Good evening! I have the following difficulty or problem...

1) There is a site, call it "Z", where you can enter the password endlessly, that is, brute-force the password, and I need ways to achieve this goal.

2) The same site "Z", but now the opposite task: it needs brute-force protection. I thought that after 3 wrong attempts, a prompt pops up with a captcha or a 2 + 2 type puzzle?

But the main question is to find out what kinds of implementations or simpler methods there are for task number 1.

  • Substitute random fields (including hidden ones); when the check is prompted, see which data has been entered. For task number 1, search for brute force. - lampa
  • Yeah, I had such a thought too. I do not know how it can work directly on the site; I do not understand how they work. - Goldy

2 answers

2) Offhand:

  • Blocking by IP after a certain number of incorrect password values has been entered (with a competent implementation, in addition to scripts, a firewall such as iptables is used). [Bypass using socks]
  • Blocking by cookies (including cookies that cannot be deleted, or even simple flash cookies)
  • Blocking by the number of incorrect password attempts, per time window or per event.
  • Various implementations of a Turing test
  • A combination of these methods.

1) Select a server on the same local network as the host with the site to reduce the response time. Options for implementing the brute force may vary depending on the limits for min and max password length, the characters allowed in the password, letter case, network bandwidth, fault tolerance / error handling when accessing the site page, etc.

1a) Use alternative methods of accessing the site (hacking, social engineering, a trojan).

  • Hacking is punishable, but cunning and networking would certainly be cool, to get into the role of Mitnick)

I did not understand, what is the difficulty with point 1?

For the 2nd, I would do this: add fields to the user table: 1 - one responsible for the login attempts; 2 - one for blocking input.

Principle. For example, the user is given 3 attempts to log in without punitive measures; then, if the 4th attempt fails, we block the account, for example, for 5 minutes; if after that we fail again, a block for 20 minutes, and so on. And when the user logs in successfully, on whatever attempt, reset the login-attempts field.

  • Something like the passcode on the iPhone will come out of this; also an idea, thank you. About the first one, I have never done this, and for the experience I want to know how it is done, how it is used, the tools. I understand that now there are few such sites without protection from infinite input, but I am very interested. - Goldy
  • "I understand that now there are few such sites" - it's controversial) it seems to me it's the other way around)) it's just that no one bothers; protection should be commensurate with the cost of the information being protected. - Ale_x
  • Well, I do not visit such sites, but the task itself as an experience is very interesting. - Goldy
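The escalating lockout described in the second answer (3 free attempts, then 5 minutes, then 20 minutes, reset on a successful login), written out as an added example that is not part of any answer on this page. The `LoginGuard` class, the `LoginState` fields and the schedule tail (1 hour for every lockout after the second) are assumptions for illustration; the answer only specifies the first two durations. Credentials are a constructed in-memory sample; a real system would store a salted hash and persist the two counter fields in the user table as the answer suggests.

```python
import hmac
import time
from dataclasses import dataclass

FREE_ATTEMPTS = 3                     # failures allowed before the first lockout
LOCKOUT_SCHEDULE = (300, 1200, 3600)  # 5 min, 20 min, then 1 h for every further lockout (assumed tail)


@dataclass
class LoginState:
    """The two per-user fields the answer proposes adding to the user table (plus a lockout counter)."""
    failed_attempts: int = 0    # field 1: consecutive failed logins
    blocked_until: float = 0.0  # field 2: input is blocked until this Unix timestamp
    lockouts: int = 0           # how many lockouts so far; selects the next duration


class LoginGuard:
    def __init__(self, credentials, clock=time.time):
        # credentials: username -> password (constructed sample; store a salted hash in practice)
        self._credentials = credentials
        self._state = {}
        self._clock = clock  # injectable clock so the timing can be exercised without sleeping

    def remaining_block(self, username):
        """Seconds until the user may try again (0 when not blocked)."""
        st = self._state.get(username)
        if st is None:
            return 0
        return max(0, int(st.blocked_until - self._clock()))

    def attempt(self, username, password):
        """Returns (success, message); applies the escalating lockout on failures."""
        now = self._clock()
        st = self._state.setdefault(username, LoginState())
        if now < st.blocked_until:
            # While blocked, reject without even checking the password
            return False, f"blocked; try again in {int(st.blocked_until - now)} s"
        expected = self._credentials.get(username, "")
        # Constant-time comparison so the check itself leaks nothing about the password
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self._state[username] = LoginState()  # success on any attempt resets the fields
            return True, "ok"
        st.failed_attempts += 1
        if st.failed_attempts > FREE_ATTEMPTS:
            # 4th failure -> 5 min, next failure after the block -> 20 min, and so on
            duration = LOCKOUT_SCHEDULE[min(st.lockouts, len(LOCKOUT_SCHEDULE) - 1)]
            st.blocked_until = now + duration
            st.lockouts += 1
            return False, f"too many failures; blocked for {duration} s"
        return False, f"wrong password ({FREE_ATTEMPTS - st.failed_attempts} attempts left)"


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse"})  # constructed sample user
    for pw in ("a", "b", "c", "d", "correct horse"):
        print(pw, guard.attempt("alice", pw))
```

Note that a user who keeps failing after each block expires is locked out for longer each time, while a single correct login clears everything; the attempt counter is keyed by account, so per-IP blocking from the first answer would be a separate counter layered on top.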