Question

Suppose I have the file login.php.

login.php takes GET (or POST) parameters username and password and returns true if the login is successful and false otherwise. This way other pages can access it via AJAX.

My question is, since this method is vulnerable to brute force attacks, how should I secure this. I'm thinking of making it refuse access unless it is from my own site's form, but how would you go about doing that?

I use jQuery to make AJAX calls.


Solution

Brute force is much harder than you think. If a person is using a bad password, it's their problem. Even a weak password (8 characters) would require 2 years of brute forcing if the attackers can do a million attempts every second. You have many options:

  1. Limit the number of login attempts per username per five minutes. This requires a table in your database where you keep the requests and their time for the last 5 minutes, more or less. This has the unfortunate side effect of allowing someone to (D)DoS one of your users.
  2. Limit the number of global login attempts... This is easier but can make DDoS of your entire server easy. I wouldn't do it.
  3. Limit the number of attempts from an IP or from an IP/user. That wouldn't allow an easy DDoS, but it won't stop a distributed brute force attack, so don't bother.

I'd do the following: Require passwords of 10 characters or more. Scream if they aren't strong enough, or are based on dictionary words (but still allow them). Log when there are too many login requests and investigate personally as soon as possible.

All of this happens on the server side, and has nothing to do with AJAX.

OTHER TIPS

I'm thinking of making it refuse access unless it is from my own site's form...but how would you go about doing that

It is impossible to achieve this reliably. You could use some sort of CAPTCHA, throttle requests, or configure your firewall to drop multiple successive requests from the same IP, which will make the attacker's job a bit harder.

After 3 requests from the same IP, simply delay each response from your server by an incremental 2 seconds.

Don't use sessions or any client-side mechanism. Just use a temporary table for login requests that stores the IP and the number of failed auths, which you use to increment your delay. After 15 min without an auth attempt from an IP, flush its entry.

With that, brute force can be a "little" tricky for the bad guy (maybe they have some years to attempt to access your site), and it preserves usability for dyslexics like me who may need to re-type their password 4 or 5 times before getting it right ^^
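The two server-side schemes proposed above (option 1 of the accepted answer, a per-username limit over a five-minute window, and this answer's per-IP incremental delay with a table that is flushed after 15 minutes of inactivity) share the same storage, so here they are combined in one login.php. This is an added example by the editor, not code from either answerer: the table name, the limits, the SQLite backend via PDO, and the check_credentials() stand-in are assumptions. The decision is made on the server before the password is checked, so it is unaffected by whether the request came from jQuery, curl, or anything else.

```php
<?php
// Added example (editor's code, not from the answers above): server-side login
// throttling that combines a per-username failure limit with a per-IP
// incremental delay. Limits, table name and the credential stub are assumed.

const PER_USER_WINDOW  = 300;  // 5-minute window for the per-username limit
const PER_USER_MAX     = 5;    // failures allowed per username per window
const PER_IP_FREE      = 3;    // failures from one IP before delays begin
const PER_IP_STEP      = 2;    // seconds added for every further failure
const PER_IP_MAX_DELAY = 30;   // cap: a delayed request still ties up a worker
const FLUSH_AFTER      = 900;  // entries idle for 15 minutes are dropped

function open_db(string $path = ':memory:'): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per failed attempt; "scope" is either "user" or "ip".
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
                   scope TEXT NOT NULL, subject TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS lf_idx ON login_failures (scope, subject, failed_at)');
    return $db;
}

function flush_stale(PDO $db, int $now): void {
    $st = $db->prepare('DELETE FROM login_failures WHERE failed_at < :cutoff');
    $st->execute([':cutoff' => $now - FLUSH_AFTER]);
}

function recent_failures(PDO $db, string $scope, string $subject, int $since): int {
    $st = $db->prepare('SELECT COUNT(*) FROM login_failures
                        WHERE scope = :scope AND subject = :subject AND failed_at >= :since');
    $st->execute([':scope' => $scope, ':subject' => $subject, ':since' => $since]);
    return (int) $st->fetchColumn();
}

function record_failure(PDO $db, string $user, string $ip, int $now): void {
    $st = $db->prepare('INSERT INTO login_failures (scope, subject, failed_at)
                        VALUES (:scope, :subject, :t)');
    $st->execute([':scope' => 'user', ':subject' => $user, ':t' => $now]);
    $st->execute([':scope' => 'ip',   ':subject' => $ip,   ':t' => $now]);
}

// Decide, before touching the password, whether to answer at all and how
// long to wait first. Returns ['allow' => bool, 'delay' => seconds].
function throttle_decision(PDO $db, string $user, string $ip, int $now): array {
    flush_stale($db, $now);
    if (recent_failures($db, 'user', $user, $now - PER_USER_WINDOW) >= PER_USER_MAX) {
        return ['allow' => false, 'delay' => 0];  // this username is locked for the window
    }
    $ipFails = recent_failures($db, 'ip', $ip, $now - FLUSH_AFTER);
    // 4th failure from an IP waits 2 s, 5th waits 4 s, ... up to the cap.
    $delay = max(0, $ipFails - PER_IP_FREE + 1) * PER_IP_STEP;
    return ['allow' => true, 'delay' => min($delay, PER_IP_MAX_DELAY)];
}

// Assumed stand-in for the real user store: one account, hashed with
// password_hash() so the comparison goes through password_verify().
function check_credentials(string $user, string $password): bool {
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function handle_login(PDO $db, string $user, string $password, string $ip, int $now): bool {
    $d = throttle_decision($db, $user, $ip, $now);
    if ($d['delay'] > 0) {
        sleep($d['delay']);
    }
    if (!$d['allow']) {
        error_log("login: '$user' locked out, attempt from $ip");  // log it, then investigate
        return false;
    }
    if (check_credentials($user, $password)) {
        return true;
    }
    record_failure($db, $user, $ip, $now);
    return false;
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through: six failures for one user from one (constructed) IP.
    $db = open_db();
    $t  = 1700000000;
    for ($i = 1; $i <= 6; $i++) {
        $d = throttle_decision($db, 'alice', '203.0.113.7', $t + $i);
        printf("attempt %d: allow=%s delay=%ds\n", $i, $d['allow'] ? 'yes' : 'no', $d['delay']);
        record_failure($db, 'alice', '203.0.113.7', $t + $i);
    }
} else {
    // The AJAX endpoint: POST only, so credentials never land in access logs.
    header('Content-Type: application/json');
    $db = open_db(__DIR__ . '/throttle.sqlite');
    $ok = handle_login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''),
                       $_SERVER['REMOTE_ADDR'], time());
    echo json_encode(['ok' => $ok]);
}
```

Run from the command line, the walk-through shows attempts 1 to 3 answered at once, attempts 4 and 5 delayed by 2 s and 4 s, and attempt 6 refused because the username has hit five failures inside the window. Two caveats the answers already hint at: the per-username lock means a legitimate user who is being hammered is locked out too, which is the DoS trade-off mentioned in option 1, so keep the window short and log the event; and sleep() holds a PHP worker for the whole delay, which is why the delay is capped rather than growing without bound. If the server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and the per-IP counter will lump every visitor together; only substitute a forwarded-for header if the proxy is one you control and it overwrites that header.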

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow