Shopies
asked on
Brute force program
Hi Experts,
A hacker is using a brute force program on my website trying to steal my users' accounts. He managed to do so because some of them used very simple passwords like 123456. My question is: what is the best way to prevent or stop that program from continuing to guess the passwords? Or how can I stop that attack?
I'm using PHP scripting for my website and the login form is on the homepage.
Best regards,
If the hacker uses automation software, it's also easy to just put a captcha or similar on the page, as most hackers aren't able to defeat even a basic captcha.
Another idea might be to introduce strong passwords, so the user is required to have at least 8 characters and at least one number in the password. These can't be brute-forced easily, as this already makes many, many million possible combinations and it would take him years to crack a single one.
If you are seeing more than a certain number of failed logins from a single IP address, deny from that IP. It's going to be less disruptive than blocking users, and more effective (given that a brute-forcer who finds user A locked out will just move on to user B).
ASKER
Hey guys,
Honestly, this was the richest topic I ever got. I have found a lot of solutions and I could apply some of them together. I started adding the captcha and a field with failed_attempts ...
Thank you all
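The per-IP denial suggested above and the failed_attempts counter the asker started on, combined in one PHP throttle as an added example (not code from the thread). It uses a sliding time window rather than a permanent lockout, so a brute-forcer cannot lock real users out for good, and the in-memory store, thresholds and sample IP are assumptions; in production the store would be a database table or cache shared by all web workers.

```php
<?php
// Added example: count failed logins per source IP and per account inside a
// sliding window, deny the login when either counter crosses its threshold,
// and clear the account counter on a successful login.
final class LoginThrottle
{
    // Constructed in-memory store keyed by "ip:<addr>" or "user:<name>";
    // replace with a DB table or cache in a real deployment.
    private array $attempts = [];

    public function __construct(
        private int $maxPerIp = 20,       // assumed threshold for one source IP
        private int $maxPerAccount = 5,   // assumed threshold for one account
        private int $windowSeconds = 900, // assumed 15-minute sliding window
    ) {}

    // Keep only the timestamps that still fall inside the window.
    private function recent(string $key, int $now): array
    {
        $cutoff = $now - $this->windowSeconds;
        return array_values(array_filter(
            $this->attempts[$key] ?? [],
            fn(int $t): bool => $t > $cutoff
        ));
    }

    // Call before checking the password; a blocked request should get the
    // same generic "login failed" response as a wrong password.
    public function isBlocked(string $ip, string $username, int $now): bool
    {
        $user = 'user:' . strtolower($username);
        return count($this->recent("ip:$ip", $now)) >= $this->maxPerIp
            || count($this->recent($user, $now)) >= $this->maxPerAccount;
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->attempts["ip:$ip"][] = $now;
        $this->attempts['user:' . strtolower($username)][] = $now;
    }

    public function recordSuccess(string $username): void
    {
        unset($this->attempts['user:' . strtolower($username)]);
    }
}

// Constructed usage: five wrong passwords for "alice" from a documentation-range IP.
$throttle = new LoginThrottle();
$ip = '203.0.113.7';
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure($ip, 'alice', time());
}
var_dump($throttle->isBlocked($ip, 'alice', time())); // alice is over her account limit
var_dump($throttle->isBlocked($ip, 'bob', time()));   // bob only shares the IP counter
```

In the login handler, check `isBlocked()` first, then verify the password with `password_verify()` and call `recordFailure()` or `recordSuccess()` accordingly, always returning the same error message so the response does not reveal whether the account or the throttle rejected the attempt.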