Re: [phplib] Disallowing infinite incorrect passwords From: Roundeye (roundeye <email protected>)
Date: 04/27/00

* Max A. Derkachev (kot <email protected>) [000427 01:42]:
> MRC> If I understand the way PHPLib is currently written, a user can try
> MRC> infinite times to guess a password. Has anyone written any code to
> MRC> prevent this?

> Well, I guess this could be done, but the conditions would be very
> restrictive. How do You intend to catch a user (I mean a real world user
> - a human - not a login) who's trying to crack someone's password? The
> only thing possible is setting up a cookie for that purposes, which
> will contain the number of tries, and the expiration time. But if the
> user doesn't allow cookies, it won't work. It also won't work if he deletes
> the cookies from his hard disk. Without a cookie You can't identify
> the user for sure. Don't rely on IPs.

It should be straightforward to modify your login code to store and
use a "last attempt(s)" information on a per-account basis -- I think
the original poster's goal was to prevent password-guessing on a
single account. It doesn't matter if it's a distributed attack (which
would escape even cookie attempts if done right), just count the number
of times logins are attempted within a short time span.

Here's an algorithm, comments of course very welcome. Say your limit
is 3 login attempts to the same account within a minute, and after
that logins are disabled for 2 additional minutes (hey, this is my
hypothetical scenario :-):

- Make a column in auth_user(?) for "login_time" and "login_attempts"
and initially set both to NULL for a new account

- when a login attempt is submitted:
  (*) - if login_time is null:
    - if the username/password is correct:
      - log in the user
      - exit
    - if the username/password is incorrect:
      - set login_time to the current time
      - set login_attempts to 1
      - exit
  - if login_time is not null:
    - if login_attempts < 3:
      - if login is correct:
        - log in the user
        - set login_time to null
        - set login_attempts to 0
        - exit
      (else)
      - if current_time - login_time > 1 minute:
        - set login_time to current time
        - set login_attempts to 1
        - exit
      - if current_time - login_time <= 1 minute:
        - increment login_attempts
        - exit
    - if login_attempts >= 3:
      - if current_time - login_time > 3 minutes (1+2):
        - set login_time to null
        - set login_attempts to null
        - go to (*) above
      (else)
        - increment login_attempts
        - exit

Yeah, I know I probably could've hacked the php/phplib code to do the
same thing, but I think the description of the algorithm is less
likely to have important typos, and makes the implementor think more
about the implementation than if I had posted the code (plus, I'm
lazy).

Does this appear to be the right way to do this?

roundeye

-- 
                                Rick Bradley -- www.roundeye.net
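The algorithm in the post above, written out as runnable Python (an added example; not PHPLib code and not Rick's). It keeps the two auth_user columns on an in-memory record, takes an injectable clock so a sequence of attempts can be replayed deterministically, and compares plaintext passwords with a constant-time compare only to keep the example short; the account names, the FakeClock, and the lockout_demo and slow_guess_demo functions are constructed for illustration. The second function exercises a consequence of the algorithm exactly as stated that an implementor should know about: a wrong guess more than a minute after the window opened resets login_attempts to 1 instead of locking, so a guesser who paces attempts a little over 30 seconds apart (two per minute) never reaches the lockout. The flip side of counting per account is that anyone who knows a username can lock its owner out for three minutes with three bad passwords.

```python
# Added example, not PHPLib code and not the post author's: the per-account
# lockout algorithm above in Python. Assumed: the auth_user columns live on an
# in-memory Account record, the clock is injectable so a run of attempts can be
# replayed deterministically, and passwords are compared in plaintext with a
# constant-time compare purely for brevity (a real system compares hashes).
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_ATTEMPTS = 3               # failures tolerated inside the window
WINDOW = 60                    # "within a minute"
LOCKOUT = 120                  # "disabled for 2 additional minutes"
LOCK_TOTAL = WINDOW + LOCKOUT  # the "3 minutes (1+2)" from the post


@dataclass
class Account:
    password: str
    login_time: Optional[float] = None    # first failure of the current window
    login_attempts: Optional[int] = None


def _correct(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password.encode(), password.encode())


class Authenticator:
    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float]):
        self.accounts = accounts
        self.now = now

    def _fresh(self, acct: Account, password: str, t: float) -> bool:
        """The (*) branch: no failure window is open for this account."""
        if _correct(acct, password):
            return True
        acct.login_time = t
        acct.login_attempts = 1
        return False

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False  # unknown account; the post does not cover this case
        t = self.now()
        if acct.login_time is None:
            return self._fresh(acct, password, t)
        if acct.login_attempts < MAX_ATTEMPTS:
            if _correct(acct, password):
                acct.login_time = None
                acct.login_attempts = 0
                return True
            if t - acct.login_time > WINDOW:
                acct.login_time = t       # window expired: count from this failure
                acct.login_attempts = 1
            else:
                acct.login_attempts += 1
            return False
        # Locked out: even the right password is refused until LOCK_TOTAL
        # seconds have passed since the first failure of the window.
        if t - acct.login_time > LOCK_TOTAL:
            acct.login_time = None
            acct.login_attempts = None
            return self._fresh(acct, password, t)
        acct.login_attempts += 1
        return False


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def lockout_demo() -> List[bool]:
    """Three fast failures lock the account; the lock expires after 3 minutes."""
    clock = FakeClock()
    auth = Authenticator({"alice": Account("correct horse")}, clock)  # constructed
    results = []
    for guess in ("wrong1", "wrong2", "wrong3"):
        results.append(auth.login("alice", guess))         # t = 0, 10, 20 s
        clock.advance(10)
    results.append(auth.login("alice", "correct horse"))   # t = 30 s: locked out
    clock.advance(151)
    results.append(auth.login("alice", "correct horse"))   # t = 181 s: lock expired
    return results


def slow_guess_demo() -> int:
    """Guesses 31 s apart never accumulate 3 failures: the counter keeps resetting."""
    clock = FakeClock()
    auth = Authenticator({"bob": Account("s3cret")}, clock)  # constructed
    peak = 0
    for i in range(10):
        auth.login("bob", f"guess{i}")
        peak = max(peak, auth.accounts["bob"].login_attempts)
        clock.advance(31)
    return peak
```

Calling lockout_demo() returns [False, False, False, False, True]: the fourth attempt is refused even though the password is right, because login_attempts has reached 3 and only 30 seconds have passed, and the fifth succeeds once 181 seconds have elapsed since the first failure. slow_guess_demo() returns 2, the highest value login_attempts ever reaches when guesses arrive 31 seconds apart. Note also that the pseudocode never updates login_time while the account is locked, so a guesser hammering a locked account does not extend the lock; whether that is the behaviour wanted is a decision for the implementor.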

--------------------------------------------------------------------- To unsubscribe, e-mail: phplib-unsubscribe <email protected> For additional commands, e-mail: phplib-help <email protected>