.
  3. Serve the "please wait" page, which refreshes itself by every available means ( <meta http-equiv="Refresh" ...> , javascript, a manual "refresh" link).
  4. On each request, check whether 10 seconds have passed since the start. If not, see step 3; otherwise, step 5.
  5. Return the result of the authorization: if successful, log the user in; if not, remember the time of the unsuccessful authorization and go back to the login form, and from there start again from step 1.

Brute force at a rate of fewer than a dozen passwords per minute will quickly cease to be interesting. The legitimate user will wait their 10 seconds and log in successfully.

I do not recommend any kind of security-through-obscurity login, such as using GET parameters. It will be either not very useful or outright harmful (the login link will remain in the browser history and will regularly pop up in autocomplete: a great thing to show off to guests).

  • I like your option, I will take note of it, but I will not implement it until it is necessary. I just wanted to use GET, but not a static parameter, a dynamic one that is created for a while when the system notices brute-force attempts and is sent by email. - cheremushkin
  • The difficulty is that I do not know how to serve the page. I use AJAX for login and it will not be convenient to generate a page. - cheremushkin
  • @cheremushkin: Show what you have and how it works now, and someone will certainly advise what can be done. I do not see a problem: whether you serve pages or answers for "AJAX", it is all the same, processing HTTP requests. Simply, instead of answering "successful" or "unsuccessful" login, give another answer, “you need to wait”, and handle it on the client side. Without seeing the specifics, of course, it is difficult to say anything concrete. - drdaeman
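The five steps of this answer, as an added example in PHP that is not code from the answer or from the asker's system. The flow is written as a function over explicit state so it can be exercised from the command line and also mounted as a web handler; the function names, the one-hour window, the 10-second delay, the single admin account with a hard-coded bcrypt hash and the JSON file used as the failure store are all assumptions of this example. The intermediate page returns "wait" to the client (which also fits the AJAX case raised in the comments: the client just retries until it gets "ok" or "fail"):

```php
<?php
declare(strict_types=1);

// Added example (not from the answer above): steps 1-5 as a function over
// explicit state. All names and thresholds are assumptions of this example.

const FAIL_WINDOW  = 3600; // step 1: a failure less than an hour ago arms the delay
const WAIT_SECONDS = 10;   // steps 3-4: how long the "please wait" page is served

// Assumption: one admin account; in a real system the hash comes from the database.
function adminHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * One request of the login flow at unix time $now.
 *
 * $session   the PHP session (server side, per browser); holds the pending verdict.
 * $failures  per-account store of the last failed attempt time. Keep this OUT of
 *            the session (database, file, cache): a client that drops its cookie
 *            must not be able to reset it.
 *
 * Returns 'wait' (serve the self-refreshing page), 'ok' (log the user in) or 'fail'.
 */
function loginRequest(array &$session, array &$failures, string $account, string $password, int $now): string
{
    // Step 4: a verification is already pending for this session.
    if (isset($session['pending'])) {
        if ($now - $session['pending']['since'] < WAIT_SECONDS) {
            return 'wait';                                // back to step 3
        }
        $ok = $session['pending']['ok'];                  // step 5
        unset($session['pending']);
        return conclude($session, $failures, $account, $ok, $now);
    }

    $ok = password_verify($password, adminHash());        // constant-time compare

    // Step 1: no recent failure for this account -> answer straight away (step 5).
    if ($now - ($failures[$account] ?? 0) > FAIL_WINDOW) {
        return conclude($session, $failures, $account, $ok, $now);
    }

    // Step 2: remember the start time and the verdict, reveal nothing yet (step 3).
    // Only the boolean is kept in the session, never the submitted password.
    $session['pending'] = ['since' => $now, 'ok' => $ok];
    return 'wait';
}

function conclude(array &$session, array &$failures, string $account, bool $ok, int $now): string
{
    if ($ok) {
        $session['admin'] = $account;
        return 'ok';
    }
    $failures[$account] = $now;   // remembered server side; arms the delay for the next hour
    return 'fail';
}

// Step 3: a page that refreshes itself by every means the answer lists.
function waitPage(): string
{
    return '<!doctype html><meta http-equiv="Refresh" content="2">'
        . '<p>Just a minute, we are checking the password...</p>'
        . '<script>setTimeout(function(){location.reload();},2000);</script>'
        . '<a href="">Refresh</a>';
}

// Web entry point: POST account+password, or a refresh of the wait page (no body).
if (PHP_SAPI !== 'cli') {
    session_start();
    $store = sys_get_temp_dir() . '/login_failures.json';   // assumption: file-backed store
    $failures = is_file($store) ? (json_decode((string) file_get_contents($store), true) ?: []) : [];
    $result = loginRequest($_SESSION, $failures, $_POST['account'] ?? 'admin', $_POST['password'] ?? '', time());
    file_put_contents($store, json_encode($failures), LOCK_EX);
    echo $result === 'wait' ? waitPage() : ($result === 'ok' ? 'Logged in' : 'Wrong password');
    exit;
}

// CLI demonstration on a constructed timeline (php this_file.php).
$session = [];
$failures = [];
$t = 1000000;
echo loginRequest($session, $failures, 'admin', 'wrong', $t), "\n";                            // fail: first attempt answers at once
echo loginRequest($session, $failures, 'admin', 'correct horse battery staple', $t + 1), "\n"; // wait: a failure an hour ago arms the delay
echo loginRequest($session, $failures, 'admin', 'anything', $t + 5), "\n";                     // wait: refreshing early does not help
echo loginRequest($session, $failures, 'admin', 'anything', $t + 11), "\n";                    // ok: verdict released after 10 s
```

Two points worth noticing when running it. A request arriving without a session cookie starts a fresh session and only ever receives "wait", so a client that refuses cookies learns nothing rather than bypassing the delay. What the per-session pending record does not bound is many sessions opened in parallel against the same account, each waiting its own 10 seconds; the failure time is per account, so the delay applies to all of them, but a cap on pending verifications per account (or the per-account and per-IP limits discussed further down the page) is needed to bound the total rate.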

Firstly, it is worth adding protection against excessively frequent page requests. Secondly, I will offer this option: write the user id and the attempt time to a file or elsewhere, and double the timeout for entering the password each time, up to 24 hours.

This method was recommended on Habr, though for somewhat different purposes.

Dynamic IP is actually a bit of a fairy tale. In fact, it does not change with every reconnection, even on dial-up (which, I think, no longer exists nowadays). Plus, you can use a unique key (md5 of the user agent, IP, and some other data).

  • Mine changes, for example. And not on herbalife ^W dialup. Although you can filter not by IP, but by subnet or even by autonomous system number. But such a “unique key” will allow the brute-forcer not even to change IP, but simply to knock each time with a new User-Agent. I.e. it will not improve the situation, but worsen it. - drdaeman

We are talking about the admin panel? Well, as an option, move the admin panel, i.e. change the URL; you can leave the old one, but have it always say the password is wrong. If they bypass the captcha, then change the captcha to a more complex one; for example, sometimes it is very difficult to read what is written there. A captcha mainly helps against bots, but it also helps against a live brute-forcer, who after a couple of dozen captchas will give up this activity.

  • Ha, I just came up with this option before bedtime. I will generate a special hash code that will be active for a while and will provide a "back entrance" to the admin panel, in order to log in without any problems and block the "main entrance" for a while. Only the admin will know the hash; it will come to his email. - cheremushkin

Wrote such a thing long ago, dig in:

    <?php
    session_start();
    $time = time();

    ### Allow requests
    # no more often than
    $max_n = 5;   # times
    # per
    $max_t = 10;  # seconds

    if (empty($_SESSION['ban']['time'])) {
        $_SESSION['ban']['time'] = $time;   // start of the current window
    }
    if (empty($_SESSION['ban']['rate'])) {
        $_SESSION['ban']['rate'] = 1;       // requests seen in this window
    }

    if ($_SESSION['ban']['time'] + $max_t < $time) {
        unset($_SESSION['ban']);            // window expired: reset and allow
        echo 'true';
    } else {
        if ($_SESSION['ban']['rate'] > $max_n) {
            echo 'false';                   // over the limit for this window
        } else {
            $_SESSION['ban']['rate']++;
            echo 'true';
        }
    }
  • This code gives a false sense of protection. It protects against the legitimate user in the browser, and does not protect against the real attacker who wants to brute-force passwords. The attacker simply will not provide the session identifier (in the simplest case, just banally not accepting cookies) and will quietly go through at maximum speed without being limited by anything. - drdaeman
  • It is just an example ><. I threw it in so that the algorithm would be clear; I myself rewrote the code for MySQL long ago. - Fangog
  • Whether it is MySQL or $_SESSION makes no difference. This is not about data storage. The point is that you need to limit on the correct object(s). And in the user session, as you do, it is useless, and even more, harmful. By the account being logged into, it is useful. Or by IP, for example; it is useful to avoid a massive brute force with one password over a heap of accounts (“perhaps someone has ‘12345’”). I have sketched a relatively universal piece of code here. It only needs an array with the times, whether of attempts to authorize into one account or from a single IP. - drdaeman
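An added example in PHP, not code from the page or from any of its participants, serving two passages: the answer above that suggests doubling the password-entry timeout per user id up to 24 hours, and drdaeman's comment that the limit must be kept on the right objects (the account being logged into, and the source IP) rather than in the caller's session. The $store array stands in for the file or database row the answers mention; the function names, the 5-second base lockout, the 10-minute IP window and the attempt cap are assumptions of this example:

```php
<?php
declare(strict_types=1);

// Added example (not from the page): a doubling lockout per ACCOUNT and a
// sliding-window failure count per IP, both kept server side in $store
// (stand-in for a file or database). All thresholds are assumptions.

const BASE_LOCK       = 5;         // seconds after the first failure on an account
const MAX_LOCK        = 24 * 3600; // doubling stops here (24 hours)
const IP_WINDOW       = 600;       // seconds
const IP_MAX_ATTEMPTS = 20;        // failures per IP inside the window

/** Seconds the account is still locked at $now; 0 if it may try. */
function accountLockRemaining(array $store, string $account, int $now): int
{
    $acc = $store['account'][$account] ?? ['fails' => 0, 'last' => 0];
    if ($acc['fails'] === 0) {
        return 0;
    }
    $lock = min(MAX_LOCK, BASE_LOCK * (2 ** ($acc['fails'] - 1)));   // 5, 10, 20, ... seconds
    return max(0, $acc['last'] + $lock - $now);
}

/** Failure times for $ip that still fall inside the window. */
function recentIpFailures(array $store, string $ip, int $now): array
{
    $times = $store['ip'][$ip] ?? [];
    return array_values(array_filter($times, function ($t) use ($now) {
        return $t > $now - IP_WINDOW;
    }));
}

/** True when this IP has reached IP_MAX_ATTEMPTS failures in the last IP_WINDOW seconds. */
function ipLimited(array $store, string $ip, int $now): bool
{
    return count(recentIpFailures($store, $ip, $now)) >= IP_MAX_ATTEMPTS;
}

/** Record a failed attempt against both keys; the IP window is pruned as it goes. */
function recordFailure(array &$store, string $account, string $ip, int $now): void
{
    $acc = $store['account'][$account] ?? ['fails' => 0, 'last' => 0];
    if ($now - $acc['last'] > MAX_LOCK) {
        $acc['fails'] = 0;   // last failure is older than the cap: start the doubling over
    }
    $store['account'][$account] = ['fails' => $acc['fails'] + 1, 'last' => $now];

    $times = recentIpFailures($store, $ip, $now);
    $times[] = $now;
    $store['ip'][$ip] = $times;
}

/** A successful login clears the account counter; the IP history is kept. */
function recordSuccess(array &$store, string $account): void
{
    unset($store['account'][$account]);
}

/** One login attempt. $passwordOk is the result of password_verify(). Returns 'ok', 'fail' or 'locked'. */
function attempt(array &$store, string $account, string $ip, bool $passwordOk, int $now): string
{
    if (accountLockRemaining($store, $account, $now) > 0 || ipLimited($store, $ip, $now)) {
        return 'locked';   // nothing is recorded and the password is not even checked while locked
    }
    if ($passwordOk) {
        recordSuccess($store, $account);
        return 'ok';
    }
    recordFailure($store, $account, $ip, $now);
    return 'fail';
}

// Demonstration on a constructed timeline (php this_file.php).
$store = [];
$t = 1000000;
echo attempt($store, 'admin', '198.51.100.7', false, $t), "\n";      // fail: account locked for 5 s
echo attempt($store, 'admin', '198.51.100.7', false, $t + 2), "\n";  // locked: still inside the 5 s
echo attempt($store, 'admin', '198.51.100.7', false, $t + 6), "\n";  // fail: second failure, lock doubles to 10 s
echo attempt($store, 'admin', '198.51.100.7', true,  $t + 10), "\n"; // locked: correct password, but 10 s not elapsed
echo attempt($store, 'admin', '198.51.100.7', true,  $t + 17), "\n"; // ok: lock expired, counter cleared
echo accountLockRemaining($store, 'admin', $t + 17), "\n";           // 0
```

The per-account counter is what stops a single account being hammered, and the per-IP window is what catches the "one password across many accounts" pattern the comment describes; neither lives in the client's session, so dropping cookies changes nothing. Two caveats a deployment needs: the store must be shared between PHP workers (a database row or a cache, not a per-process array), and the IP limit is blunt behind NAT, which is why the comments above mention subnet or autonomous-system granularity as alternatives.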

And you can also do it this way: How to protect the admin panel of the site?

That is, entry only by a GET request. If it is not there, then a blank page comes out. And so it is not at all clear what it is.

  • What the author is lacking is precisely to expose this link, with a GET request containing the login and password, in the browser history. Getting access from other computers is difficult (the form usually asks whether to remember it or not), but you should be careful when inviting guests home: autocomplete will give away your password easily and naturally. - drdaeman
  • Well, what if in a private tab? You can also, immediately after authorization, remember it in the session and then remove the data from GET. - atnartur
  • Of course, you can also do everything from a separate virtual machine... but why? And the address, once the admin entered it (one way or another) and went to it, has already gone into the history; that there will be a redirect later will not help security anymore. - drdaeman