• Hi!
    Thank you for your efforts on this great plugin.
    I have a question.
    How about making the allowed retries rand(?,?) to block brute-force attacks?
    Random retries can make login attempts difficult for automatic proxy-IP attackers. How about it?
    You know, IPs can be changed using public proxies or something like Tor.
    Thank you.

    Best regards,
    Jen

    • This topic was modified 5 years, 11 months ago by stokim.
  • Random retries can make login attempts difficult for automatic proxy IP attackers

    Not really. At least because the result of a block is just “login failed”.
    Let’s say you’ve chosen the range 3-7 instead of a fixed 5. Worst-case an attacker would waste 4 attempts – so what, the system’s not paid for by the attacker anyway.

    After some analysis I noticed that many systems try a fixed number of logins. I often saw 2-3 (which is usually not blocked), but also some with 20 attempts although the login had been blocked after 5. Unsurprisingly, there seems to be no sophisticated logic to determine the number.

    Most attacker nets are not brute-forcing anyway, more random guessing of common passwords, so it doesn’t really matter if there are 3 or 7 tries per hit.
    And if you’re facing a targeted brute-force attack via a reasonable botnet, this plugin should not be your only countermeasure and you should rather block the accounts than the originating system.

    IMO not worth playing around with randomness.
    Finally, you would have to disable the user notice (“x tries left”) at this point (or add a persistence layer) so as not to confuse users.

    Cheers,
    Stefan

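The argument in the reply above, as an added example that is not part of the thread or the plugin: a toy per-client lockout with either a fixed threshold (5) or one drawn from rand(3,7) and persisted per client (the persistence layer Stefan mentions, so the "x tries left" notice stays consistent), run against scripts that fire a fixed number of wrong guesses per source address as he observed. The client labels and attempt counts are constructed; the point it shows is that the randomized range bounds the checked guesses to the drawn threshold and, over many sources, averages out to the same 5 as the fixed setting.

```python
import random
from collections import defaultdict

class LoginLimiter:
    """Per-client lockout. The threshold is either fixed or, for the randomized
    variant proposed in the thread, drawn from rand_range the first time a client
    is seen and then stored, so later requests see a consistent "x tries left"."""

    def __init__(self, fixed=None, rand_range=None, seed=0):
        self.fixed, self.rand_range = fixed, rand_range
        self.rng = random.Random(seed)
        self.limit = {}                  # client -> persisted threshold
        self.failed = defaultdict(int)   # client -> failed attempts so far

    def threshold(self, client):
        if client not in self.limit:
            self.limit[client] = (self.fixed if self.fixed is not None
                                  else self.rng.randint(*self.rand_range))
        return self.limit[client]

    def attempt(self, client, password_ok):
        """Return (evaluated, tries_left). A locked client gets the same
        'login failed' answer whatever it sends, so evaluated is False."""
        if self.failed[client] >= self.threshold(client):
            return False, 0
        if password_ok:
            self.failed[client] = 0
            return True, self.threshold(client)
        self.failed[client] += 1
        return True, self.threshold(client) - self.failed[client]

def evaluated_guesses(limiter, clients, attempts_per_client):
    """Count how many of a script's fixed number of wrong guesses per source
    the limiter actually checks (every guess here is a wrong password)."""
    total = 0
    for c in range(clients):
        client = f"src-{c}"              # constructed source label
        for _ in range(attempts_per_client):
            evaluated, _ = limiter.attempt(client, password_ok=False)
            total += evaluated
    return total

def compare(clients=1000, attempts_per_client=20):
    """Checked guesses under fixed 5 versus rand(3,7), same attacker behaviour."""
    fixed = evaluated_guesses(LoginLimiter(fixed=5), clients, attempts_per_client)
    rnd = evaluated_guesses(LoginLimiter(rand_range=(3, 7)), clients, attempts_per_client)
    return fixed, rnd

if __name__ == "__main__":
    fixed, rnd = compare()
    print(f"guesses checked: fixed 5 -> {fixed}, rand(3,7) -> {rnd}")
```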
  • The topic ‘I have a suggestion.’ is closed to new replies.