
Can anyone please let me know about the term "Account Lockout"? And how do I implement it in PHP? The information below I got from a website security/audit tool called "ACUNETIX".

Description

"A common threat web developers face is a password-guessing attack known as a brute force attack. A brute force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until you discover the one correct combination that works.

This login page does not have any protection against password-guessing attacks (brute force attack). Consult Web references for more information about fixing this problem.

Impact

An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers and symbols until it discovers the one correct combination that works.

Recommendation

It's recommended to implement some type of account lockout after a defined number of incorrect password attempts."

Prabhu M

2 Answers


Account lockout is a password policy that may be used to lock user accounts after too many failed bind attempts. Once an account has been locked, that user will not be allowed to authenticate.

You can look at this PHP example:

http://www.weberdev.com/get_example-1380.html

You need to save in the DB how many times the user tries and fails to log in;

after 3 times, you block the user from entering your site.

Haim Evgi

OpenID

You SHOULD not create a login system yourself but use OpenID (LightOpenID is a very good OpenID library for PHP). The good OpenID providers already have measures against this in place.

CAPTCHA

But if you really want to do it yourself, the easiest way to protect yourself against this is validating that a user (not an automated script) submits your form, by using a CAPTCHA. In my opinion all the other schemes could have flaws. But another scheme you could also use is to let your script sleep on an invalid login (and increase the sleep with each wrong try).

Alfred
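The counter-in-the-database lockout from the first answer and the growing delay from the second, combined in one added example (not code from either answer or from the linked page). It uses an in-memory SQLite database through PDO so it runs stand-alone; the table layout, the limit of 3 attempts and the 15-minute lock window are assumptions.

```php
<?php
// Added example: account lockout via a per-user failed-attempt counter,
// plus a delay that grows with each failure. Table/column names, the
// attempt limit and the lock duration are assumptions for this demo.
const MAX_ATTEMPTS = 3;    // lock after this many consecutive failures
const LOCKOUT_SECS = 900;  // lock lasts 15 minutes

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
    failed_attempts INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NULL)');
// Constructed sample account.
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function attemptLogin(PDO $db, string $user, string $pass): string {
    $st = $db->prepare('SELECT * FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $now = time();
    // A locked account is refused before the password is even checked,
    // so guessing the right password during the window does not help.
    if ($row && $row['locked_until'] !== null && $row['locked_until'] > $now) {
        return 'locked';
    }
    // Verify against a dummy hash for unknown users so response time
    // does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row && password_verify($pass, $hash)) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL
                      WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    if ($row) {
        $fails = $row['failed_attempts'] + 1;
        $lock  = $fails >= MAX_ATTEMPTS ? $now + LOCKOUT_SECS : null;
        $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ?
                      WHERE username = ?')->execute([$fails, $lock, $user]);
        // Growing delay: 250 ms per accumulated failure (short for the demo).
        usleep(min($fails, 5) * 250000);
        return $lock ? 'locked' : 'invalid';
    }
    return 'invalid';
}

// Three wrong guesses lock the account; the correct password is then refused.
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse'] as $p) {
    echo "alice / $p => ", attemptLogin($db, 'alice', $p), PHP_EOL;
}
```

The sleep holds a PHP worker for the duration, so the stored counter with a lock window is the part that actually limits guessing; a time-limited lock also means an attacker who knows a username cannot lock the real user out forever.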