Jump to content

Recommended Posts

Im creating a feature on why website where as if a user enters the wrong password 5 times their account is locked for an hour, to prevent people trying 100's of passwords until they gain access, or a bot trying a dictionary attack

 

All seemed well, although I've just thought, any of my members has the potential to lock someone elses account which in turn, stops the genuine member from loggin in

 

I dont think there is a way around this.. maybe there is

 

Is this just how it works, or is there a better way to stop people trying 100s of passwords to gain control of an account / bot doing a dictionary attack

 

Cheers

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/
Share on other sites

Add a table with IP / time failed, or a time failed in the user table and check the login against their fail time. You could simply use sessions to store how many times they've failed the password. If you want more security, add a column in the db for it. If >1 hour, let them log back in again.

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570207
Share on other sites

Maybe add a CAPTCHA to the password entry screen..

also log the IP and maybe stop that trying any login for an hour (yes i know thats not 100%)

Heh got to it before I could. But yeah a CAPTCHA would make it so auto attack systems wouldn't be able to get through. Or another thing, maybe have an email send to the attacked account (on a lock) saying that they must follow a link or be unable to login for the duration.
Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570210
Share on other sites

Another thing you can do (if you have their email) is if the account is locked, give them a link to send an unlock link to the email address. Provide them with a unique URL to unlock their account, and then they can log in again.

 

...and then still keep the auto-unlock after an hour part....

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570212
Share on other sites

p.s. - CAPTCHAS are a pain in the ass for the user...avoid them at all costs

 

I disagree, if the site is used enough, it should be implemented~

Yeh true, I would love to avoid them at all costs, but avoiding them leaves you open to intrusion or DOS attacks

 

I guess web standards of today must force implementation of captcha's this the script kiddy world of the internet has gone BOT mad

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570223
Share on other sites

Sessions won't work..

if the user deletes this cookies or jusr removes the PHPSESSION from the URL, thay can try again

i think rhodesa's solution is best but of course more work..

 

Another thing you can do (if you have their email) is if the account is locked, give them a link to send an unlock link to the email address. Provide them with a unique URL to unlock their account, and then they can log in again.

 

...and then still keep the auto-unlock after an hour part....

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570225
Share on other sites

p.s. - CAPTCHAS are a pain in the ass for the user...avoid them at all costs

 

I disagree, if the site is used enough, it should be implemented~

 

ok...how about a compromise and making them use a CAPTCHA if they have failed to login a few times for that account?

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570226
Share on other sites

I didn't say store the Locked var in the session, I was just saying you COULD store the FAIL COUNT in the sessions, assuming the  user was oblivious. Then, when count reaches X, add the locked status to the database.

 

And I also said, should you want more security, make a table for attempts, or add a col to the users table.

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570230
Share on other sites

wouldn't it be better to just update a field in the DB !

 

In my opinion, yes.

 

Simplicity for the original poster, no. :P

If I update it in the DB, that will lock every computer from logging into that account

 

But if I base it on SESSIONS, it will lock  the "attackers" computer out

 

I guess a captcha after 3 attempts is a nice comprimise

 

Thanks again

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570335
Share on other sites

But if I base it on SESSIONS, it will lock  the "attackers" computer out

 

Just to point this out.. Sessions will NOT lock the attackers computer

 

Sessions won't work..

if the user deletes this cookies or jusr removes the PHPSESSION from the URL, thay can try again

i think rhodesa's solution is best but of course more work..

 

Another thing you can do (if you have their email) is if the account is locked, give them a link to send an unlock link to the email address. Provide them with a unique URL to unlock their account, and then they can log in again.

 

...and then still keep the auto-unlock after an hour part....

Link to comment
https://forums.phpfreaks.com/topic/111117-solved-lock-account/#findComment-570355
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.