  #1 Regular Coder (joined Oct 2011, 237 posts)

    How do you guys prevent force hacking

    Hi guys,

    I was wondering what is the best way of stopping force hacking through login areas etc.

    At the moment I have a salt and pepper login area which saves the salt in md5, the password in sha256, and the pepper is unencrypted randomly generated numbers.

    So I think that is fairly secure regarding passwords etc.

    But as most of you know, there are scripts out there that can generate millions of password combos within minutes and force hack a website within seconds sometimes.

    Anyway, I was wondering what is the best way of stopping this.

    I was thinking of making it so that if the password is incorrect 3 times then it blocks access, but that would mean clients will be ringing me to make it live again.

    How do you guys solve this?

    Thanks

  #2 Regular Coder (joined Jan 2012, 271 posts)
    Record failed login attempts and disable the script for the IP address of the visitor for a period of time.

  #3 Senior Coder (joined Apr 2010, 1,460 posts)
    To add on to what jmj said. Have a maximum of 5 login attempts per email or username, and then shut down the login for that account for 30 minutes. Another thing that will stop them is after 3 attempts, make it where they have to fill out a captcha for each attempt after.
    Been a sign maker for 7 years. My business:
    American Made Signs

  #4 Regular Coder (joined Oct 2011, 237 posts)
    Quote Originally Posted by myfayt
    To add on to what jmj said. Have a maximum of 5 login attempts per email or username, and then shut down the login for that account for 30 minutes. Another thing that will stop them is after 3 attempts, make it where they have to fill out a captcha for each attempt after.
    I have a captcha in place, which generates random 6 digits from 1-100 and a-z.

    But as some will have heard, Xbox has recently been hacked by forced entry and they have captchas in place.

    You state about a lockdown for 30 minutes; this unfortunately can't happen, as the website I am building is for a restaurant with an ordering system, which means 30 minutes could mean losing an order.

    Is there not another way?

  #5 Regular Coder (joined Oct 2011, 237 posts)
    Quote Originally Posted by jmj001
    record failed login attempts and disable the script for the ip address of the visitor for a period of time
    Not really useful, as most hackers use proxy IP addresses, so this would not stop a forced entry.

  #6 Regular Coder (joined Jan 2012, 271 posts)
    Quote Originally Posted by devinmaking
    not really useful as most hackers use proxy ip addresses so this would not stop a forced entry.
    Actually it will....

    A brute force hacker will have access to a limited number of proxies, and if you give him only 5 attempts before blocking that proxy IP and he has to change it... he won't bother with your site anymore, he'll move on to somewhere that lets him blast unlimited attempts at the login...

  #7 Fou-Lu, God Emperor (Saskatoon, Saskatchewan; joined Sep 2002, 16,994 posts)
    No, flood control seems the best solution.
    There is no reason you cannot provide a password reset AND an unlock feature. Link those both through email control, so if an actual user is to lock themselves out, they can unlock it by following a provided email link. If someone has control over another's email, then there is nothing you can do there anyway since they can just reset the password directly.
    I wouldn't lock for 30 minutes in the above scenario. I would lock permanently until it's unlocked by an administrative user or the user has unlocked it themselves. Give a countdown notice on failed attempts as well, something simple like "You have used 1 of 4 login attempts. Subsequent login failures may result in the locking of this account".
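An added example, not code from the thread or from any of its posters, of the flood control described in #2, #3, #6 and #7 put together: failures are counted per subject key (use both "user:<name>" and "ip:<address>" on each attempt to get the per-account and per-IP variants), a captcha is demanded after 3 failures, the subject is locked after 5, every failure returns a countdown notice, and the lock either expires after 30 minutes (post #3) or holds until the user follows an emailed unlock link (post #7). It assumes PHP 7.4 or later with PDO and its SQLite driver; the class name, table name, thresholds and the in-memory database are my own choices, and the login attempts at the bottom are constructed input.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes PHP 7.4+ and PDO with the sqlite driver.

final class LoginThrottle
{
    public const CAPTCHA_AFTER = 3; // post #3: require a captcha from the 4th attempt on
    public const LOCK_AFTER    = 5; // post #3: lock after 5 failures

    private PDO $db;
    private ?int $lockSeconds; // 1800 = 30-minute lock (post #3); null = hold until unlock() (post #7)

    public function __construct(PDO $db, ?int $lockSeconds = 1800)
    {
        $this->db = $db;
        $this->lockSeconds = $lockSeconds;
        $db->exec('CREATE TABLE IF NOT EXISTS login_failures (subject TEXT PRIMARY KEY,
            failures INTEGER NOT NULL DEFAULT 0, locked_at INTEGER, unlock_token_hash TEXT)');
    }

    // $subject is "user:<name>" or "ip:<address>"; record both per attempt to combine #2/#6 with #3.
    private function row(string $subject): array
    {
        $st = $this->db->prepare('SELECT failures, locked_at, unlock_token_hash FROM login_failures WHERE subject = ?');
        $st->execute([$subject]);
        return $st->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'locked_at' => null, 'unlock_token_hash' => null];
    }

    public function isLocked(string $subject, ?int $now = null): bool
    {
        $now = $now ?? time();
        $r = $this->row($subject);
        if ($r['locked_at'] === null) { return false; }
        if ($this->lockSeconds === null) { return true; } // only unlock() or an administrator clears it
        if ($now - (int) $r['locked_at'] < $this->lockSeconds) { return true; }
        $this->reset($subject); // the timed lock has expired
        return false;
    }

    public function needsCaptcha(string $subject): bool
    {
        return (int) $this->row($subject)['failures'] >= self::CAPTCHA_AFTER;
    }

    // Records one failure and returns the notice to show the user (post #7's countdown).
    public function recordFailure(string $subject, ?int $now = null): string
    {
        $now = $now ?? time();
        $this->db->prepare('INSERT INTO login_failures (subject, failures) VALUES (?, 1)
            ON CONFLICT(subject) DO UPDATE SET failures = failures + 1')->execute([$subject]);
        $n = (int) $this->row($subject)['failures'];
        if ($n >= self::LOCK_AFTER) {
            $this->db->prepare('UPDATE login_failures SET locked_at = ? WHERE subject = ?')->execute([$now, $subject]);
            return 'Too many failed logins: this account is locked.';
        }
        return sprintf('You have used %d of %d login attempts. Subsequent login failures may result in the locking of this account.', $n, self::LOCK_AFTER);
    }

    // Call on a successful login and whenever a lock is cleared.
    public function reset(string $subject): void
    {
        $this->db->prepare('DELETE FROM login_failures WHERE subject = ?')->execute([$subject]);
    }

    // Post #7: a one-time token for the emailed unlock link; only its hash is stored server-side.
    public function issueUnlockToken(string $subject): string
    {
        $token = bin2hex(random_bytes(32));
        $this->db->prepare('UPDATE login_failures SET unlock_token_hash = ? WHERE subject = ?')
            ->execute([hash('sha256', $token), $subject]);
        return $token;
    }

    public function unlock(string $subject, string $token): bool
    {
        $stored = $this->row($subject)['unlock_token_hash'];
        if ($stored === null || !hash_equals($stored, hash('sha256', $token))) { return false; }
        $this->reset($subject);
        return true;
    }
}

// Demo on constructed input: five wrong passwords for one account, then the emailed unlock.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$throttle = new LoginThrottle($db, null); // null: hold the lock until unlocked, as post #7 prefers

for ($i = 1; $i <= 4; $i++) {
    echo $throttle->recordFailure('user:alice'), "\n"; // countdown notice on each failure
}
var_dump($throttle->needsCaptcha('user:alice'));   // captcha threshold has been passed
echo $throttle->recordFailure('user:alice'), "\n"; // fifth failure triggers the lock
var_dump($throttle->isLocked('user:alice'));

$token = $throttle->issueUnlockToken('user:alice');          // goes into the emailed link
var_dump($throttle->unlock('user:alice', 'not-the-token'));  // wrong token leaves the lock in place
var_dump($throttle->unlock('user:alice', $token));           // real token clears it
var_dump($throttle->isLocked('user:alice'));
```

In the login handler, check `isLocked()` and `needsCaptcha()` for both the account key and the IP key before verifying the password, call `recordFailure()` on both when it fails and `reset()` on both when it succeeds. The emailed unlock link answers the original poster's worry about customers phoning to be unlocked: the token is random, stored only as a hash, and compared with `hash_equals`, so the link is useless to anyone who does not control the mailbox, which is exactly the boundary post #7 describes.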

  #8 Regular Coder (joined Jan 2012, 271 posts)
    Quote Originally Posted by devinmaking
    i have a captcha in place, which generates random 6 digits from 1-100 and a-z

    But as some will have heard, xbox has recently been hacked by forced entry and they have captchas in place.

    You state about a lock down for 30 minutes, this unfortunately cant happen as the website i am building is for a restaurant with a ordering system which means 30 minutes could mean losing an order.

    Is there not another way?
    You can set up the form receiving script to only allow the $_POST from a specified IP address, e.g. your site...

    So when your HTML form submits to the receiving script, it will only accept it if it's from the same or an approved site/domain/IP.

    Someone trying to break in may be sending form data direct to your script and not actually be filling out the form..

    It won't stop all, but it may help.

    You talk about it being an ordering script for a restaurant, so what are you protecting that people would bother trying to break in?

    If there's stuff in there that needs to be protected as well as the ordering, then separate the 2 sections and leave the ordering process less strict than the rest of the site.

  #9 Senior Coder (New Jersey; joined Jun 2008, 2,536 posts)
    One thing I'll throw in, as the advice above is the same I'd give...

    Bear in mind, hackers going after the big names (you mentioned Xbox) do usually do the cost/return considerations. Now, don't get me wrong. No site I've built yet has been large enough or presented enough of a target to warrant mass hacking, yet I've gone through putting in the same security measures mentioned above. However, don't overthink it either. Sometimes, you just wanna build the best security you can for what you'll face. Unless you think you're the next victim of Anonymous, the above security will suffice. And if a hacker is persistent enough, unless you're a former black hat or a grey hat analyst, you likely won't stop them.

    It's about stopping them the best you can. Someone who's got a PC that can whip out a few million password attempts a second is someone who seems dedicated enough to get through regardless of security in place.

  #10 Senior Coder (Your Monitor; joined Feb 2011, 4,346 posts)
    Quote Originally Posted by jmj001
    you can setup the form receiving script to only allow the $_POST from a specified ip address, eg; your site...
    Except that the $_POST data will not come from the site's IP address, it will come from the user's.

    That said, I do use a similar method to this for one of my scripts: I use a dynamic DNS domain on my home connection. My script performs an IP lookup of that and then checks to see if $_SERVER['REMOTE_ADDR'] matches it. That won't work for large scale user bases though.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  #11 Regular Coder (joined Jan 2012, 271 posts)
    Quote Originally Posted by tangoforce
    Except that the $_POST data will not come from the site's IP address, it will come from the user's.
    You misunderstood me, or I didn't explain it clearly, I guess.

    I mean that you use $_SERVER['HTTP_REFERER'] to test where the submissions originate from; this should only be the site/page where the HTML form is sitting that the visitor fills in and submits.

    Any requests not coming from this one specific page can be blocked.

  #12 Senior Coder (joined Apr 2010, 1,460 posts)
    Sorry I didn't know it was a restaurant ordering system. I would have changed my advice.
    Been a sign maker for 7 years. My business:
    American Made Signs

  #13 Fou-Lu, God Emperor (Saskatoon, Saskatchewan; joined Sep 2002, 16,994 posts)
    Quote Originally Posted by jmj001
    You misunderstood me, or I didn't explain it clearly I guess.

    I mean that you use $_SERVER['HTTP_REFERER'] to test where the submissions originate from, this should only be the site/page where the html form is sitting that the visitor fills in and submits.

    Any requests not coming from this one specific page can be blocked.
    Referrer is controlled by the client, not the server, though, so I could mimic it from either no location or from whatever location I want.
    This alone goes to show you how much effort is actually involved in all this. It's a shame that HTTP is stateless; otherwise sessions and logins would be a lot easier than they are.

  #14 Regular Coder (joined Jan 2012, 271 posts)
    Quote Originally Posted by Fou-Lu
    Referrer is controlled by the client, not the server though, so I could mimic from either no location or from whatever location I want.
    This alone goes to show you how much effort is actually involved in this all. It's a shame that http is stateless, otherwise sessions and logins would be a lot easier than they are
    Hmmm.. never really looked into it before.. you are 100% correct...

    @OP - Please disregard what I said about the HTTP_REFERER, it's basically useless.
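An added example, not from the thread or any poster, of the point #13 and #14 settle: the Referer header is whatever the client chooses to send, so the server-controlled way to tell "submitted from the form I served" apart from "posted straight to the handler" is a random token the server stored in the session when it rendered the form and checks on the POST. It assumes plain PHP 7.4+ with no framework; the function names and field name are my own, and `$session` is an ordinary array standing in for `$_SESSION` so the script runs from the command line.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. $session stands in for $_SESSION so this runs from the CLI;
// in a web script, call session_start() and pass $_SESSION instead.

// Called while rendering the login form; the return value goes into a hidden field.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 256 random bits: not guessable, unlike a Referer string
    $session['form_token'] = $token;
    return $token;
}

// Called by the receiving script before it looks at the credentials.
function verifyFormToken(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']); // each token is good for exactly one submission
    if (!is_string($expected) || !isset($post['form_token']) || !is_string($post['form_token'])) {
        return false;
    }
    return hash_equals($expected, $post['form_token']); // constant-time comparison
}

$session = [];

// 1. Constructed request: a script posting straight to the handler. Whatever Referer it claims,
//    it never loaded the form in this session, so it has no token that matches.
issueFormToken($session);
$direct = ['username' => 'alice', 'password' => 'x', 'form_token' => 'made-up'];
var_dump(verifyFormToken($session, $direct));

// 2. Constructed request: a browser that loaded the form echoes the hidden field back.
$hidden = '<input type="hidden" name="form_token" value="'
    . htmlspecialchars(issueFormToken($session), ENT_QUOTES) . '">';
echo $hidden, "\n";
$fromForm = ['username' => 'alice', 'password' => 'x', 'form_token' => $session['form_token']];
var_dump(verifyFormToken($session, $fromForm));

// 3. Replaying that same submission fails: the token was consumed by the first check.
var_dump(verifyFormToken($session, $fromForm));
```

This does what jmj001 wanted the Referer check to do, and it cannot be forged by editing a header. It is not a brute-force control on its own, though: an attacker can still fetch the form once per guess to obtain a token for their own session, so it only forces a GET before every POST and ties each POST to a session. The failed-attempt counting and locking from earlier in the thread still have to be there.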

  #15 Spookster, Supreme Overlord (Marion, IA USA; joined May 2002, 6,278 posts)
    Quote Originally Posted by devinmaking
    Hi guys,

    i was wondering what is the best way for stopping force hacking through login areas etc.
    These aren't the logins you're looking for. <waves hand>
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster
