• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 675

Brute force program

Hi Experts,
A hacker is using a brute force program on my website trying to steal my users' accounts. He managed to do so because some of them used very simple passwords like 123456. My question is: what is the best way to prevent or stop that program from continuing to guess the passwords? Or how do I stop that attack?

I'm using PHP scripting on my website, and the login form is on the homepage.

Best regards,
Shopies

6 Solutions
 
marchent commented:
If for any user there are more than 5 consecutive wrong passwords, just lock the user account and send an email to the user about the account lock.

Also you can use a captcha at your login form to block brute force attacks.

A funny thing can be done too. If you see 5 login attempts fail, just take him to the page of a dummy user. That way the hacker will think he cracked the password, but actually you fooled him.

You can block access from your .htaccess for hitting too many times from the same IP.

Actually it depends upon what you want. So many things can be done.
 
kyodai commented:
Make an additional database field for "FailedAttempts", counting failed logins. If the failed login number exceeds a specific threshold, just deny login for the account. Clear the field like every 24 hours? If he's trying loads of users then also record his IP address in a field (if it's a forum or so you already do that in most cases; it's standard in forum software). Then block that IP address from login completely if it has used a wrong password for like 5 attempts.
 
kyodai commented:
If the hacker uses automation software it's also easy to just put a captcha or similar on the page, as most hackers aren't able to even defeat a basic captcha.
 
viju2008 commented:
SOLUTION 1: Ask people to keep strong passwords.

SOLUTION 2: Make your login page such that if someone types the password wrongly more than 10 times, his id should be locked for a specified period. (This might lead to a DOS: the hacker might then lock all ids, but still the chances of him breaking the login are less.)

SOLUTION 3: Write PHP code to get the IP of the attacker and then ban those IPs.

SOLUTION 4: (don't know whether your users will like it) Keep your login such that after login it asks a secret question too. The hacker surely won't be able to guess that easily.

BEST SOLUTION IS: use what Google and Yahoo have done.

If someone enters a wrong password more than three times, then a CAPTCHA is required to be entered. A captcha is a dynamically entered verification code; you will get it for free on the net, and if you don't, then ask.

The CAPTCHA as well as the userid and pwd should match; only then does the user log in. THIS IS THE ONLY PROVED SOLUTION against brute force.
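The per-account counter that marchent, kyodai and viju2008 describe (a failed-attempts field, a CAPTCHA after a few failures, a lock after more, the counter expiring after 24 hours), written out as an added example. This is not code from the thread; the table and column names (login_state, failed_attempts, last_failure, locked_until), the thresholds, and the in-memory SQLite store are this example's own choices, and the walk-through at the bottom uses a constructed clock rather than real traffic.

```php
<?php
// Added example (not from the thread): per-account failed-login tracking that
// escalates to a CAPTCHA after 3 failures and locks the account after 5, with
// the counter expiring after 24 hours and the lock after 60 minutes.
// Table/column names and thresholds are this example's own assumptions.

const CAPTCHA_AFTER = 3;           // require a CAPTCHA once this many failures are on record
const LOCK_AFTER    = 5;           // lock the account at this many consecutive failures
const RESET_SECONDS = 24 * 3600;   // a counter older than this is treated as zero
const LOCK_SECONDS  = 60 * 60;     // automatic unlock after one hour

function openStore(): PDO
{
    // In-memory SQLite so the example runs on its own; point this at the site's real database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_state (
        username        TEXT PRIMARY KEY,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        last_failure    INTEGER NOT NULL DEFAULT 0,
        locked_until    INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

function fetchState(PDO $db, string $user): ?array
{
    $st = $db->prepare('SELECT failed_attempts, last_failure, locked_until
                        FROM login_state WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the login form should do for the NEXT attempt on this account:
// 'ok' (plain form), 'captcha' (form plus CAPTCHA) or 'locked' (refuse).
function loginState(PDO $db, string $user, int $now): string
{
    $row = fetchState($db, $user);
    if ($row === null) {
        return 'ok';
    }
    if ((int) $row['locked_until'] > $now) {
        return 'locked';
    }
    if ($now - (int) $row['last_failure'] > RESET_SECONDS) {
        return 'ok';                              // stale counter: start over
    }
    return (int) $row['failed_attempts'] >= CAPTCHA_AFTER ? 'captcha' : 'ok';
}

// Call after a wrong password (or a wrong CAPTCHA); returns the new state.
function recordFailure(PDO $db, string $user, int $now): string
{
    $row   = fetchState($db, $user);
    $fresh = $row !== null && $now - (int) $row['last_failure'] <= RESET_SECONDS;
    $count = $fresh ? (int) $row['failed_attempts'] + 1 : 1;
    $lockedUntil = $count >= LOCK_AFTER ? $now + LOCK_SECONDS : 0;

    $db->prepare('INSERT OR REPLACE INTO login_state
                  (username, failed_attempts, last_failure, locked_until)
                  VALUES (?, ?, ?, ?)')
       ->execute([$user, $count, $now, $lockedUntil]);

    if ($lockedUntil > 0) {
        // This is where the lock notification to the account owner goes
        // (marchent's suggestion); the mail call itself is left out of the example.
    }
    return loginState($db, $user, $now);
}

// Call after a correct password: a successful login clears the counter.
function recordSuccess(PDO $db, string $user): void
{
    $db->prepare('DELETE FROM login_state WHERE username = ?')->execute([$user]);
}

// Walk-through with a fixed clock (constructed, not real traffic).
$db  = openStore();
$now = 1_700_000_000;
$log = [];
for ($i = 1; $i <= 6; $i++) {
    $log[] = "failure $i: " . recordFailure($db, 'alice', $now + $i);   // ok, ok, captcha, captcha, locked, locked
}
// Lock expired but the counter is still inside its 24h window: CAPTCHA stays on.
$log[] = 'after lock expiry: ' . loginState($db, 'alice', $now + 6 + LOCK_SECONDS + 1);
recordSuccess($db, 'alice');
$log[] = 'after success: ' . loginState($db, 'alice', $now + 10);
echo implode("\n", $log), "\n";
```

The login handler should call loginState() before it even checks the password and refuse or demand the CAPTCHA accordingly, then call recordFailure() or recordSuccess() with the outcome. Because this counter is keyed on the username, it has exactly the weakness viju2008 notes: anyone can lock an account by guessing wrongly five times, so it belongs alongside a per-IP limit rather than on its own.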
 
kyodai commented:
Another idea might be to introduce strong passwords, so the user is required to have like 8 characters and at least one number in the password. These can't be brute forced easily, as this already makes many many million possible combinations and it would take him years to crack a single one.
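A registration-time password policy of the kind kyodai describes (8 or more characters, at least one digit), as an added example that is not code from the thread. It extends the rule with a letter requirement and a small denylist that includes the 123456 from the question, and adds a keyspace helper so the "many many million combinations" claim can be put in numbers; the denylist contents, the 10 guesses per second figure and the helper names are this example's own assumptions.

```php
<?php
// Added example (not from the thread): a minimal password policy plus a
// keyspace estimate. The denylist and the guess rate are constructed values.

const COMMON_PASSWORDS = ['123456', '12345678', 'password', 'qwerty', 'abc123', '111111'];

// Returns the reasons a password is rejected; an empty array means it passes.
function passwordProblems(string $pw): array
{
    $problems = [];
    if (strlen($pw) < 8) {
        $problems[] = 'shorter than 8 characters';
    }
    if (!preg_match('/[0-9]/', $pw)) {
        $problems[] = 'no digit';
    }
    if (!preg_match('/[A-Za-z]/', $pw)) {
        $problems[] = 'no letter';
    }
    if (in_array(strtolower($pw), COMMON_PASSWORDS, true)) {
        $problems[] = 'on the common-password list';
    }
    return $problems;
}

// Number of candidates of exactly $length symbols drawn from an alphabet of
// $alphabet symbols. Returned as float: 36^8 already exceeds a 32-bit integer.
function keyspace(int $alphabet, int $length): float
{
    return $alphabet ** $length;
}

// Days needed to try every candidate at a given rate. Against a login form the
// rate is set by the server's throttling, not by the attacker's hardware.
function daysToExhaust(float $space, float $guessesPerSecond): float
{
    return $space / $guessesPerSecond / 86400;
}

foreach (['123456', 'letters', 'sunny2009', 'Tr4vel-Bag'] as $candidate) {
    $p = passwordProblems($candidate);
    printf("%-12s %s\n", $candidate, $p === [] ? 'accepted' : 'rejected: ' . implode(', ', $p));
}

// Six digits versus eight lower-case letters and digits, at a throttled 10 guesses/s.
printf("6 digits:         %.0f candidates, %.2f days at 10 guesses/s\n",
    keyspace(10, 6), daysToExhaust(keyspace(10, 6), 10));
printf("8 letters+digits: %.0f candidates, %.0f days at 10 guesses/s\n",
    keyspace(36, 8), daysToExhaust(keyspace(36, 8), 10));
```

The two printf lines make the point of the comment concrete: a six-digit PIN is exhausted in about a day even at ten guesses per second, while eight characters from letters and digits takes millions of days at the same rate. The policy check is what keeps users off the 123456 end of that range; the throttle is what keeps the rate at ten rather than thousands.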
 
Pantalaim0n commented:
A username/password combination is always harder to bruteforce than just a password by itself.

You could block access for a few hours for a particular account or IP address after 3 failed password attempts.

But the best way is to inform your users to choose a stronger password, at least a combination of letters and numbers.
 
shobinsun commented:
Hi,

Enabling account lockout after 3 bad password attempts stops brute forcing in its tracks. Set the account to either unlock automatically after 60 mins or have it set so that only the admin can unlock it.

For more about that:

http://www.continuitycentral.com/feature0429.htm

http://forums.digitalpoint.com/showthread.php?t=387473

http://www.webhostgear.com/240.html

Regards.
 
Dave Howe (Software and Hardware Engineer) commented:
If you are seeing more than a certain number of failed logins from a single IP address, deny from that IP. It's going to be less disruptive than blocking users, and more effective (given that a brute forcer who finds user A locked out will just move on to user B).
 
striker46 commented:
Restricting login attempts to, for instance, one every 15 seconds can also deter most people trying such attacks, because the time required for succeeding increases importantly.
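Dave Howe's per-IP denial and striker46's minimum interval between attempts, combined into one throttle as an added example that is not code from the thread. The class name, the thresholds (15 seconds between attempts, 20 failures per hour) and the in-process array storage are this example's own assumptions; the addresses in the walk-through are constructed.

```php
<?php
// Added example (not from the thread): per-IP throttling that combines a
// minimum interval between attempts with denial after N failures in a sliding
// window. Storage is an in-process array here; on a real site keep it in the
// database or a shared cache so every PHP worker sees the same counts.

final class IpThrottle
{
    private array $failures = [];   // ip => list of failure timestamps inside the window

    public function __construct(
        private int $minInterval = 15,        // seconds between attempts from one IP
        private int $maxFailures = 20,        // failures allowed per window before denial
        private int $window      = 3600,      // sliding window length in seconds
    ) {}

    // 'allow', 'too_fast' (ask the client to retry later) or 'denied'.
    public function check(string $ip, int $now): string
    {
        $recent = $this->recent($ip, $now);
        if (count($recent) >= $this->maxFailures) {
            return 'denied';
        }
        if ($recent !== [] && $now - end($recent) < $this->minInterval) {
            return 'too_fast';
        }
        return 'allow';
    }

    // Call after a wrong password from this IP, whichever account it targeted.
    public function recordFailure(string $ip, int $now): void
    {
        $this->failures[$ip]   = $this->recent($ip, $now);
        $this->failures[$ip][] = $now;
    }

    // Failures inside the window, oldest first; expired entries are dropped.
    private function recent(string $ip, int $now): array
    {
        $cutoff = $now - $this->window;
        return array_values(array_filter(
            $this->failures[$ip] ?? [],
            fn(int $t) => $t > $cutoff
        ));
    }
}

// Key the throttle on the socket peer address. X-Forwarded-For is set by the
// client unless a reverse proxy you operate overwrites it, so it is not used here.
function clientIp(array $server): string
{
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Walk-through with a fixed clock and a TEST-NET address (constructed, not real traffic).
$t   = new IpThrottle(minInterval: 15, maxFailures: 5, window: 3600);
$ip  = clientIp(['REMOTE_ADDR' => '203.0.113.7']);
$now = 1_700_000_000;
$log = [];
$log[] = 'first attempt: ' . $t->check($ip, $now);              // allow
$t->recordFailure($ip, $now);
$log[] = '5s later: ' . $t->check($ip, $now + 5);               // too_fast
for ($i = 1; $i <= 4; $i++) {                                   // four more failures, 20s apart
    $t->recordFailure($ip, $now + 20 * $i);
}
$log[] = 'after 5 failures: ' . $t->check($ip, $now + 100);     // denied
$log[] = 'an hour later: ' . $t->check($ip, $now + 3700);       // allow (window slid past)
echo implode("\n", $log), "\n";
```

Because the budget is counted per address rather than per account, an attacker who rotates through usernames (Dave Howe's point) still runs into the limit, and a legitimate user whose account was targeted is not locked out by someone else's guesses. The cost is that users behind one shared NAT address share a budget, which is why the window and limit here are deliberately generous compared to the per-account thresholds.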
 
Shopies (Author) commented:
Hey guys,
Honestly this was the richest topic I ever got. I have found a lot of solutions and I could apply some of them together. I started adding the captcha and a field with failed_attempts ...
Thank you all