
I am currently building security into a website. So far, I have the following rules, and am wondering if this seems sufficient.

  • 5 failed login attempts for a particular username will cause that account to be locked for 1 hour

  • The number of failed login attempts by IP address will be stored in the server cache. If an IP address has 2 failed login attempts within a 2 minute period, then a Captcha (Google Recaptcha) will be shown which must be filled in before they can re-attempt another login.

  • The 2nd and subsequent failed login attempts would be recorded in the database (IP address, username attempting to login as, and timestamp)

  • If an IP address exceeds 30 failed login attempts, then the login page would be blocked for that IP address for 2 minutes (eg via Response.End()). I want to slow down brute force attacks, but also still allow large companies/institutions/universities/etc that may have many users behind a single IP address to still be able to login even though there may be several failed logins for completely different users within a short amount of time.

  • Log tables could be reviewed periodically to enforce more permanent bans, eg at the firewall level.

Does this sound like an ok strategy, or could there be any improvements?

GRA
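The rule set above, written out as an added example (Python rather than the asker's ASP.NET; this is not code from the question). The thresholds are the ones listed in the post. Everything else is an assumption: the 30-failure IP count is taken over a rolling 10-minute window (the post does not say over what period), the 5-failure account count is consecutive failures reset by a successful login, the "2nd and subsequent" failures that get logged are those from the same IP within the 2-minute captcha window, and the current time is passed in as a parameter so the policy can be exercised deterministically. The IP used must be the connection's source address (or a forwarding header only when it comes from your own trusted reverse proxy); if an attacker can choose the IP you key on, every per-IP rule is bypassed.

```python
"""Login-throttling policy from the question (added example, not the asker's code).

Time is passed in explicitly so the policy can be tested deterministically;
in a real request handler pass time.time().
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds taken from the question.
ACCOUNT_LOCK_THRESHOLD = 5      # failures on one username ...
ACCOUNT_LOCK_SECONDS = 3600     # ... lock that account for 1 hour
CAPTCHA_THRESHOLD = 2           # failures from one IP ...
CAPTCHA_WINDOW_SECONDS = 120    # ... within 2 minutes -> captcha required
IP_BLOCK_THRESHOLD = 30         # more than this many failures from one IP ...
IP_BLOCK_SECONDS = 120          # ... block the login page for 2 minutes
# ASSUMPTION: the question does not say over what period the 30 is counted;
# a 10-minute rolling window is used here.
IP_BLOCK_WINDOW_SECONDS = 600


@dataclass
class Decision:
    allowed: bool
    reason: str           # "ok", "ip_blocked", "account_locked", "captcha_required"
    retry_after: float = 0.0   # seconds until the block/lock lifts, if any


class LoginThrottle:
    def __init__(self):
        self.account_failures = defaultdict(int)   # username -> consecutive failures
        self.account_locked_until = {}             # username -> unix time
        self.ip_failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.ip_blocked_until = {}                 # ip -> unix time
        self.log = []                              # (ip, username, timestamp) rows

    def _recent(self, ip, now, window):
        """Count failures from `ip` in the last `window` seconds, pruning old entries."""
        q = self.ip_failures[ip]
        while q and now - q[0] >= IP_BLOCK_WINDOW_SECONDS:
            q.popleft()
        return sum(1 for ts in q if now - ts < window)

    def check(self, ip, username, now, captcha_passed=False):
        """Call before verifying the password; says whether the attempt may proceed."""
        until = self.ip_blocked_until.get(ip, 0)
        if until > now:
            return Decision(False, "ip_blocked", until - now)
        until = self.account_locked_until.get(username, 0)
        if until > now:
            return Decision(False, "account_locked", until - now)
        if (self._recent(ip, now, CAPTCHA_WINDOW_SECONDS) >= CAPTCHA_THRESHOLD
                and not captcha_passed):
            return Decision(False, "captcha_required")
        return Decision(True, "ok")

    def record_failure(self, ip, username, now):
        """Call after a wrong password; updates counters, lockouts and the log."""
        # Log the 2nd and later failures from this IP within the captcha window
        # (ASSUMPTION about what "2nd and subsequent" refers to).
        if self._recent(ip, now, CAPTCHA_WINDOW_SECONDS) >= 1:
            self.log.append((ip, username, now))
        self.ip_failures[ip].append(now)

        # Per-account lockout: 5 consecutive failures -> locked for an hour.
        self.account_failures[username] += 1
        if self.account_failures[username] >= ACCOUNT_LOCK_THRESHOLD:
            self.account_locked_until[username] = now + ACCOUNT_LOCK_SECONDS
            self.account_failures[username] = 0

        # Per-IP block: more than 30 failures in the window -> 2-minute block.
        if self._recent(ip, now, IP_BLOCK_WINDOW_SECONDS) > IP_BLOCK_THRESHOLD:
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECONDS
            self.ip_failures[ip].clear()   # count afresh once the block lifts

    def record_success(self, username):
        """A correct password resets that account's consecutive-failure counter."""
        self.account_failures.pop(username, None)
```

In a request handler the split is: call `check()` before touching the password, and `record_failure()` or `record_success()` after. A result of `ip_blocked` is where the post's `Response.End()` would go, `captcha_required` is where the Recaptcha is rendered, and `retry_after` is what you would put in a `Retry-After` header. Note that `account_locked` is the one outcome a third party can trigger against someone else's account simply by guessing wrong five times, which is the denial-of-service concern raised in the answers.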

2 Answers


That is certainly a strategy which can add security - but as to whether it is appropriate or not is impossible for us to say without knowing your requirements.

For example: if you have a key requirement for your users to have access, then lockouts can be a bad idea - Denial of Service is a risk - so you may want to think about progressively longer delays instead.

Also, have you thought about concurrent logins? You might want to allow users to login from multiple locations, but if not, enforce logout of previous session when a login occurs from a new IP. Or for an even more advanced solution, if one login is from a US IP address in the morning, a login from an African IP address in the afternoon could flag up as unlikely to be legitimate.

Always work out your particular needs - access, user security, location etc. and build your security to meet those needs.

Rory Alsop
  • Yes, progressively longer delays are a good way, otherwise everybody can block a user from access, simply by making a couple of wrong logins. The delay is not necessarily a long period, even short delays will make brute force attacks unrealistic. – martinstoeckli Apr 08 '12 at 19:24
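Progressively longer delays, as suggested in this answer and its comment, as an added example (Python; not code from the answer or the comment). The schedule doubles the wait after each consecutive wrong password on a username, starting at 1 second and capped at 60 seconds; both numbers and the per-username keying are assumptions. `seconds_to_try()` works out what the schedule costs an attacker who guesses sequentially, which is the comment's point that short delays are enough.

```python
"""Progressive delay instead of a hard lockout (added example)."""

BASE_DELAY = 1.0    # seconds after the first failure (ASSUMED)
MAX_DELAY = 60.0    # cap, so nobody can pin an account for an hour (ASSUMED)


def delay_after(failures):
    """Seconds a username must wait after `failures` consecutive wrong passwords."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class ProgressiveDelay:
    def __init__(self):
        self.failures = {}       # username -> consecutive failures
        self.next_allowed = {}   # username -> earliest time an attempt is accepted

    def check(self, username, now):
        """Seconds the caller still has to wait; 0.0 means the attempt may proceed."""
        return max(self.next_allowed.get(username, 0.0) - now, 0.0)

    def record_failure(self, username, now):
        """Wrong password: lengthen the wait for the next attempt on this username."""
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        self.next_allowed[username] = now + delay_after(n)

    def record_success(self, username):
        """Correct password: the schedule starts over."""
        self.failures.pop(username, None)
        self.next_allowed.pop(username, None)


def seconds_to_try(guesses):
    """Wall-clock time a sequential guesser needs for `guesses` wrong attempts."""
    return sum(delay_after(n) for n in range(1, guesses + 1))
```

With these numbers 1000 sequential guesses against one account take about 16.6 hours, while the worst a legitimate user ever sees, even if someone else has been hammering their account, is a 60-second wait rather than an hour-long lockout. An attacker can still keep an account at the cap by guessing continuously, so the cap is the trade-off between brute-force cost and how much a third party can inconvenience a user; the wait should be enforced server-side (a 429 with `Retry-After`), not by sleeping in the request handler, which just ties up worker threads.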

This sounds good to me, but it might be a little overkill. For 1), you probably don't need to lock out for an hour. 30 minutes would probably be enough to prevent brute force attacks, and it won't harm usability as much for the occasional user that goes over 5 wrong logins.

Next, forcing Captcha and IP database logs after just 2 login attempts is probably overkill. It's fairly common to get your password wrong once or twice, so forcing a Captcha after the first one will probably get annoying. Also, logging all these failed logins will create too many false positives, making your table much less useful. Consider raising the 2nd-login threshold to something higher.

Oleksi
  • I use a password manager, I never get my password wrong, I want to be challenged right away if it's wrong. – Ramhound Apr 09 '12 at 17:59
  • You do, but most of the users probably won't. Also, there is next to no security benefit from challenging after the first failure instead of a little later, however there is a usability cost. – Oleksi Apr 09 '12 at 18:31