FuelPHP Forums

Blocking user account after too many wrong login attempts.
  • Hello. In my app, after reaching 5 wrong login attempts in 15 minutes per one account, this account is being blocked for another 15 minutes...
    My question is how / or should I even provide some mechanism to unblock the account earlier (or login earlier with additional data)?
    In my system both login and password are known only by the user, but still there is a risk that someone's account might be blocked all the time because of some bots.
    What about 'unblock account via email'? The user needs to enter his email and login, and if those are correct he gets an email with an 'unblocking link'. Or the account will still be blocked for 15 minutes, but in the link there will be one GET parameter which allows the specified user to login without limitations (only once ofc.).
    Another thing is some two factor authorization / one time passwords. Let's say that the user can decide to use Mobile-OTP or something to login. A user with that option enabled can use it to login without limitations.
    With 'no limitations' I mean one login attempt / 10 secs.
    Do you have some ideas?
  • Harro Verton wrote on Tuesday 3rd of January 2012:
    A big downside of blocking accounts is that you effectively create a wonderful denial-of-service opportunity. Hacking attempts will block your legitimate users from logging in. Any way of circumventing the block also means the hacker can use that, so that won't do much.

    If you block the IP of the person who's trying to login you won't have that problem, since the blocked IP probably isn't the legit user. And if it is the legitimate user, he or she probably forgot their password and they should be able to recover their password through an email. If you think that maybe the user's email could have been hacked, you could compare the IP address of the user that's recovering the password and the IP that's been stored when the user signed up for an account. If they don't match you could tell them to go on the computer on which they've signed up, or if that's not possible they could request a password change manually or something which you as admin have to approve. But that's not very user-friendly.
  • Proving my point that you have to think very careful about what functionality you build for what problem. Proper research and design is key, as always...
  • It entirely depends on the application and the user base. A big downside of blocking accounts is that you effectively create a wonderful denial-of-service opportunity. Hacking attempts will block your legitimate users from logging in. Any way of circumventing the block also means the hacker can use that, so that won't do much. Maybe ask the user to give five questions and answers that he/she only knows, and ask those questions at an online reset of the block? You could also opt for an external authentication service, like OpenID or something OAuth based. OTPs are only interesting if you are in a corporate context in which such infrastructure is available.
  • I think as long as the login is secret in the same way as the password is (except hashing), the 'denial-of-service opportunity' is not so great.
    However, it would be nice to have some anti-DOS (just still be able to login despite the blockade); without it users can get quite unhappy :p (as well if the anti-DOS requires much more work to be done by the user).
  • I don't understand that statement. If you block a login for say 15 minutes after 3 failed attempts, all I have to do is enter the username and type rubbish as the password three times. After which the original user can't login anymore. I call that a denial-of-service attack, since the legitimate user is denied the service...
  • Did you include the user's IP address? Do you want to block the username, or do you want to block a certain username from a certain IP?
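To make the thread's point concrete, here is an added example (not code from the thread or from FuelPHP; written in Python rather than PHP because the logic is the same in either) of a sliding-window login throttle using the original poster's numbers: 5 failures in 15 minutes locks the key for 15 minutes. The same class can key failures on the username alone (the poster's design) or on the (username, client IP) pair (the suggestion in the last two replies); the IP addresses used are constructed sample values.

```python
"""Sliding-window login throttle: per-username vs per-(username, IP) keys."""
from collections import defaultdict, deque

WINDOW_SECS = 15 * 60   # count failures inside this window (thread: 15 minutes)
MAX_FAILURES = 5        # thread: 5 wrong attempts
LOCK_SECS = 15 * 60     # thread: block for another 15 minutes


class LoginThrottle:
    """Tracks failed attempts per key and locks the key after MAX_FAILURES.

    key_by_ip=False reproduces the original poster's per-account lockout;
    key_by_ip=True keys on (username, client_ip), as suggested in the thread.
    """

    def __init__(self, key_by_ip):
        self.key_by_ip = key_by_ip
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unlock timestamp

    def _key(self, username, ip):
        return (username, ip) if self.key_by_ip else (username,)

    def is_locked(self, username, ip, now):
        """True while the key for this login attempt is inside its lock period."""
        return self.locked_until.get(self._key(username, ip), 0) > now

    def record_failure(self, username, ip, now):
        """Store a failed attempt; lock the key once MAX_FAILURES fall in the window."""
        q = self.failures[self._key(username, ip)]
        q.append(now)
        while q and q[0] <= now - WINDOW_SECS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[self._key(username, ip)] = now + LOCK_SECS
            q.clear()


def simulate_lockout_dos(key_by_ip):
    """An attacker at 203.0.113.9 (constructed) types 5 wrong passwords for 'alice'.

    Returns True if alice, logging in from her own IP 198.51.100.7 (constructed),
    is then locked out, i.e. the lockout has become a denial of service against her.
    """
    throttle = LoginThrottle(key_by_ip)
    for t in range(MAX_FAILURES):
        throttle.record_failure("alice", "203.0.113.9", now=100 + t)
    return throttle.is_locked("alice", "198.51.100.7", now=110)
```

With username-only keying the simulation returns True (alice is locked out by someone else's failures); with (username, IP) keying it returns False. Per-IP keying is weaker against an attacker with many addresses and can still affect users behind a shared NAT, which is why the thread also points to password recovery rather than relying on the lockout alone.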