Is rate limiting a correct way to prevent brute force attacks on CakePHP, or should I use a different method?

StackOverflow https://stackoverflow.com/questions/23416542

13-07-2023

Question

I was just finishing up a reset password system, and thought it would be wise to have a limit attempt restriction on the actual reset page (for the token input). I did a few Google searches, and I'm finding next to nothing on doing that with CakePHP. Now, I can throw something together, but I like reading up on other implementations because it helps me catch ideas that I might not have thought of, and helps avoid potential security hazards and bugs.

Because I was unable to find anything, it has made me wonder if I am attempting a poor form of security for my application. Is there a reason that this is greatly under-covered (i.e., is it covered by the security component or something else, a bad way to prevent brute force attacks, replaced by a better method), or is this a good method of protecting my application? Should I be looking at a different way to protect my application?

Thank you!


Solution

Implementing per-user rate limiting is difficult, because the common ways to identify a user (cookie, IP address) can be defeated by an attacker.

A simplistic yet efficient approach could be

sleep(2);

before you return the result of the token check. Such a small delay is acceptable for a legitimate user but will slow down a brute-forcing attacker.

In the case of a password reset token that is generated by the system, making it long enough should not be a problem though. Given enough entropy, rate limiting should not be required to make an attack unfeasible.

As a general guideline about passwords and account security I recommend reading The definitive guide to form-based website authentication (which is not CakePHP-specific, though).
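A framework-agnostic PHP sketch of the answer's two points, added here and not taken from the original answer or from CakePHP: a fixed delay around a constant-time token check, plus a rough figure for how the token's entropy alone bounds an online guess. The function names and the choice to store only a SHA-256 hash of the token are my assumptions, not anything the answer specifies.

```php
<?php
// Added example, not code from the original answer or from CakePHP.
declare(strict_types=1);

const TOKEN_BYTES = 32;   // 32 random bytes = 256 bits of entropy
const CHECK_DELAY = 2;    // seconds, as in the answer's sleep(2)

// Generate a reset token with PHP's CSPRNG (random_bytes, PHP 7+).
// Only the SHA-256 hash is kept server-side (an assumption of this
// example), so a database leak does not expose live tokens.
function makeResetToken(): array
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));   // 64 hex chars sent to the user
    return ['token' => $token, 'stored_hash' => hash('sha256', $token)];
}

// Verify a submitted token. hash_equals() compares in constant time, so
// the comparison leaks nothing about how many characters matched. The
// delay runs on every call, success or failure, so response time does
// not reveal the outcome either; it is the answer's sleep(2) in context.
function verifyResetToken(string $submitted, string $storedHash): bool
{
    $ok = hash_equals($storedHash, hash('sha256', $submitted));
    sleep(CHECK_DELAY);
    return $ok;
}

// Expected cost of a blind online guess at one request per delay period:
// on average half the keyspace must be tried. PHP promotes the overflowing
// integer power to float, so the large exponent is fine.
function expectedYearsToGuess(int $tokenBytes, int $delaySeconds): float
{
    $attempts = 2 ** ($tokenBytes * 8 - 1);
    return $attempts * $delaySeconds / (365 * 24 * 3600);
}

$t = makeResetToken();
var_dump(verifyResetToken($t['token'], $t['stored_hash']));
var_dump(verifyResetToken('not-the-token', $t['stored_hash']));
printf("%.3e years at one guess per %d s\n",
    expectedYearsToGuess(TOKEN_BYTES, CHECK_DELAY), CHECK_DELAY);
```

Note that sleep() holds a PHP worker for its duration, so it slows one connection but not an attacker sending many requests in parallel, and it consumes server capacity; as the answer says, the token's entropy is what actually makes guessing infeasible.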

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow