Solved

Brute force program

Posted on 2009-04-04
10
662 Views
Last Modified: 2012-05-06
Hi Experts,
A hacker is using a brute force program on my website trying to steal my users accounts. He managed to do so because some of them used a very simple passwords like 123456. My question is : What is the best way to prevent or stop that program from keep guessing the passwords? Or how to stop that attack?

I'm using PHP scripting my website and the login form is in the homepage.

Best regards,
0
Comment
Question by:Shopies
10 Comments
 
LVL 13

Accepted Solution

by:
marchent earned 100 total points
ID: 24066547
If for any user, more than 5 consecutive wrong password, just lock the user account, and send an email to the user about account lock.

Also you can use captcha at your login form to block bruteforce attack.

A funny thing can be done too. If you see 5 login attempt failed, just take him to the page at dummy user. So that hacker will know he cracked the passsword, but actually u fooled him.

You can block the access from your .htaccess for hitting too many times from same IP.

Actually it depends upon how you want. So many things can done.
0
 
LVL 11

Assisted Solution

by:kyodai
kyodai earned 100 total points
ID: 24066555
Make an additional database field for "FailedAttempts", counting failed logins. If the failed login number exceeds a specific threshhold just deny login for the account. Clear the field like every 24 hours? If hes trying loads of users then also record his IP address in a field (If its a forum or so you already do that in most cases, its standard in forum software). Then like block that ip address from login completely if it has used a wrong password for like 5 attempts.
0
 
LVL 11

Expert Comment

by:kyodai
ID: 24066560
If the hacker uses automation software its also easy to just put a captcha or similar in the page, as most hackers arent able to even defeat basic captcha.
0
 
LVL 5

Assisted Solution

by:viju2008
viju2008 earned 100 total points
ID: 24066566
SOLUTION 1  :  Ask people to keep strong password

SOLUTION 2  : Make your login page such that if some types the password wrongly more than
                             10 times  his id should be locked for a specified period.
                            ( this might lead to a DOS , the hacker might then lock all ids , but still the chances of him breaking the login is less)

SOLUTION 3:  WRITE PHP CODE TO GET THE IP OF THE ATTACKER and then ban those IPs

SOLUTION 4 ; ( dont know wheter ur users will like it)

                              KEEP YOUR LOGIN SUCH THAT AFTER LOGIN it asks a secret question too
                          the hacker surely wont be able to gues that  easily

BEST SOLUTION IS :
use what google and yahoo has done

F SOME ONE ENTERS A WRONG PASSWORD MORE THAT THREE TIMES  THEN A
CAPTHA is required to be entered . captcha is a dynamically entered verification code
u will get it for free on the net , if u dont get then ask

THE CAPTCHA as well as the userid and pwd should match then only the user logs in
THIS IS THE ONLY PROVED SOLUTION against brute force
0
 
LVL 11

Expert Comment

by:kyodai
ID: 24066568
ANother idea might be to introduce strong password, so the user is required to have like 8 characters and at least one number in the password. These cant be bruteforced easily, as this already makes it many many million possible combinations and it would take him years to crack a single one.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 5

Assisted Solution

by:Pantalaim0n
Pantalaim0n earned 100 total points
ID: 24066573
A username/password combination is always harder to bruteforce than just a password by itself.

You could block access for a few hours for a particular account or IP address after 3 failed password attempts.

But the best way is to inform your users to choose a stronger password, at least a combination of letters and numbers
0
 
LVL 14

Assisted Solution

by:shobinsun
shobinsun earned 50 total points
ID: 24066581
Hi,

enabling account lock out after 3 bad password attempts stops brute forcing in its tracks , set the account to either unlock automaticly after 60 mins or have it set so that only the admin can unlock it.

For more about that:

http://www.continuitycentral.com/feature0429.htm

http://forums.digitalpoint.com/showthread.php?t=387473

http://www.webhostgear.com/240.html

Regards.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24066742
if you are seeing more than a certain number of failed logins from a single IP address, deny from that IP - its going to be less disruptive than blocking users, and more effective (given a bruteforcer who finds user a locked out will just move on to user b)
0
 
LVL 5

Assisted Solution

by:striker46
striker46 earned 50 total points
ID: 24067301
Restricting login attempts to for instance one every 15 seconds can also deter most of people trying such attacks, because the time required for succeeding increases importantly.
0
 

Author Comment

by:Shopies
ID: 24074909
Hey guys,
Honestly this was the richest topic ever I got. I have found a lot of solutions and I could apply some of them together. I started adding the captcha and a field with failed_attempts ...
Thank you all
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now