Best way to limit (and record) login attempts

security login captcha
Derek H picture Derek H · Feb 24, 2009 · Viewed 13.3k times · Source

Obviously some sort of mechanism for limiting login attempts is a security requisite. While I like the concept of an exponentially increasing time between attempts, what I'm not sure of storing the information. I'm also interested in alternative solutions, preferrably not including captchas.

I'm guessing a cookie wouldn't work due to blocking cookies or clearing them automatically, but would sessions work? Or does it have to be stored in a database? Being unaware of what methods can/are being used so I simply don't know what's practical.

Answer

alex picture alex · Feb 24, 2009

Use some columns in your users table 'failed_login_attempts' and 'failed_login_time'. The first one increments per failed login, and resets on successful login. The second one allows you to compare the current time with the last failed time.

Your code can use this data in the db to determine how long it waits to lock out users, time between allowed logins etc

Related questions

Limiting user login attempts in PHP

I've seen web apps with limitations for user login attempts. Is it a security necessity and, if so, why? For example: you had three failed login attempts, let's try again in 10 minutes!!

Read More
Is it immoral to put a captcha on a login form?

In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks. The immediate reaction of other coworkers was a request to remove it, saying that it was inapropiate for that …

Read More
Removing the remembered login and password list in SQL Server Management Studio

I've recently used our company's spare laptop (that has a general user set up) while mine was being repaired. I've checked the "Remember password" option in SQL Server Management Studio when logging in to the database. I need to clear …

Read More