


Recently I read an article about preventing brute-force attacks. It said that automatically disabling user accounts is a poor security mechanism to fight a dictionary attack. In the first place, if an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. In the second place, this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like "password". A hacker using a dictionary attack could try "password" for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system would only register one incorrect login per account.


Can anyone give me some suggestions to make account disabling more secure?



  1. You can keep a history of the IP address(es) that have historically been used to log in to a given account. The lockout mechanism can be helpful, but be a little more lenient on those recognized addresses to avoid making a user's bad day worse.


For the other situation with one IP trying the same password on many accounts, keep track of whether the same IP address has had a number of invalid attempts on different accounts, and lock out that IP for an hour or so.

In the case of a botnet using many IPs to try the same password on many accounts, keep track of whether there has been a barrage of IP addresses attempting the same password. If so, temporarily make it so that the password must be entered twice in a row even if it's correct. (Normal users will just think they mistyped their password.)


As mentioned, if an attack is detected, temporarily require a captcha or some other security question (in addition to pretending a valid password was incorrect on the first try). While captcha-reading tools are possible, I don't think they're prevalent just yet, and OCR requires a lot of CPU time.


08-13 20:36
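The first two mechanisms from the answer above (per-account lockout that is lenient for previously seen IPs, plus a per-IP lockout when one address fails against many different accounts), as an added illustration that is not code from the original post. The user store, salt, timestamps and thresholds are constructed for the example; `now` is passed in explicitly so the windows can be tested without waiting.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store (not real credentials): username -> (salt, PBKDF2 hash).
def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT)),
         "bob": (_SALT, _hash("password", _SALT))}   # deliberately weak password

class LoginGuard:
    """Per-account lockout that is more lenient for IPs with a prior successful login,
    plus a per-IP lockout for one address failing against many different accounts."""

    def __init__(self, acct_limit=3, acct_window=1800, known_ip_factor=3,
                 ip_accounts=5, ip_window=1800, ip_lock=3600):
        self.acct_limit, self.acct_window, self.known_ip_factor = acct_limit, acct_window, known_ip_factor
        self.ip_accounts, self.ip_window, self.ip_lock = ip_accounts, ip_window, ip_lock
        self.known_ips = defaultdict(set)    # account -> IPs that logged in successfully before
        self.acct_fails = defaultdict(list)  # account -> [(timestamp, ip)]
        self.ip_fails = defaultdict(list)    # ip -> [(timestamp, account)]
        self.ip_locked_until = {}            # ip -> unix time at which the lock expires

    @staticmethod
    def _recent(events, now, window):
        return [e for e in events if e[0] > now - window]

    def attempt(self, user, password, ip, now):
        """Returns 'ok', 'fail', 'account_locked' or 'ip_locked'; `now` is a unix timestamp."""
        if self.ip_locked_until.get(ip, 0) > now:
            return "ip_locked"
        acct_recent = self._recent(self.acct_fails[user], now, self.acct_window)
        limit = self.acct_limit * (self.known_ip_factor if ip in self.known_ips[user] else 1)
        if len(acct_recent) >= limit:
            return "account_locked"
        rec = USERS.get(user)
        if rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1]):
            self.known_ips[user].add(ip)
            self.acct_fails[user] = []
            return "ok"
        self.acct_fails[user] = acct_recent + [(now, ip)]
        ip_recent = self._recent(self.ip_fails[ip], now, self.ip_window) + [(now, user)]
        self.ip_fails[ip] = ip_recent
        # One address failing against many distinct accounts is the "constant password,
        # varied username" pattern that a per-account counter alone never notices.
        if len({u for _, u in ip_recent}) >= self.ip_accounts:
            self.ip_locked_until[ip] = now + self.ip_lock
        return "fail"
```

Failures are recorded even for usernames that do not exist, so an address sweeping a username list is caught regardless of which names are real.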