
I'd like to show a CAPTCHA to prevent brute forcing attempts, but I was thinking of showing it whenever a user fails for an invalid username/password combination after X attempts, regardless of whether that user exists in the database or not.

The thought was that if a user did exist, then all an attacker would have to do is record which username combinations (after X attempts) displayed CAPTCHA vs did not (and thus based upon that, I can get all of the e-mails out of the database).

So therefore I'd show the CAPTCHA after X attempts regardless.

Now, to keep track of that, I guess I'd need a database table that literally saves whatever input the user typed in, but does that seem somewhat excessive?

Someone could try test@test.com in one country, and in another, etc., and then one person ruins it for everyone, who all get to see the CAPTCHA.

I could also try it by test@test.com + IP address (so only if you tried X times with a bad username/password combo from your current IP would it show the CAPTCHA).

Do you think I should store the IP address and use that as the basis for showing a CAPTCHA for an invalid username/password combo? Or should I simply stick to the text used universally for some period of time?

Thanks!

  • I'd use an in-memory database like [Redis](http://redis.io/) to track failed attempts based on their IP address. –  Jul 12 '14 at 18:30
  • With IPv6, getting another, different IP address is as trivial as `ipconfig`. Be careful with address storage: don't expose yourself to a DDOS. – curiousguy Jul 13 '14 at 01:25
  • This is a common problem. There are a lot of online CAPTCHA services available, which will de-risk this. If there are multiple attempts from a system, they will show the CAPTCHA; otherwise they won't. You don't have to deal with the complexity of storing IPs and attempts. – Dilip Rajkumar Nov 06 '19 at 16:16
  • One more thing: if you are storing the IP you will not be GDPR compliant. – Dilip Rajkumar Nov 06 '19 at 16:17

2 Answers


A couple of things to consider:

  • Do you really want to hide your users' IDs/emails? It's worth considering whether users are likely to forget said username/email. When they forget it, a login form that says "id or password incorrect" is terribly frustrating. Think about how often your users login, and whether you send them any paper bills or letters they're expected to store (in which case you can print a user ID on them).
  • Blocking a specific ID/email for a while after e.g. 10 failed attempts is necessary to prevent online brute-forcing, indeed. If you already let actual users reset their passwords via email, remember to warn them of a brute-force via email (including a link to re-enable their account) so if they need to login they can.
  • Not serving a CAPTCHA systematically is critically important. Legitimate users get up to 40% failure rates on CAPTCHAs (citing internal sources in my research group, but I have no URL to back this up, sorry!). Serving CAPTCHAs to an attacker targeting a specific ID is probably not useful because you can just lock up the account and warn the user.
  • Serving CAPTCHAs per IP can be useful to block people trying common passwords for many email addresses. Consider whether you have a large user base located in a university or large corporation that share an IP address, though. If you need to display a CAPTCHA then tell the users that this is because of large traffic from their IP address.
Steve Dodier-Lazaro
  • Thank you for your helpful response. Most of my users will be on personal computers; therefore you'd say it's best to do this by IP address? – GuestUser101 Jul 11 '14 at 17:28
  • First, block (smartly) repeated attempts on the same account. Second, do block IP addresses that fail too often (but put a large enough limit; sometimes you need to try multiple IDs because you forgot which one is yours, hence if your system doesn't tell me if it's the ID or the password that's wrong the limit should be high enough). – Steve Dodier-Lazaro Jul 11 '14 at 19:02
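As an added illustration of the per-identifier and per-IP counting discussed in the question and in this answer (example code, not from the original post or from any answerer): a small throttle that counts failures for whatever identifier was typed, whether or not an account exists, so the CAPTCHA decision reveals nothing about which e-mails are in the database, and that keeps a separate, higher limit per IP as the comment above suggests. The thresholds, the hashing salt and the in-memory store are assumptions; a deployment would put the same counters in a shared store such as Redis with a TTL.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass
class Decision:
    captcha_required: bool
    account_locked: bool
    reason: str


class LoginThrottle:
    """Hypothetical failed-login tracker (not the site's code).

    Counters are keyed on the submitted identifier, not on a found account,
    so a valid and an invalid e-mail get identical CAPTCHA behaviour.
    """

    def __init__(self, captcha_after=3, account_lock_after=10,
                 ip_captcha_after=50, window_seconds=15 * 60,
                 salt=b"example-salt-change-me"):
        self.captcha_after = captcha_after          # per-identifier CAPTCHA threshold
        self.account_lock_after = account_lock_after  # per-identifier lockout threshold
        self.ip_captcha_after = ip_captcha_after    # per-IP threshold (kept much higher)
        self.window_seconds = window_seconds        # stands in for a Redis key TTL
        self._salt = salt
        self._by_identifier = {}  # hashed identifier -> list of failure timestamps
        self._by_ip = {}          # client IP -> list of failure timestamps

    def _key(self, identifier):
        # Store a keyed hash of the normalised input rather than the raw text,
        # so the table is not a plain list of whatever e-mails people typed.
        normalized = identifier.strip().lower().encode()
        return hashlib.sha256(self._salt + normalized).hexdigest()

    def _recent(self, stamps, now):
        # Drop failures older than the window (what a TTL would do for us).
        cutoff = now - self.window_seconds
        return [t for t in stamps if t > cutoff]

    def record_failure(self, identifier, ip, now=None):
        now = time.time() if now is None else now
        key = self._key(identifier)
        self._by_identifier[key] = self._recent(self._by_identifier.get(key, []), now) + [now]
        self._by_ip[ip] = self._recent(self._by_ip.get(ip, []), now) + [now]

    def record_success(self, identifier, ip, now=None):
        # A successful login clears the identifier counter only; one correct
        # password among many guesses does not make the source IP benign.
        self._by_identifier.pop(self._key(identifier), None)

    def check(self, identifier, ip, now=None):
        now = time.time() if now is None else now
        ident_failures = len(self._recent(self._by_identifier.get(self._key(identifier), []), now))
        ip_failures = len(self._recent(self._by_ip.get(ip, []), now))
        if ident_failures >= self.account_lock_after:
            # Lock and let the real owner recover via e-mail, as the answer advises.
            return Decision(True, True, "identifier locked; offer e-mail reset link")
        if ip_failures >= self.ip_captcha_after:
            return Decision(True, False, "many failures from this IP address")
        if ident_failures >= self.captcha_after:
            return Decision(True, False, "repeated failures for this identifier")
        return Decision(False, False, "ok")


if __name__ == "__main__":
    # Constructed scenario: three bad guesses for an e-mail that may or may not exist.
    throttle = LoginThrottle()
    for _ in range(3):
        throttle.record_failure("Test@Test.com", "203.0.113.5", now=1000)
    print(throttle.check("test@test.com", "203.0.113.5", now=1001))
```

The first answer's point about shared campus or corporate addresses is why `ip_captcha_after` is deliberately far above `captcha_after`; the message shown with the CAPTCHA can come from `Decision.reason` so users on a busy address are told why they are being challenged.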

Using CAPTCHA will not necessarily stop someone from brute-forcing user accounts. It just adds another hurdle to get over. Once the attacker develops an automatic way to answer the CAPTCHA correctly, then they will continue brute-forcing.

There are several ways to prevent brute-forcing attempts against user accounts, but I believe the most effective approach is user lockout. Providing a user five attempts to log in, and then offering them the opportunity to have their password reminder or reset-password link emailed to them, is acceptable. Once the attacker realizes his attacks are failing after only five attempts, he will most likely move on to an easier target.

Alternatively, if you're not really trying to stop brute-force attacks, but are trying to figure out who is attacking you, then yes, you would want to track and store the information related to the attacks.

ap288