Re: [phplib] Disallowing infinite incorrect passwords
From: Max A. Derkachev (kot <email protected>)
Date: 04/27/00

Hello Mark,

Thursday, April 27, 2000, 7:46:08 AM, you wrote:

MRC> If I understand the way PHPLib is currently written, a user can try
MRC> infinite times to guess a password. Has anyone written any code to
MRC> prevent this?
MRC> Has anyone written any code that will disable an account after X
MRC> incorrect login attempts?
MRC> Or how about code that will make you wait X hours to attempt to login
MRC> again if you try Y incorrect logins with Z period of time?

Well, I guess this could be done, but the conditions would be very
restrictive. How do You intend to catch a user (I mean a real world user
- a human - not a login) who's trying to crack someone's password? The
only thing possible is setting up a cookie for that purpose, which
will contain the number of tries, and the expiration time. But if the
user doesn't allow cookies, it won't work. It also won't work if he deletes
the cookies from his hard disk. Without a cookie You can't identify
the user for sure. Don't rely on IPs.

-- 
Best regards,
Max A. Derkachev
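
The policy asked about in the quoted question (Y incorrect logins within Z period of time lock the login for X hours), counted on the server per login name rather than per client, as an added example that is not part of the original message or of PHPLib. The class name, thresholds and in-memory store are hypothetical; it assumes PHP 8, and a real deployment would persist the state in the user database.

```php
<?php
// Added example: failed-login throttle keyed by login name, state kept server-side.
// LoginThrottle and its defaults are hypothetical, not PHPLib code.
final class LoginThrottle
{
    /** @var array<string, array{fails: int[], lockedUntil: int}> */
    private array $state = [];

    public function __construct(
        private int $maxFails = 5,     // Y: failures tolerated inside the window
        private int $window = 900,     // Z: counting window, in seconds
        private int $lockout = 3600    // X: lock duration, in seconds
    ) {}

    /** True if a password check for $login may proceed at time $now. */
    public function allowed(string $login, int $now): bool
    {
        return ($this->state[$login]['lockedUntil'] ?? 0) <= $now;
    }

    /** Record the outcome of a password check for $login. */
    public function record(string $login, bool $success, int $now): void
    {
        if ($success) {
            unset($this->state[$login]);   // a good login clears the counter
            return;
        }
        $entry = $this->state[$login] ?? ['fails' => [], 'lockedUntil' => 0];
        // Drop failures that fell out of the window, then add this one.
        $entry['fails'] = array_values(array_filter(
            $entry['fails'],
            fn (int $t): bool => $t > $now - $this->window
        ));
        $entry['fails'][] = $now;
        if (count($entry['fails']) >= $this->maxFails) {
            $entry['lockedUntil'] = $now + $this->lockout;
            $entry['fails'] = [];
        }
        $this->state[$login] = $entry;
    }
}

// Constructed timeline: five failures for "alice", ten seconds apart.
$throttle = new LoginThrottle();
$start = 1000000;
for ($i = 0; $i < 5; $i++) {
    $throttle->record('alice', false, $start + $i * 10);
}
var_dump($throttle->allowed('alice', $start + 60));    // inside the lock period
var_dump($throttle->allowed('alice', $start + 3641));  // after the lock expires
var_dump($throttle->allowed('bob', $start + 60));      // a login with no failures
```

Call `allowed()` before checking the password and `record()` after it. Because the counter is tied to the login name, anyone who knows a login name can keep that account locked, so the thresholds trade guessing resistance against availability.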
