Limit login attempts by time and quantity

Asked

Viewed 1,749 times

6

I am working on a login system with php and mysql and this doubt arose, because I do not know if only this can be considered something "acceptable" as another security tool in the login process.

Well to say the idea is to limit the number of attempts on n times within an interval x time. Example: Maximum of 5 attempts every 10 minutes.

At the moment my login table is simple, owning only email and senha.

The idea is to expand to have 2 more columns, one for number of attempts and another for the time when the last attempt was made, thus staying:

email | senha | tentativa | ultima_tentativa

Where at each login I check the 2 criteria

$horario   = date("Y-m-d h:i:s");
$tempo1    = new Datetime($ultima_tentativa);
$tempo2    = new Datetime($horario);
$intervalo = date_diff($tempo1, $tempo2);

if($tentativa < 5 && $intervalo->format('%i') < 10) {
    //Processa o login....
    //Se o login for efetuado com sucesso, o contador é zerado
}

The other alternative (that I did the code structure still) would be similar, but the time for the next attempt would be progressive multiple, ie at each attempt the time interval doubles. Example:

  • Attempt 1 in 30 seconds;
  • Try 2 in 1 min;
  • Attempt 3 in 2 min;
  • Attempt 4 in 4 min;
  • Try 5 in 8 min;
  • and so on

I know it is not the focus of the community, but I would like to take into account the UX side of the login too, I mean, I can not leave the user waiting long in a few attempts (2 or 3), but also can not have a very high interval.

Can the methods presented be considered ideal? Which one would be more appropriate?

Is there any other method I can implement to improve the security of the login process considering this scenario?

php mysql

  • Take a look at the function here checkbrute($user_id, $mysqli): http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

  • @Eduardoalmeida if I understood correctly, it is a part/different function than the idea I proposed in the question, right?

  • Actually, no! The function is separated only because of organization. What it does is check the details of login attempts on the login page. It only counts attempts in a given range, everything else is determined by the login function, including the inclusion of failed attempts in the trial log table.

1 answer

5


I think it would be interesting to evaluate if in your case it would be interesting to implement resources to avoid nonhuman access, ie robots, as for example:

  • CAPTCHA: This feature can be implemented right on the first try, or after a given number of incorrect attempts (particularly, I do not show the captcha just after 3 or 4 incorrect attempts).

  • Checking the number of non-human attempts, for example: 2 attempts in less than 3 seconds would be virtually impossible for a real user. In this case, it may be feasible a direct IP blocking on the firewall, in my case, use lock for a certain period of time (example: 8 hours - this time will vary depending on the reality of the project to be deployed).

  • Force access via HTTPS: the ideal, in my opinion, is to run the whole system on HTTPS (with certified SSL valid). But the LOGIN part, MUST be with HTTPS always, otherwise it becomes very vulnerable.

  • Encrypt passwords with a good HASH.

  • Define and deploy a password policy suitable, because if you take care of everything above and the user puts passwords like: blank, equal to login or the typicals '123', '123456', etc., which is not rare, will play down all your work.

  • Handle data entries to prevent attacks like: SQL INJECTION and Cross-site scripting (XSS), etc..

In my opinion, the great point is to find the balance between security and feasibility of use, because it is no use to leave too safe and unviable for the user, or too practical for the user, but insecure.

  • HTTPS and Hash I’m already using. Password policy I use in part, because I don’t want the user to be too limited in this issue (I try to balance security and UX). Captcha is something I try to avoid by being 'boring' (again, from ux point of view) but it is not something completely discarded. So the question of number of attempts, to try to "replace" the Captcha. Already the part of non-human trial check, I will explore more. And what exactly would be the 'entree treatment' ?

  • Filter the data posted in the form to avoid sql Injection and xss.

Browser other questions tagged php mysql

You are not signed in. Login or sign up in order to post.