Hello,

I'd like to prevent bots from hacking weak password-protected accounts (e.g. this happened to eBay and other big sites).

So I'll set a (mem-)cached value with the IP, the number of tries and the timestamp of the last try (memcache fall-out).

But what about bots trying to open any account with just one password? For example, the bot tries all 500.000 user accounts with the password "password123". Maybe 10 will open.

So my attempt was to just cache the IP with tries and set max-tries to ~50. Then I would delete it after a successful login. So the good bot would just log in with a valid account every 49 tries to reset the lock.

Is there any way to do it right? What do big platforms do about this? What can I do to prevent idiots from blocking all users on a proxy by retrying 50 times?

If there is no best practice, does this mean any platform is brute-forceable? At least with a hint on when counters are reset?

Thanks in advance,

Stefan

+3  A: 

There was a relatively good article on Coding Horror a few days ago.

Peter
+5  A: 

Some sites give you maybe two or three tries before they start making you enter a captcha along with your username/password. The captcha goes away once you successfully log in.

Steve Losh
Edit your post here for a few times, to see this behaviour ;-)
Peter
Oh, neat, I didn't realize they did that. And they even use reCAPTCHA! As much as I like KittenAuth I have to concede that a captcha that helps digitize books is better.
Steve Losh
+5  A: 

I think you can mix your solution with captchas:

  1. Count the number of tries per IP
  2. In case there are too many tries from a given IP address within a given time, add a captcha to your login form.
MiniQuark
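The two-step scheme above (count failures per IP, then demand a CAPTCHA once a threshold is crossed within a time window) can be sketched as follows. This is an added illustration, not code from the question or from any of the answers; it uses an in-memory dictionary as a stand-in for the memcached counters the question describes, a fake clock so the window expiry can be exercised, and a constructed credential table (real systems would compare against salted password hashes). It also addresses the reset trick from the question: a successful login clears only the per-account counter, never the per-IP counter, and a second counter keyed by account name catches the one-password-against-every-account pattern that a per-IP counter alone cannot see. Because the IP counter only triggers a CAPTCHA rather than a hard block, users who share an address behind a proxy are challenged, not locked out.

```python
import hmac
import time
from collections import defaultdict

WINDOW_SECONDS = 15 * 60      # failures older than this fall out (memcache TTL analogue)
CAPTCHA_AFTER_IP = 3          # per-IP failures in the window before a CAPTCHA is required
CAPTCHA_AFTER_ACCOUNT = 5     # per-account failures in the window before a CAPTCHA is required


class FakeClock:
    """Constructed clock so the examples can advance time deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """In-memory stand-in for the memcached counters described in the question.

    Keys are ("ip", addr) and ("user", name); each holds the timestamps of
    recent failures. Only failures are counted. A successful login does NOT
    clear the IP counter, so a bot cannot reset it by logging into an account
    it already controls every N tries.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(list)

    def _recent(self, key, now):
        # Drop entries outside the window, which is what memcache expiry would do.
        kept = [t for t in self._failures[key] if now - t < WINDOW_SECONDS]
        self._failures[key] = kept
        return len(kept)

    def captcha_required(self, ip, username):
        now = self._clock()
        return (self._recent(("ip", ip), now) >= CAPTCHA_AFTER_IP
                or self._recent(("user", username), now) >= CAPTCHA_AFTER_ACCOUNT)

    def record_failure(self, ip, username):
        now = self._clock()
        self._failures[("ip", ip)].append(now)
        self._failures[("user", username)].append(now)

    def record_success(self, ip, username):
        # Clear only the per-account counter; the IP counter is left alone on purpose.
        self._failures.pop(("user", username), None)


def attempt_login(throttle, ip, username, password, captcha_solved, credentials):
    """Returns "captcha_required", "ok" or "failed".

    `credentials` is a constructed plaintext table for the example only.
    """
    if throttle.captcha_required(ip, username) and not captcha_solved:
        return "captcha_required"
    stored = credentials.get(username, "")
    if hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "failed"


def simulate_password_spray(throttle, ip, accounts, known_good):
    """Models the bot from the question: one guess per account from a single IP,
    logging into an account it controls every second try to "reset" the counter.
    Returns the attempt number at which a CAPTCHA was first demanded (None if never).
    """
    for i, user in enumerate(accounts, 1):
        if throttle.captcha_required(ip, user):
            return i
        throttle.record_failure(ip, user)          # the guess fails on this account
        if i % 2 == 0:
            throttle.record_success(ip, known_good)  # reset attempt; IP counter survives
    return None


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    accounts = [f"user{i}" for i in range(10)]          # constructed account names
    creds = {"alice": "correct horse", "botowned": "x"}  # constructed credentials
    print(simulate_password_spray(throttle, "198.51.100.7", accounts, "botowned"))  # 4
    print(attempt_login(throttle, "198.51.100.7", "alice", "correct horse", False, creds))
    print(attempt_login(throttle, "198.51.100.7", "alice", "correct horse", True, creds))
```

With `CAPTCHA_AFTER_IP = 3` the sprayed bot gets three free failures and is challenged on the fourth attempt regardless of the interleaved successful logins; a legitimate user behind the same address gets `captcha_required` rather than a refusal, and once the window has passed the counters fall out and the CAPTCHA disappears again.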
+2  A: 

While the code is focused on Django there is some really good discussion on the best practice methods on Simon Willison’s blog. He uses memcached to track IPs and login failures.

calebgroom
+1  A: 

You could use a password strength checker when a user sets their password to make sure they're not using an easily brute-forced password.

EDIT: Just to be clear, this shouldn't be seen as a complete solution to the problem you're trying to solve, but it should be considered in conjunction with some of the other answers.

Bill the Lizard
A: 

You're never going to be able to prevent a group of bots from trying this from lots of different IP addresses.

From the same IP address: I would say if you see an example of "suspicious" behavior (invalid username, or several valid accounts with incorrect login attempts), just block the login for a few seconds. If it's a legitimate user, they won't mind waiting a few seconds. If it's a bot this will slow them down to the point of being impractical. If you continue to see the behavior from the IP address, just block them -- but leave an out-of-band door for legitimate users (call phone #x, or email this address).

Jason S
Never say never. I believe I've come up with a scheme that *can* thwart distributed brute force attacks - see http://stackoverflow.com/questions/479233/what-is-the-best-distributed-brute-force-countermeasure
Jens Roland
A: 

PLEASE NOTE: IP addresses can be shared among THOUSANDS or even MILLIONS of users!!! For example, most/all AOL users appear as a very small set of IP addresses due to AOL's network architecture. Most ISPs map their large user bases to a small set of public IP addresses.

You cannot assume that an IP address belongs to only a single user.

You cannot assume that a single user will be using only a single IP address.

Rob Williams
A: 

Check the following question discussing best practices against distributed brute force and dictionary attacks:

http://stackoverflow.com/questions/479233/what-is-the-best-distributed-brute-force-countermeasure

Jens Roland