[thelist] Prevent dictionary attacks on passwords

Bill Moseley moseley at hank.org
Tue Jul 24 11:04:15 CDT 2007


On Tue, Jul 24, 2007 at 08:43:26AM -0700, Anthony Baratta wrote:
> 
> I would log on failures the requesting IP and a time-stamp. If there
> had been X number of failures over x number of seconds I would
> "block that IP" for X number of minutes.

Where would you store and access that information?  I was thinking of
Memcached, but that opens up a way for an attacker to fill my cache.

I might need to alter the login API so that I can tell if the failure
was due to a bad email address or just the wrong password for a valid
email.  That way I'm not tracking accounts that do not exist.

> Dictionary attacks are normally fast and furious, not slow and
> deliberate so setting your threshold to 3 failures in 5 seconds
> would be a good start.

Yes, that makes it easier.  I can just increment a counter for an
address if its timestamp was within the last few seconds, otherwise
set it to one if longer than five seconds.  And if the count gets
large then lock the account.


-- 
Bill Moseley
moseley at hank.org
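The per-IP counter described in this exchange, written out as an added example (not code from the thread): a failure increments the counter when the previous failure was within the window, otherwise resets it to one, and crossing the threshold blocks the address. The 3-failures-in-5-seconds values come from the quoted suggestion; the 5-minute block length and the stale-entry pruning (a bound on how much an attacker can make the table grow) are assumptions.

```python
import time

WINDOW_SECONDS = 5.0     # a failure older than this no longer counts toward the burst
MAX_FAILURES = 3         # the third failure inside the window triggers a block
BLOCK_SECONDS = 300.0    # assumed block length; not specified in the thread


class FailureTracker:
    """Per-IP failed-login counter with reset-on-idle and a temporary block list."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 block=BLOCK_SECONDS):
        self.window = window
        self.max_failures = max_failures
        self.block = block
        self._state = {}     # ip -> (consecutive failures, timestamp of last failure)
        self._blocked = {}   # ip -> timestamp when the block expires

    def is_blocked(self, ip, now=None):
        """True while the address is inside its block period; expired blocks are dropped."""
        now = time.time() if now is None else now
        until = self._blocked.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked[ip]
            return False
        return True

    def record_failure(self, ip, now=None):
        """Count a failed login; returns True if this failure blocks the address."""
        now = time.time() if now is None else now
        count, last = self._state.get(ip, (0, 0.0))
        count = count + 1 if now - last <= self.window else 1
        self._state[ip] = (count, now)
        if count >= self.max_failures:
            self._blocked[ip] = now + self.block
            del self._state[ip]
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the burst counter for that address."""
        self._state.pop(ip, None)

    def prune(self, now=None):
        """Drop counters older than the window so the table cannot grow without bound."""
        now = time.time() if now is None else now
        stale = [ip for ip, (_, last) in self._state.items() if now - last > self.window]
        for ip in stale:
            del self._state[ip]
        return len(stale)
```

Timestamps are injectable so the logic can be exercised deterministically; in production the default `time.time()` is used.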
