
Stop Login Brute Force Attacks

TL;DR

Brute force attacks try many usernames and passwords to guess their way into your website. This guide shows you simple ways to make these attacks much harder, protecting your users and your site.

1. Rate Limiting

Rate limiting restricts how often someone can attempt a login from the same IP address or user account. This slows down attackers significantly.

  1. Choose a rate limit: A good starting point is to allow 5-10 failed attempts within a 5-minute window per IP address. Count failures rather than every request so normal users are not penalised, and remember that an IP address is a weak key: many legitimate users share one behind corporate or carrier-grade NAT, and attackers spread their attempts across many addresses.
  2. Implement in your code: Most web frameworks have built-in features or libraries for this. Here’s an example using Python/Flask with the Flask-Limiter extension:

    from flask import Flask
    from flask_limiter import Limiter
    from flask_limiter.util import get_remote_address

    app = Flask(__name__)
    # key_func decides what each counter is keyed on; get_remote_address uses the
    # client IP (add ProxyFix if the app sits behind a trusted reverse proxy)
    limiter = Limiter(get_remote_address, app=app)

    @app.route('/login', methods=['POST'])
    @limiter.limit("5 per 5 minutes",
                   deduct_when=lambda response: response.status_code == 401)  # count failures only
    def login():
        # Your login logic here: return ("Invalid credentials", 401) on failure
        return "ok"
    
  3. Consider user-specific limits: In addition to IP address limiting, limit attempts per username too.

2. Account Lockout

After a certain number of failed login attempts, temporarily lock the account.

  1. Set a lockout threshold: Typically 3-5 failed attempts is reasonable, but remember that anyone who knows a username can deliberately trigger the lockout and deny that user access, so keep lockouts temporary and pair them with the IP rate limit above.
  2. Lockout duration: Start with a short lockout period (e.g., 15-30 minutes) and increase it for repeated offenses.
  3. Store lockout information: Keep track of the number of failed attempts and the time of the last attempt in your database, associated with the username. Reset the counter on a successful login, and return the same generic error for a locked account, an unknown username and a wrong password so the responses do not reveal which accounts exist.
  4. Implement in code:

    import datetime

    MAX_ATTEMPTS = 5            # lockout threshold
    LOCKOUT_DURATION = 15 * 60  # seconds

    def is_locked(username):
        """True while the account is inside its lockout window.

        user_exists, get_failed_attempts and get_last_attempt_time are the
        data-layer helpers from step 3 (assumed to exist in your application;
        store the timestamp as UTC so the subtraction below is valid).
        """
        if not user_exists(username):
            return False
        failed_attempts = get_failed_attempts(username)
        last_attempt_time = get_last_attempt_time(username)
        now = datetime.datetime.now(datetime.timezone.utc)
        # Locked only while MAX_ATTEMPTS have failed and the window is still open
        return (failed_attempts >= MAX_ATTEMPTS
                and (now - last_attempt_time).total_seconds() < LOCKOUT_DURATION)
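To show the two controls working together, here is an added example (not code from the original post): a self-contained Python class that keeps a per-IP sliding window of failures and a per-username lockout whose duration doubles on each repeat. The class name `LoginGuard`, the threshold values, the in-memory dictionaries and the constructed `users` store are all assumptions for the example; a real deployment keeps the counters in a shared store such as Redis so every application server sees them, and compares a slow password hash rather than the plaintext used here.

```python
import hmac
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not figures from the page.
IP_LIMIT = 5             # failed attempts allowed per IP ...
IP_WINDOW = 5 * 60       # ... inside this many seconds
USER_THRESHOLD = 5       # failures before the account is locked
BASE_LOCKOUT = 15 * 60   # first lockout in seconds; doubles on each repeat
MAX_LOCKOUT = 24 * 3600  # cap for the progressive lockout


class LoginGuard:
    """Per-IP sliding-window rate limit plus per-username progressive lockout.

    `users` is a constructed username -> password store for the example; a real
    service stores and compares a slow password hash (bcrypt/argon2) instead.
    `clock` is injectable so the timing behaviour can be tested without sleeping.
    """

    def __init__(self, users, clock=time.monotonic):
        self.users = users
        self.clock = clock
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.user_state = defaultdict(
            lambda: {"failures": 0, "locked_until": 0.0, "lockouts": 0})

    def _ip_limited(self, ip):
        now = self.clock()
        recent = self.ip_failures[ip]
        while recent and now - recent[0] > IP_WINDOW:   # expire old failures
            recent.popleft()
        return len(recent) >= IP_LIMIT

    def _credentials_ok(self, username, password):
        # Unknown users go through the same comparison so the code path (and
        # roughly its timing) does not reveal whether the username exists.
        stored = self.users.get(username, "")
        match = hmac.compare_digest(password.encode(), stored.encode())
        return match and username in self.users

    def attempt(self, ip, username, password):
        """Return 'ok', 'rate_limited', 'locked' or 'invalid'.

        The caller should show one generic message for the last three so the
        response does not distinguish locked, unknown and wrong-password cases.
        """
        now = self.clock()
        if self._ip_limited(ip):
            return "rate_limited"
        state = self.user_state[username]
        if now < state["locked_until"]:
            return "locked"
        if self._credentials_ok(username, password):
            state["failures"] = 0               # success resets the counter
            return "ok"
        # Count the failure against both the source IP and the target account.
        self.ip_failures[ip].append(now)
        state["failures"] += 1
        if state["failures"] >= USER_THRESHOLD:
            duration = min(BASE_LOCKOUT * 2 ** state["lockouts"], MAX_LOCKOUT)
            state["locked_until"] = now + duration
            state["lockouts"] += 1
            state["failures"] = 0
            return "locked"
        return "invalid"


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery"})
    for i in range(6):
        # fifth guess locks the account, sixth is refused by the IP limit
        print(guard.attempt("198.51.100.7", "alice", f"guess{i}"))
```

The rate limit is checked before the lockout so an attacker who has already tripped the IP limit cannot use further requests to probe which accounts are locked. The `lockouts` counter never resets in this example, so each repeat offence lengthens the lockout up to the cap; decaying it after a quiet period is a reasonable refinement.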

3. Strong Password Policies

Encourage or enforce strong passwords to make brute force attacks less effective. Current guidance (NIST SP 800-63B) favours length and breach screening over composition rules and scheduled rotation, which mostly push users toward predictable patterns such as "Summer2024!".

  • Minimum length: Require at least 12 characters, allow long passphrases, and never silently truncate what the user typed.
  • Breached-password screening: Reject passwords that appear in known breach corpora (for example via the Have I Been Pwned range API, which only ever sees the first five characters of the SHA-1 hash). These lists are exactly what a brute force tool tries first; mandatory mixes of uppercase letters, lowercase letters, numbers and symbols add little against them.
  • Password history: Prevent users from reusing recent passwords, comparing against stored hashes rather than plaintext.
  • Password updates: Require a change when there is evidence of compromise rather than on a fixed schedule (e.g., every 90 days), which NIST now advises against.
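An added example (not the page's code) of a policy check along those lines in Python: length bounds, a breached-password lookup done the k-anonymity way (the five-character SHA-1 prefix selects a bucket, the suffix is matched locally) and a history check against salted PBKDF2 hashes. The breach corpus is a constructed five-entry list standing in for a real service, `fetch_range` is an assumed interface for that lookup, and the 128-character upper bound is an assumed value.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12     # from the policy above
MAX_LENGTH = 128    # allow long passphrases but bound hashing cost (assumed value)

# Constructed stand-in for a breach corpus; a real check queries a service.
_SAMPLE_BREACHED = ["password", "Password123!", "correcthorsebatterystaple",
                    "qwerty123456", "Summer2024!"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way a k-anonymity "range" lookup is served: the first
# five hex characters of the SHA-1 select a bucket of "SUFFIX:COUNT" lines, so
# a client only ever sends the 5-character prefix, never the password or hash.
_RANGE_INDEX = {}
for _pw in _SAMPLE_BREACHED:
    _h = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:1")


def fetch_range(prefix):
    """Offline stand-in for the network range query (assumed interface)."""
    return _RANGE_INDEX.get(prefix, [])


def is_breached(password):
    """True if the password's SHA-1 suffix appears in its prefix bucket."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":")[0] == suffix for line in fetch_range(prefix))


def hash_password(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 for stored history entries (stdlib only; bcrypt or
    argon2id is the better choice when a library is available)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_history_entry(password):
    """(salt, hash) pair to keep in the user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password(password, previous=()):
    """Return the list of policy failures; an empty list means accepted.

    `previous` is an iterable of (salt, hash) pairs for the user's recent
    passwords, as produced by new_history_entry().
    """
    pw = unicodedata.normalize("NFKC", password)   # same text -> same bytes every time
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(pw):
        problems.append("appears in a breach corpus")
    if any(hmac.compare_digest(hash_password(pw, salt), digest)
           for salt, digest in previous):
        problems.append("matches a recent password")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correcthorsebatterystaple", "lamp-horizon-kettle-42"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Because the history entries are salted hashes, the check has to recompute one PBKDF2 per stored entry; keep the history short (the last few passwords) so this stays cheap.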

4. Captchas

Use CAPTCHAs to distinguish between humans and bots.

  • Implement on the login form: Present a CAPTCHA after a certain number of failed attempts or if suspicious activity is detected, rather than on every login, and always verify the CAPTCHA token on the server; a client-side check alone is bypassed by any script that posts straight to the login endpoint.
  • Choose a reputable CAPTCHA provider: Google reCAPTCHA is a popular option. Note that v2 presents a visible challenge, while v3 returns a risk score with no challenge and leaves the decision (for example, requiring a second factor below a threshold) to your code. CAPTCHAs raise the cost of automation but do not stop it, since solver services exist, so treat them as one layer alongside rate limiting.

5. Two-Factor Authentication (2FA)

Add an extra layer of security by requiring a second verification method, so a guessed password alone is not enough to log in.

  • SMS codes: Send a code to the user’s phone. This is the weakest option, since numbers can be hijacked by SIM swapping and the code can be phished, but it is still far better than a password alone.
  • Authenticator apps: Use apps like Google Authenticator or Authy, which generate time-based one-time codes (TOTP, RFC 6238) from a shared secret enrolled once via a QR code. Verify the code in constant time and reject any code that has already been accepted.
  • Where possible, prefer phishing-resistant methods such as hardware security keys or passkeys (WebAuthn), which bind the login to the site’s origin.
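Added example (not from the original page) of the server side of an authenticator-app second factor: HOTP (RFC 4226) and TOTP (RFC 6238) in standard-library Python, a `verify_totp` check with a one-step skew window and replay protection via the last accepted counter, and the otpauth:// provisioning URI the app scans at enrolment. The function names are my own, and the secret in the demo is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix time / step)."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, last_counter, now=None, step=30, window=1, digits=6):
    """Validate a submitted code on the server.

    Accepts the current step and `window` steps either side (clock skew),
    compared in constant time, but never a counter at or below `last_counter`,
    so a code that was already accepted cannot be replayed inside the window.
    Returns the accepted counter (persist it as the new last_counter) or None.
    """
    if len(code) != digits or not code.isdigit():
        return None
    t = int(time.time() if now is None else now)
    current = t // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI for enrolment; the authenticator app scans it as a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    code = totp(secret)
    accepted = verify_totp(secret, code, last_counter=-1)
    print(code, "accepted at counter", accepted)
    print("replay ->", verify_totp(secret, code, last_counter=accepted))
```

Store the per-user secret encrypted at rest and the last accepted counter next to it; without the counter check, the ±1 step window lets a code that was phished seconds earlier be replayed for up to 90 seconds. Rate-limit the code endpoint as well: a six-digit code has only a million values, so unlimited guesses would defeat it quickly.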

6. Monitor Login Attempts

Keep an eye on login logs for unusual patterns; the controls above only work against the attacks you can see.

  • Log IP addresses, usernames, timestamps, and success/failure status for every attempt (never the password itself), in a format that is easy to parse.
  • Set up alerts: Notify you of a high number of failed attempts from the same IP address or for specific accounts, of one IP address failing against many different usernames (password spraying, which per-account lockouts miss), and of a successful login that follows a burst of failures from the same source.
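Added example (not from the original page) of that detection logic run over a constructed log sample: it parses lines of the form `<iso-timestamp> login <success|failure> user=<u> ip=<a>`, keeps a five-minute window, and raises the alerts described above. The line format, thresholds, rule names and sample addresses are assumptions for the example; adapt the regular expression to whatever your application actually writes.

```python
import re
from datetime import datetime, timedelta

# Line format and thresholds are assumptions for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
WINDOW = timedelta(minutes=5)
IP_FAILURES = 10    # failures from one IP: classic brute force
SPRAY_USERS = 5     # distinct usernames failing from one IP: password spraying
TARGET_IPS = 3      # distinct IPs failing on one username: distributed attack


def parse(lines):
    """Parse log lines into events sorted by time, skipping malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Sliding-window scan; returns sorted, de-duplicated (rule, key) alerts.

    Quadratic in the number of events, which is fine for a batch of recent
    lines; a streaming version would keep per-IP and per-user deques instead.
    """
    events = parse(lines)
    alerts = set()
    for i, ev in enumerate(events):
        recent = [e for e in events[:i]
                  if e["result"] == "failure" and ev["ts"] - e["ts"] <= WINDOW]
        same_ip = [e for e in recent if e["ip"] == ev["ip"]]
        if ev["result"] == "success":
            # A success right after a burst of failures from the same IP is
            # the signal that a guess landed: the alert that matters most.
            if len(same_ip) >= IP_FAILURES:
                alerts.add(("success_after_burst", ev["ip"]))
            continue
        same_ip.append(ev)
        if len(same_ip) >= IP_FAILURES:
            alerts.add(("ip_brute_force", ev["ip"]))
        if len({e["user"] for e in same_ip}) >= SPRAY_USERS:
            alerts.add(("password_spray", ev["ip"]))
        same_user = [e for e in recent if e["user"] == ev["user"]] + [ev]
        if len({e["ip"] for e in same_user}) >= TARGET_IPS:
            alerts.add(("distributed_on_account", ev["user"]))
    return sorted(alerts)


# Constructed sample log (not real traffic): a spray across six accounts, a
# distributed attack on "admin", a single-IP burst on "alice" that then
# succeeds, a normal login, and one junk line the parser must skip.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i} login failure user={u} ip=203.0.113.5"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-05-01T10:01:{s:02d} login failure user=admin ip=198.51.100.{n}"
       for n, s in ((1, 0), (2, 10), (3, 20))]
    + [f"2024-05-01T10:02:{s:02d} login failure user=alice ip=192.0.2.9"
       for s in range(10)]
    + ["2024-05-01T10:03:00 login success user=alice ip=192.0.2.9",
       "2024-05-01T10:03:05 login success user=bob ip=198.51.100.200",
       "this line is not a login record"]
)

if __name__ == "__main__":
    for rule, key in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {key}")
```

The spray rule is the one most deployments lack: six failures spread over six accounts never trip a per-account lockout, and fall under the per-IP threshold too, yet the pattern of one source touching many usernames once each is unmistakable in the logs.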