increasing time delay for login to stop bruteforcing, good idea?

php passwords sleep password-protection brute-force
ganjan picture ganjan · Jan 27, 2011 · Viewed 7.9k times · Source

I have set up my db to log every failed login attempt. I thought I would multiply the number of failed attempts with 0.05 seconds or something. Something like:

            time_nanosleep(0, (50000000 * $failed_attempts ) );

More attempts a hacker uses to guess a password, more time does it take to check every time. After checking a 100 passords he must wait 5 sec between each try.

Is this a good way to stop bruteforcing? I identify the users by IP. So I guess you can bruteforce the application by using multiple proxy servers or something, but besides that, I think is a good idea. What do you guys think?

Answer

Greg Buehler picture Greg Buehler · Jan 27, 2011

What about something like:

time_nanosleep(0, (10000000000 * (log($failed_attempts)^10)) );

This will give you an exponentially increasing attempt window.

Related questions

How to log in to phpMyAdmin with WAMP, what is the username and password?

What does the word "root" mean in phpMyAdmin? Whenever I write localhost/phpmyadmin on the address bar, I am asked to enter a username and a password, but I don't know what they are. I don't remember when and where …

Read More
encrypt and decrypt md5

I am using code $enrypt=md5($pass) and inserting $encrypt to database. I want to find out a way to decrypt them. I tried using a decrypting software but it says the hash should be of exactly 16 bytes. is there …

Read More
How do you use bcrypt for hashing passwords in PHP?

Every now and then I hear the advice "Use bcrypt for storing passwords in PHP, bcrypt rules". But what is bcrypt? PHP doesn't offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few …

Read More