security - Throttling login attempts

(This is in principle a language-agnostic question, though in my case I am using ASP.NET 3.5)

I am using the standard ASP.NET login control and would like to implement the following failed login attempt throttling logic.

  • Handle the OnLoginError event and maintain, in Session, a count of failed login attempts
  • When this count gets to [some configurable value] block further login attempts from the originating IP address or for that user / those users for 1 hour

Does this sound like a sensible approach? Am I missing an obvious means by which such checks could be bypassed?

Note: ASP.NET Session is associated with the user's browser using a cookie

Edit

This is for an administration site that is only going to be used from the UK and India


1 Reply


Jeff Atwood mentioned another approach: Rather than locking an account after a number of attempts, increase the time until another login attempt is allowed:

1st failed login    no delay
2nd failed login    2 sec delay
3rd failed login    4 sec delay
4th failed login    8 sec delay
5th failed login    16 sec delay

That would reduce the risk that this protection measure can be abused for denial of service attacks.

See http://www.codinghorror.com/blog/archives/001206.html
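The escalating-delay scheme from the table above, as an added example that is not part of the original answer or of ASP.NET: failures are counted server-side per attempted username (so the check does not depend on the browser keeping the same session cookie), the delay after the n-th consecutive failure is 2^(n-1) seconds from the second failure onwards, capped at a configurable maximum, and the clock is injected so the behaviour can be tested without sleeping. Names such as `LoginThrottle` and `attempt` are my own.

```python
import time


class _Record:
    """Per-key state: consecutive failures and when the next attempt is allowed."""

    def __init__(self):
        self.failures = 0        # consecutive failed attempts for this key
        self.allowed_at = 0.0    # earliest clock value at which a retry is accepted


class LoginThrottle:
    """Exponential backoff after failed logins, keyed by username.

    Delay after the n-th consecutive failure: 0 s for n == 1, 2**(n-1) s for
    n >= 2 (2, 4, 8, 16 ...), capped at `max_delay` so it cannot grow unbounded.
    """

    def __init__(self, max_delay=3600.0, clock=time.monotonic):
        self._records = {}          # username -> _Record (server-side, not in a cookie)
        self._max_delay = max_delay
        self._clock = clock         # injectable clock for deterministic tests

    @staticmethod
    def delay_for(failures):
        return 0.0 if failures <= 1 else float(2 ** (failures - 1))

    def seconds_until_allowed(self, key):
        rec = self._records.get(key)
        if rec is None:
            return 0.0
        return max(0.0, rec.allowed_at - self._clock())

    def record_failure(self, key):
        rec = self._records.setdefault(key, _Record())
        rec.failures += 1
        delay = min(self.delay_for(rec.failures), self._max_delay)
        rec.allowed_at = self._clock() + delay
        return delay

    def record_success(self, key):
        self._records.pop(key, None)   # a good login resets the counter

    def attempt(self, key, check_password):
        """Return (succeeded, seconds to wait before the next attempt)."""
        wait = self.seconds_until_allowed(key)
        if wait > 0:
            return False, wait        # refused without consulting the password store
        if check_password():
            self.record_success(key)
            return True, 0.0
        return False, self.record_failure(key)
```

Note that an attempt made inside the delay window is rejected before the password is checked, so a correct guess during that window does not succeed either.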
