Brute-force attack failsafe login in ASP.NET

I just read an article that says passwords with 7 characters are no longer secure. However, if the server increases the time it takes to retry after each login attempt, brute-force attacks are futile. How do you create such logic in ASP.NET? For some reason, I assume that the server-side code should remember the IP address that was trying to log in and should increase the response time with each new attempt?

+3
4 answers

An IP address is not a reliable way of identifying a user. You might try to save the time of the last login attempt in a cookie, but if the browser does not accept cookies this will be of limited use. Session variables also require cookies, so they are out too.

Some sites (Yahoo comes to mind) start showing a CAPTCHA form after the third attempt. You must answer the CAPTCHA correctly in addition to entering your login details.

Another option is to disable the account after X unsuccessful attempts (which can be tracked in your database), but I personally don't like it, because it tends to force me to call someone to get my password reset when I forget it.

+4
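The two ideas in the answer above, an escalating delay after each failure and a temporary lockout once a counter reaches X, can be combined in one small per-account tracker. The following is an added example written for this page, not code from the answer or from ASP.NET Membership. It keys on the account name rather than the client IP (which the answer says is unreliable), uses an in-memory dictionary in place of the database table the answer mentions, and the thresholds (5 failures, 1 s base delay, 15 min lockout) are assumed values; the injected clock exists only so the behaviour can be reproduced deterministically.

```csharp
using System;
using System.Collections.Concurrent;

// Added example (not from the original answer): per-account failed-login
// throttling with a doubling delay and a lockout after a fixed number of failures.
public sealed class LoginThrottle
{
    private sealed class Record
    {
        public int Failures;
        public DateTime NotBefore = DateTime.MinValue;
    }

    // Stands in for the "tracked in your database" table from the answer.
    private readonly ConcurrentDictionary<string, Record> _records =
        new ConcurrentDictionary<string, Record>(StringComparer.OrdinalIgnoreCase);

    private readonly int _maxFailures;   // assumed: 5
    private readonly TimeSpan _baseDelay; // assumed: 1 s
    private readonly TimeSpan _lockout;   // assumed: 15 min
    private readonly Func<DateTime> _now;

    public LoginThrottle(int maxFailures, TimeSpan baseDelay, TimeSpan lockout, Func<DateTime> now = null)
    {
        _maxFailures = maxFailures;
        _baseDelay = baseDelay;
        _lockout = lockout;
        _now = now ?? (() => DateTime.UtcNow);
    }

    // How long this account must still wait before the next attempt is processed.
    // Check this before verifying the password, and return the same generic
    // "login failed" message whether the wait or the password was the reason.
    public TimeSpan RemainingDelay(string account)
    {
        if (!_records.TryGetValue(account, out var r)) return TimeSpan.Zero;
        var wait = r.NotBefore - _now();
        return wait > TimeSpan.Zero ? wait : TimeSpan.Zero;
    }

    public bool IsLockedOut(string account) =>
        _records.TryGetValue(account, out var r) && r.Failures >= _maxFailures && r.NotBefore > _now();

    // Call after a failed password check. The delay doubles with each failure
    // (1 s, 2 s, 4 s, ...) and becomes a lockout once the limit is reached.
    public void RecordFailure(string account)
    {
        var r = _records.GetOrAdd(account, _ => new Record());
        lock (r)
        {
            r.Failures++;
            if (r.Failures >= _maxFailures)
            {
                r.NotBefore = _now() + _lockout;
            }
            else
            {
                // base * 2^(failures-1); the exponent is capped so the product cannot overflow
                double factor = Math.Pow(2, Math.Min(r.Failures - 1, 10));
                r.NotBefore = _now() + TimeSpan.FromTicks((long)(_baseDelay.Ticks * factor));
            }
        }
    }

    // Call after a successful login: clears the counter and any pending delay.
    public void RecordSuccess(string account) => _records.TryRemove(account, out _);
}

public static class LoginThrottleDemo
{
    public static void Main()
    {
        // Fixed clock so the run is reproducible (constructed value).
        var clock = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var throttle = new LoginThrottle(5, TimeSpan.FromSeconds(1), TimeSpan.FromMinutes(15), () => clock);

        for (int i = 1; i <= 5; i++)
        {
            throttle.RecordFailure("alice");
            Console.WriteLine($"failure {i}: wait {throttle.RemainingDelay("alice")}, locked={throttle.IsLockedOut("alice")}");
        }
        // Waits grow 1 s, 2 s, 4 s, 8 s; the fifth failure sets a 15 min wait and locked=True.
        throttle.RecordSuccess("alice");
        Console.WriteLine($"after success: wait {throttle.RemainingDelay("alice")}");
    }
}
```

Because the counter is per account, a single attacker cannot be slowed across many accounts by this alone; that is what the per-IP bucketing and CAPTCHA ideas in the other answers address. Keying on the account also has the cost the answer notes: an attacker who knows a username can keep it locked, so the lockout window should stay short and the lockout event should be logged and alerted on.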

. , , "" .

+2

ASP.NET , . maxInvalidPasswordAttempts Membership.

7 - ( 7 char ), , .

7 8 , : " ", SSL- . . 8 9 ? , . , - .

ASP.NET , .

ASP.NET Membership , :

  • HTTPS
  • CSRF
  • - ASP.NET , IIS, ASP.NET
  • , (CAPTCHA)

. OWASP

+2

, , :

  • . , . CAPTCHA ( , ).
  • . , () 3 , . CAPTCHA IP , IP- ( X-Forwarded-For - ). ; /, IP-.
  • . 50 (NTLM MD4, ), 8- (8 × log2(94) ≈ 52.4).

try-per-IP , . bucketize ( 10 , 10 ). , , IP-, , , IPv4 ()/24.

, cookie , , (128- ). "" , cookie (, 3 cookie, IP- ). , , , CAPTCHA, .

In general, it is more useful to talk about password entropy than about password length and "character types" - I am pretty sure that almost everyone simply capitalizes the first letter and sticks a one on the end. I also do not see any human-like password generators that also determine the entropy of passwords.

+1
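The answer above counts attempts per IP in fixed buckets (10 attempts per 10-minute bucket) and groups IPv4 clients by their /24 so that rotating through a small address block shares one counter. The following is an added example written for this page, not code from the answer; the limit and window are the answer's numbers but are passed in as parameters, the in-memory dictionary stands in for whatever store the application uses, and treating IPv6 addresses as whole keys is an assumption since the answer gives no IPv6 rule.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

// Added example (not from the original answer): per-network attempt counting in
// fixed time buckets, returning false once a bucket exceeds its limit.
public sealed class IpAttemptBuckets
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly Dictionary<string, int> _counts = new Dictionary<string, int>();
    private readonly int _limit;     // assumed from the answer: 10 attempts
    private readonly TimeSpan _window; // assumed from the answer: 10 minutes

    public IpAttemptBuckets(int limit, TimeSpan window) { _limit = limit; _window = window; }

    // Normalise the client address: IPv4 -> its /24 network, IPv6 -> as-is (assumption).
    // Use the TCP peer address here; only trust X-Forwarded-For when a proxy you
    // control sets it, otherwise the client chooses its own bucket.
    public static string NetworkKey(IPAddress addr)
    {
        if (addr.AddressFamily == AddressFamily.InterNetwork)
        {
            byte[] b = addr.GetAddressBytes();
            return $"{b[0]}.{b[1]}.{b[2]}.0/24";
        }
        return addr.ToString();
    }

    // Bucket id = number of whole windows since the epoch, so every attempt inside
    // the same 10-minute span shares a counter and old buckets simply go unused.
    private string BucketKey(IPAddress addr, DateTime utcNow)
    {
        long bucket = (utcNow - Epoch).Ticks / _window.Ticks;
        return $"{NetworkKey(addr)}|{bucket}";
    }

    // Count one attempt. Returns false once the bucket is over its limit; the
    // answer's suggestion at that point is to require a CAPTCHA rather than refuse.
    public bool Allow(IPAddress addr, DateTime utcNow)
    {
        string key = BucketKey(addr, utcNow);
        lock (_counts)
        {
            _counts.TryGetValue(key, out int n);
            n++;
            _counts[key] = n;
            return n <= _limit;
        }
    }
}

public static class IpAttemptBucketsDemo
{
    public static void Main()
    {
        var buckets = new IpAttemptBuckets(10, TimeSpan.FromMinutes(10));
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock

        // Two constructed clients in the same /24 share one counter.
        var a = IPAddress.Parse("10.0.0.5");
        var b = IPAddress.Parse("10.0.0.77");
        for (int i = 0; i < 10; i++) buckets.Allow(i % 2 == 0 ? a : b, now);

        Console.WriteLine(buckets.Allow(a, now));                  // False: 11th attempt in the bucket
        Console.WriteLine(buckets.Allow(a, now.AddMinutes(10)));   // True:  next 10-minute bucket
        Console.WriteLine(buckets.Allow(IPAddress.Parse("10.0.1.5"), now)); // True: different /24
    }
}
```

The bucket key folds the time into the dictionary key, so there is no timer to expire entries; a periodic sweep that drops keys whose bucket number is older than the current one keeps memory bounded. Because the limit applies to a whole /24, a large NAT or corporate proxy can hit it with legitimate traffic, which is another reason the answer pairs the counter with a CAPTCHA rather than a hard block.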

Source: https://habr.com/ru/post/1760617/
