Solved

Brute force program

Posted on 2009-04-04
668 Views
Last Modified: 2012-05-06
Hi Experts,
A hacker is using a brute force program on my website trying to steal my users' accounts. He managed to do so because some of them used very simple passwords like 123456. My question is: what is the best way to prevent or stop that program from continuing to guess the passwords? Or how do I stop that attack?

I'm using PHP scripting on my website, and the login form is on the homepage.

Best regards,
0
Question by:Shopies
10 Comments
 
LVL 13

Accepted Solution

by:marchent
marchent earned 400 total points
ID: 24066547
If any user enters more than 5 consecutive wrong passwords, just lock the user account and send an email to the user about the account lock.

Also you can use a captcha on your login form to block brute-force attacks.

A funny thing can be done too. If you see 5 failed login attempts, just take him to the page of a dummy user, so the hacker will think he cracked the password, but actually you fooled him.

You can block access in your .htaccess for an IP that hits the page too many times.

Actually it depends on what you want. So many things can be done.
0
 
LVL 11

Assisted Solution

by:kyodai
kyodai earned 400 total points
ID: 24066555
Make an additional database field "FailedAttempts", counting failed logins. If the number of failed logins exceeds a specific threshold, just deny login for the account. Clear the field like every 24 hours? If he's trying loads of users, then also record his IP address in a field (if it's a forum or similar you already do that in most cases; it's standard in forum software). Then block that IP address from logging in completely if it has used a wrong password for like 5 attempts.
0
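As an added example (not code from the thread or from any of the posters), here is a PHP version of the failed-attempt counter and account lockout that marchent and kyodai describe. The `users` table with `failed_attempts` and `locked_until` columns, the `pdo_sqlite` extension, and the 5-attempt / 24-hour limits are all assumptions.

```php
<?php
// Added example, not code from the thread: a per-account failed-login counter with
// automatic lockout, along the lines marchent and kyodai describe above. It uses an
// in-memory SQLite database (pdo_sqlite) so it runs stand-alone; limits are assumptions.
const MAX_FAILED_ATTEMPTS = 5;         // lock after 5 consecutive failures
const LOCKOUT_SECONDS     = 24 * 3600; // lock and counter expire after 24 hours
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
           failed_attempts INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NULL)');
// Constructed sample user; the weak password deliberately mirrors the question.
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('123456', PASSWORD_DEFAULT)]);

// Returns 'ok', 'failed' or 'locked'; $now is passed in so time can be simulated.
function attemptLogin(PDO $db, string $user, string $pass, int $now): string
{
    $st = $db->prepare('SELECT * FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'failed';           // unknown user gets the same answer as a bad password
    }
    $failed = (int)$row['failed_attempts'];
    if ($row['locked_until'] !== null) {
        if ($now < (int)$row['locked_until']) {
            return 'locked';       // still inside the lockout window
        }
        $failed = 0;               // lockout expired: start the count afresh
    }
    if (password_verify($pass, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE username = ?')
           ->execute([$user]);
        return 'ok';
    }
    $failed++;
    $lock = $failed >= MAX_FAILED_ATTEMPTS ? $now + LOCKOUT_SECONDS : null;
    $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE username = ?')
       ->execute([$failed, $lock, $user]);
    // When $lock is set, a real site would also email the user about the account lock.
    return $lock !== null ? 'locked' : 'failed';
}

// Walk-through: five wrong guesses lock the account; the correct password is then
// refused until the lockout expires and accepted again afterwards.
$now = time();
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) {
    echo attemptLogin($db, 'alice', 'guess' . $i, $now), "\n";
}
echo attemptLogin($db, 'alice', '123456', $now), "\n";
echo attemptLogin($db, 'alice', '123456', $now + LOCKOUT_SECONDS + 1), "\n";
```

Returning the same 'failed' for an unknown username and a wrong password keeps the login form from confirming which accounts exist.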
 
LVL 11

Expert Comment

by:kyodai
ID: 24066560
If the hacker uses automation software, it's also easy to just put a captcha or similar on the page, as most hackers aren't able to defeat even a basic captcha.
0
 
LVL 5

Assisted Solution

by:viju2008
viju2008 earned 400 total points
ID: 24066566
SOLUTION 1: Ask people to keep strong passwords.

SOLUTION 2: Make your login page such that if someone types the password wrongly more than 10 times, his ID is locked for a specified period. (This might lead to a DoS: the hacker might then lock all IDs, but still the chances of him breaking the login are less.)

SOLUTION 3: Write PHP code to get the IP of the attacker and then ban those IPs.

SOLUTION 4 (don't know whether your users will like it): Keep your login such that after login it asks a secret question too. The hacker surely won't be able to guess that easily.

BEST SOLUTION IS: use what Google and Yahoo have done.

If someone enters a wrong password more than three times, then a CAPTCHA is required to be entered. A captcha is a dynamically generated verification code; you will get it for free on the net, and if you don't find one then ask.

The CAPTCHA as well as the user ID and password should match, and only then does the user log in. This is the only proven solution against brute force.
0
 
LVL 11

Expert Comment

by:kyodai
ID: 24066568
Another idea might be to introduce strong passwords, so the user is required to have like 8 characters and at least one number in the password. These can't be brute-forced easily, as this already makes many, many million possible combinations and it would take him years to crack a single one.
0
 
LVL 5

Assisted Solution

by:Pantalaim0n
Pantalaim0n earned 400 total points
ID: 24066573
A username/password combination is always harder to brute-force than just a password by itself.

You could block access for a few hours for a particular account or IP address after 3 failed password attempts.

But the best way is to inform your users to choose a stronger password, at least a combination of letters and numbers.
0
 
LVL 14

Assisted Solution

by:shobinsun
shobinsun earned 200 total points
ID: 24066581
Hi,

Enabling account lockout after 3 bad password attempts stops brute forcing in its tracks; set the account to either unlock automatically after 60 minutes or have it set so that only the admin can unlock it.

For more about that:

http://www.continuitycentral.com/feature0429.htm

http://forums.digitalpoint.com/showthread.php?t=387473

http://www.webhostgear.com/240.html

Regards.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24066742
If you are seeing more than a certain number of failed logins from a single IP address, deny from that IP. It's going to be less disruptive than blocking users, and more effective (given a brute-forcer who finds user A locked out will just move on to user B).
0
 
LVL 5

Assisted Solution

by:striker46
striker46 earned 200 total points
ID: 24067301
Restricting login attempts to, for instance, one every 15 seconds can also deter most people trying such attacks, because the time required to succeed increases considerably.
0
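An added example (not code from the thread) combining Dave Howe's per-IP denial with striker46's minimum interval between attempts, in PHP. The 15-second gap, the 20-failure limit, the one-hour ban and the in-memory array used as the store are assumptions; a real deployment needs a store shared across requests.

```php
<?php
// Added example, not code from the thread: per-IP throttling combining two suggestions
// above, a minimum gap between attempts from one address and a temporary deny once that
// address has failed too often. State lives in a PHP array so the script runs stand-alone;
// a real site needs a store shared across requests (APCu, Redis or a table). Limits are assumptions.
const MIN_INTERVAL_SECONDS = 15;   // at most one attempt per IP every 15 seconds
const MAX_IP_FAILURES      = 20;   // deny the address after 20 failures...
const IP_BAN_SECONDS       = 3600; // ...for one hour
// Decide whether a login attempt from $ip may proceed at time $now.
function ipGate(array &$state, string $ip, int $now): string
{
    $s = $state[$ip] ?? ['last' => 0, 'failures' => 0, 'banned_until' => 0];
    if ($now < $s['banned_until']) {
        return 'banned';
    }
    if ($s['banned_until'] !== 0) {
        $s['failures'] = 0; $s['banned_until'] = 0;   // ban expired: start afresh
    }
    if ($now - $s['last'] < MIN_INTERVAL_SECONDS) {
        return 'throttled';                         // too soon after the last attempt
    }
    $s['last'] = $now;
    $state[$ip] = $s;
    return 'allow';
}
// Record the outcome of an attempt that ipGate() allowed.
function ipRecord(array &$state, string $ip, bool $success, int $now): void
{
    if ($success) {
        $state[$ip]['failures'] = 0;                // a genuine login clears the slate
        return;
    }
    if (++$state[$ip]['failures'] >= MAX_IP_FAILURES) {
        $state[$ip]['banned_until'] = $now + IP_BAN_SECONDS;
    }
}

// Constructed walk-through: one address firing a wrong guess every 10 seconds. Every
// second try is throttled, and the 20th counted failure bans the address outright.
$state = [];
$ip = '203.0.113.7';                                // RFC 5737 documentation address
$t  = 1000000;
$outcomes = [];
for ($i = 0; $i < 45; $i++, $t += 10) {
    $decision = $outcomes[] = ipGate($state, $ip, $t);
    if ($decision === 'allow') {
        ipRecord($state, $ip, false, $t);
    }
}
print_r(array_count_values($outcomes));
```

Clients behind a shared NAT or proxy share one counter, so keep the interval short and the deny temporary to limit collateral lockouts of legitimate users.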
 

Author Comment

by:Shopies
ID: 24074909
Hey guys,
Honestly this was the richest topic I ever got. I have found a lot of solutions and I could apply some of them together. I started adding the captcha and a field with failed_attempts ...
Thank you all
0
