Recently I read an article about preventing brute-force attacks. It said that automatically disabling user accounts is a poor security mechanism to fight a dictionary attack. In the first place, if an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. In the second place, this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like “password”. A hacker using a dictionary attack could try “password” for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system would only register one incorrect login per account.
Can anyone give me some suggestions to make account disabling more secure?
A few ideas:
You can keep a history of the IP address(es) that have historically been used to log in to a given account. The lockout mechanism can be helpful, but be a little more lenient on those recognized addresses to avoid making a user’s bad day worse.
For the other situation with one IP trying the same password on many accounts, keep track of whether the same IP address has had a number of invalid attempts on different accounts, and lock out that IP for an hour or so.
In the case of a botnet using many IPs to try the same password on many accounts, keep track of whether there has been a barrage of IP addresses attempting the same password. If so, temporarily make it so that the password must be entered twice in a row even if it’s correct. (Normal users will just think they mistyped their password.)
As mentioned, if an attack is detected, temporarily require a captcha or some other security question (in addition to pretending a valid password was incorrect on the first try). While captcha-reading tools are possible, I don’t think they’re prevalent just yet, and OCR requires a lot of CPU time.
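To make the three counters in this answer concrete, here is an added example (not code from the question or the answer above) of a failed-login tracker that keeps per-account, per-source-IP and per-attempted-password state in one place. The class and method names, the limits, and the TEST-NET addresses in the simulation are all constructed for illustration; attempted passwords are stored only as a keyed hash so the tracker never retains them in clear.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class LoginThrottle:
    """Tracks failed logins three ways so that a username-varying attack
    (same password, many accounts) is noticed even though each account
    only ever sees a single failure."""

    def __init__(self, server_key, window=1800, account_limit=3, ip_limit=10, spray_limit=10):
        self.key = server_key            # secret used to fingerprint attempted passwords
        self.window = window             # seconds; older failures are forgotten
        self.account_limit = account_limit
        self.ip_limit = ip_limit
        self.spray_limit = spray_limit
        self.by_account = defaultdict(deque)   # username -> (timestamp, username)
        self.by_ip = defaultdict(deque)        # source ip -> (timestamp, username)
        self.by_password = defaultdict(deque)  # password fingerprint -> (timestamp, username)

    def _fingerprint(self, password):
        # Keyed hash: enough to see "same password across many accounts"
        # without storing the attempted password itself.
        return hmac.new(self.key, password.encode(), hashlib.sha256).hexdigest()

    def _push(self, q, now, username):
        q.append((now, username))
        while q and now - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        return q

    def record_failure(self, username, ip, password, now):
        """Record one failed login and return the set of responses that tripped."""
        acct = self._push(self.by_account[username], now, username)
        src = self._push(self.by_ip[ip], now, username)
        spray = self._push(self.by_password[self._fingerprint(password)], now, username)
        tripped = set()
        if len(acct) >= self.account_limit:
            tripped.add("lock_account")   # classic per-account lockout
        if len(src) >= self.ip_limit:
            tripped.add("lock_ip")        # one IP hammering many accounts
        if len({u for _, u in spray}) >= self.spray_limit:
            tripped.add("challenge")      # same password on many accounts: require captcha / retype
        return tripped


def simulate_spray(n_accounts, many_ips):
    """Constructed scenario: 'password' tried once against each of n_accounts users."""
    throttle = LoginThrottle(b"constructed-demo-key")
    tripped = set()
    for i in range(n_accounts):
        ip = f"203.0.113.{i % 250}" if many_ips else "203.0.113.1"
        tripped |= throttle.record_failure(f"user{i}", ip, "password", now=1000.0 + i)
    return tripped
```

Running `simulate_spray(12, many_ips=False)` trips the IP and spray detectors but never the per-account lockout, and `simulate_spray(12, many_ips=True)` (the botnet case) is caught by the spray detector alone.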