Do I need to protect login?_问答_开发者_运维开发者技术经验分享

I have login page. Do I need to protect it with Captcha or how should开发者_开发技巧 I handle it?

For example, if person knows an username, he can use curl or whatever and try to guess passwords many times. It will use many MySQL queries and it will eat my resources.

So, should I use Captcha for login? Or maybe I should store how many times person tried to guess the password with $_SESSION and if he guessed 10 times password wrong, then I would show Captcha? Is it safe to use such a information in $_SESSION? Maybe I should allow person to enter login only every 10 seconds also with $_SESSION? Would it be 100% safe? Or what would you suggest me?

EDIT: Please read my comment under Eljakim's post.

Don't go for the session approach.

A captcha may help, but it will annoy your normal users.

You may wish to keep track in your database of how many invalid logins have been tried from a specific IP-address or a specific username within (say) the last 10 minutes. If it goes over a specific threshold, just block that username or IP-address for a while.

Don't do this in the session! An attacker will probably not send the cookie that supports the session, or can just spoof them.

3 things:

Use Recaptcha (run by google) More info HERE
Do allow only certain number (10) of login attempts per hour from a unique IP address before timing out for say an hour or two.
Set a cookie when a successful login happens, and don't show the Captcha if the user has this cookie to not annoy regular visitors.

This will take care of all of the hacking attempts. Based on your traffic and how many hacking attempts you receive, you might want to play with the numbers.

Personally I would not opt for a Captcha to handle multiple failed login attempts. Instead, you can keep a counter in your database and increment it on each unsuccessful login attempt. When you reach your determined number of failures (5 or 10 or whatever), you can create a lockout period or ten minutes in your database during which you won't accept logins from that user.

This protects your users from password brute-forcing. $_SESSION will not be effective here, because the tools used for brute-forcing won't likely accept or honor session cookies.

Might I suggest adding a call to sleep() to add some extra frustration for login loaders?

Even a mere two seconds of sleep will cumulatively add to the level of time needed to mount a brute-force attack like you are describing.

DO not worry about your mysql queries, but worry about user's password. Insert line to DB everytime user tries to login (and fails) and select these lines everytime he/she tries to login again) if login attempts > 5 -> restrict to login

You can have multiple layers of security here. One option would be to only allow, say, 5 login attempts every X minutes. This will stop most brute forcers. (You can also ban known brute forcers via IP or whatever) Adding a CAPTCHA would obviously be even more help. After however many wrong tries, just display an obscured image using some of PHP's image features, for example. The more features you add, the safer. Do note though that a CAPTCHA is a hassle for many legitimate users.

It is not really safe to store the try-count in $_SESSION. If I am not accepting your cookies in my bruteforce-script i will get a new session for each request.

If you are trying to prevent any kind of DOS attacks: Limit the amount of requests per IP to an adequate amount per time interval.

If you are just trying to prevent bruteforcing passwords: Use captcha or store the count of failed logins in your DB. (Maybe block a User after 3 failed attempts for an hour or so?)

I allways choose one of two options, either pin code like - three failed password, and you email the user a new password. Or, have a cooldown periode of 2^(failed logins - 5) - will very fast give huge delay. Ie. 7 failed will give 2^(7-5) = 4 secs delay aso.