TL;DR
Yes. Limiting failed login attempts is a basic cyber security control. Three attempts before a temporary lockout is a conservative starting point; many systems allow 5 to 10 so that a user who mistypes is not locked out, and the right number depends on your system and users. This guide explains how to implement it effectively.
How Login Attempt Limits Help
Limiting failed login attempts helps protect against:
- Brute-force attacks: An attacker tries many passwords against one account as fast as the server answers.
- Dictionary attacks: The same, but drawn from lists of common or leaked passwords, so far fewer guesses are needed.
- Credential stuffing: Trying username/password pairs stolen from other sites. Each account may see only one or two attempts here, so a per-account limit on its own does little; a per-IP limit and MFA are the controls that bite.
Implementing Login Attempt Limits
Here’s how to set up login attempt limits, covering different approaches:
1. Server-Level Configuration (e.g., Linux)
Many servers have built-in tools. For example, using fail2ban on Linux is a common approach.
- Install fail2ban:

```shell
sudo apt update && sudo apt install fail2ban
```

- Configure for SSH (example): Edit the jail configuration file, usually /etc/fail2ban/jail.local, or create a new config in /etc/fail2ban/jail.d/ssh.conf. maxretry counts failures within findtime (10 minutes by default); once it is reached the source address is banned for bantime. Add your own management addresses to ignoreip in the [DEFAULT] section first, or a few typos will lock you out of your own server.

```ini
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3
# Ban for 10 minutes (the value is in seconds)
bantime = 600
```

- Restart fail2ban:

```shell
sudo systemctl restart fail2ban
```

- Check status (lists currently banned addresses and the failure count):

```shell
sudo fail2ban-client status sshd
```
2. Web Server Configuration (e.g., Apache, Nginx)
Web servers often have modules or features for rate limiting. They count requests per client address in front of the application, which cheaply absorbs floods but cannot tell a failed login from a successful one.
- Apache: Use mod_evasive or mod_security (ModSecurity). Both are configured within your Apache virtual host files.
- Nginx: Use the limit_req_zone and limit_req directives in your server blocks. limit_req_zone defines a shared-memory zone keyed on, for example, $binary_remote_addr with a rate such as 5r/m; limit_req then applies that zone inside the location block that serves the login endpoint, so the rest of the site is unaffected.
Note: Web server configurations are complex and depend on your setup. Consult the specific documentation for details.
3. Application-Level Implementation
This is the most flexible approach, done within your website or application code (e.g., PHP, Python, Node.js), and the only one that can count failures per account rather than per client address.
- Track Failed Attempts: Store failed login attempts per username and per IP address in a database or cache (Redis is good for speed). Keep the counter server-side: a counter kept in the client's session or cookie is reset simply by discarding the cookie.
- Implement a Limit: Before checking the password, look up the number of recent failures for both the username and the source address.
- If attempts reach the limit (e.g., 3), block further attempts for a period (e.g., 5 minutes) and return the same generic error that a wrong password produces, so the response does not reveal which accounts exist or are locked.
- Consider locking the account entirely after repeated lockouts, with a recovery path for the legitimate user.
- Example (Conceptual PHP):

```php
<?php
// Conceptual example. $_SESSION is tied to the client's cookie, so an attacker
// who discards the cookie gets a fresh counter: real code keys the count
// server-side by username and client IP (database or Redis), as described above.
session_start();
$maxAttempts = 3;
$attemptsKey = 'login_attempts';
$attemptCount = $_SESSION[$attemptsKey] ?? 0;
if ($attemptCount >= $maxAttempts) {
    echo 'Account locked. Try again later.';
    exit();
}
// Validate login (verifyCredentials() is a placeholder for your own check)...
if (!verifyCredentials($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    $attemptCount++;
    $_SESSION[$attemptsKey] = $attemptCount;
    echo 'Invalid username or password.';
} else {
    unset($_SESSION[$attemptsKey]); // clear the counter on success
}
?>
```
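The following is an added example, not code from the original guide: a server-side failed-login tracker in Python that keys a sliding-window counter on both the username and the client IP, locks either key for a fixed period once the limit is hit, and returns the same generic error whether a password was wrong or a key is locked. The user table, the sample addresses and the `FakeClock` are constructed for the demo; an in-process dict stands in for Redis or a database table.

```python
"""Added example (not from the original page): server-side failed-login tracking
with a sliding window and a temporary lockout, keyed per username and per client
IP. The store is an in-process dict standing in for Redis or a database table;
the clock is injectable so the behaviour can be exercised without waiting.
"""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed credential store for the demo. Real code stores password hashes
# (bcrypt/argon2) and verifies through the hash library, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def verify_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


@dataclass
class LoginLimiter:
    max_attempts: int = 3               # failures tolerated inside one window
    window: float = 300.0               # seconds a failure keeps counting
    lockout: float = 300.0              # seconds a key stays locked after the limit is hit
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def retry_after(self, key: str) -> float:
        """Seconds until `key` may try again; 0.0 when it is not locked."""
        return max(0.0, self._locked_until.get(key, 0.0) - self.clock())

    def record_failure(self, key: str) -> None:
        now = self.clock()
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            recent = []                 # fresh window once the lockout expires
        self._failures[key] = recent

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter: LoginLimiter, username: str, ip: str, password: str) -> dict:
    """One login attempt. Lock state is checked before the password, so a locked
    key costs no hashing work; failures count against the user and the IP, so
    neither rotating addresses nor spraying many accounts from one address escapes."""
    user_key, ip_key = f"user:{username.lower()}", f"ip:{ip}"
    wait = max(limiter.retry_after(user_key), limiter.retry_after(ip_key))
    if wait > 0:
        # Same response whichever key is locked: do not reveal which one.
        return {"ok": False, "reason": "locked", "retry_after": round(wait)}
    if verify_password(username, password):
        limiter.record_success(user_key)  # the IP key stays: the address may be shared with an attacker
        return {"ok": True, "reason": None, "retry_after": 0}
    limiter.record_failure(user_key)
    limiter.record_failure(ip_key)
    # Generic message: do not confirm whether the username exists.
    return {"ok": False, "reason": "invalid", "retry_after": 0}


class FakeClock:
    """Deterministic stand-in for time.monotonic(), for the demo and tests."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Three wrong passwords lock alice; the right password is refused during the
    lockout and accepted once it has expired."""
    clock = FakeClock()
    limiter = LoginLimiter(max_attempts=3, window=300, lockout=300, clock=clock)
    ip, good = "203.0.113.7", "correct horse battery staple"
    results = [attempt_login(limiter, "alice", ip, pw)["reason"] for pw in ("a", "b", "c")]
    results.append(attempt_login(limiter, "alice", ip, good)["reason"])
    clock.advance(301)
    results.append(attempt_login(limiter, "alice", ip, good)["reason"])
    return results


if __name__ == "__main__":
    print(demo())  # ['invalid', 'invalid', 'invalid', 'locked', None]
```

In production, replace the two dicts with Redis keys that carry a TTL equal to the window and lockout, so expiry needs no housekeeping, and keep the generic error text identical in length and timing for the locked and the wrong-password cases.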
4. Multi-Factor Authentication (MFA)
While not a direct replacement for attempt limits, MFA significantly reduces the risk of successful attacks even if passwords are compromised.
Important Considerations
- Lockout Duration: Balance security with user convenience. A temporary lockout of a few minutes, growing with each further lockout, already makes online guessing impractical without leaving a user who mistyped locked out for long.
- Account Recovery: Provide a clear account recovery process (e.g., email reset) for locked accounts, and rate-limit that path as well, or attackers will simply move to it.
- IP Blocking vs. Account Locking: IP blocking affects legitimate users behind the same NAT or proxy and is sidestepped by an attacker with many addresses; account locking follows the targeted account wherever the attempts come from, but a permanent lock lets an attacker deny service to a user just by guessing wrong. Use both, with temporary lockouts.
- Logging and Monitoring: Log every failed attempt with timestamp, username, source IP and outcome (never the submitted password), so that both a burst from one address and a slow, distributed attack on one account can be spotted.
- Rate Limiting: Rate-limit overall requests, not just logins, to blunt denial-of-service (DoS) attacks.