Hi Amy,

I don't fully understand onion routers, but if I understand correctly -- users within a group share, or mix and match IP addresses in order to make back-tracing to one specifiic user impossible. This might be used for hacking attempts, and add more IPs to the mix of ones detected...but don't quote me on that.

I've forgotten my password before and been max-attempted out of trying to login to a site. The user will know they are pushing the envelope. You can also include a way for a user to reset their password to their database-stored email address (only). You shouldn't get too many complaints when the users realize their personal info is safe with you. Also, my little script resets after the time-limit -- on every attempt, not as a batch.

I'm not sure I would use sleep, it freezes the whole script execution and probably will frustrate users. My little example takes number of attempts within a specific time-frame into consideration without using sleep.

As was mentioned, there is no absolute security methodology. There is only your best effort against the hackers. Also, how sensitive is your data that you're protecting -- how tempting is it to advanced hackers? If it is really valuable, I would recommend getting a security specialist on-board, otherwise do your best and get a good nights sleep.

Cheers

To tell you the truth, there is nothing really valuable. What I mean is that pretty much everything that they type into their account gets posted online, except for some small things. They know this in advance. I do not have any credit card info or SS#'s or anything of the such. But my customers are allowed to upload pics and I would just like things to remain clean. I'd hate to get on there one day and see some dirty pics of a blonde doing a midget or something. It just wouldn't be very appropriate, ya know?

I really appreciate everyone writing in, this is a great response! Now if I can just figure out which one would be best...I think I'm leaning toward allowing the user to only have a certain amount of attempts. Is it possible and do you think it would be a good idea to let the user know after each attempt that they only have a certain number of attempts left?

~Amy

Its all up to you. Typically you would not let the user know how many attempts they have left and just display a message after they have locked themselves out, that their account has been locked and will be available in 'x minutes' or if they reset their password or whatever method you choose.

Another reason that you wouldn't let them know, is if you ever decide to change the number of attempts, you might have to change the error message. Also with the hacking thing, this will let them know how many chances they have left to try for this account, before moving on to the next one.

All in all, still a personal preference.

dickersonka makes good points, especially about alerting hackers to how many attempts they have. It would be easy enough to calculate how many attempts within a certain period the hacker has and write a delay in their script to compensate for that.

Of course, 5 attempts every 5 minutes (how it is set now) would only allow 60 possible usename-password combinations an hour, which would take a decade to perform a brute force attack if the password is at all secure.

If you want to show number of attempts, you can do so dynamically by returning the count from the test_attempts function: replace return $allow; with...
...and in your main function after print 'PROCEED'; when you've tested if the username and password match the database-stored values ... if they don't you can display the greater of the current counts...
I didn't test the above snippets, but they should work

Hope this helps

Okay, still haven't tested it but realized a fatal flaw in my logic above...NOT
return ( $allow ) ? $count : FALSE;

For count up

For count down

Or something like this...you might have to play with it some...you just don't want to return a zero (0) count, as that will be interpreted as FALSE. :-)

Cheers

You know, you can implement a system to beat that situation where a hacker is using a specific password with several usernames by just blocking any attempt on that password for the next hour or so. I would create an abuse table or set of tables and abused passwords would be one of them with password, timestamp and attempts as the columns. Just keep it cleaned up with cron.

So there is a way to limit failed login attempts that are either for wrong passwords or for wrong usernames?

Langsor, have you tested the php you posted earlier?

Thanks,
~Amy

Yes I did test the main block after I wrote it, but not in a production environment, so I can not guarantee this in any way without further testing and you will have to rely on your own judgment if you want to use it.

I did not actually test the small additional pieces in my last couple posts though, those were off the top of my head.

Let me know if you have any questions or need any help with this code.

Everything has a solution, you just have to be creative.

Okay, I'm come up with something else, please tell me if you think it would be a good idea or not.

My website is a site where you can go in and post your home online by county. Is it possible to prevent some attacks by making the user put in not only their username and password, but also the county in which they live? I could write the php code to check all of that and if they got it all correct, then they are smooth sailing.

The only problem I worried about running into would be if they didn't spell their county correctly, but I think it would take a real moron to not know how to spell their own county, but then again, I have to expect that, I suppose. Hehe

Since their are over 3,000 counties, do you believe this is a good idea for prevention?

~Amy