GetLuna / Luna

Luna is an easy and beautiful solution to build your own board.
http://getluna.org
GNU General Public License v2.0

Brute Force attack on Luna #1363

Open mohsennirouzad opened 8 years ago

mohsennirouzad commented 8 years ago

Hello, I installed Luna "Cornflower Blue Preview 1" on my localhost (WAMP server). My administrator account info was: "Username: Administrator, Password: 75144920". I wanted to test Luna's defenses against brute force attacks, but when I started cracking the administrator's password on the login page (at index.php) I didn't see any defense against brute force, and Luna allowed the password cracking attack. I wondered about this and looked for any setting for this section, but I found nothing... This is very, very important because most users don't use a strong password like me, and it will be DANGEROUS.

Attack information:
- Attacker: HP Pavilion G6 at localhost (offline mode)
- Host software: Luna Cornflower Blue Preview 1
- Browser agent: Mozilla Firefox v.41
- Add-on for brute force: FireForce
- Result: If I had continued, I'm sure the password would have been found....

Best solution: send a number ID with the login request (it is incremented on every login attempt) and save it in a session or database. If this number equals 5, Luna shows a captcha or refuses the login for 30 seconds. Like this form:

```php
<?php
// By: Mohsen Nirouzad
$pre_tries = (int) ($_REQUEST["login_tries"] ?? 0); // counter from the previous attempt
$tries = $pre_tries + 1;
?>
<!-- hidden field reconstructed: the original HTML was stripped on rendering -->
<input type="hidden" name="login_tries" value="<?php echo $tries; ?>">
<input type="submit" value="Login">
```

MyBB uses this approach to defend against brute force attacks too... I think I've sent too many requests to Luna support. Don't be angry, Yannick!

Namnodorel commented 7 years ago

I'd suggest using reCAPTCHA for this one (maybe after 3 failed login attempts on an account within an hour). It is easy to implement, it works well and is a good choice in terms of UX because so many other websites use it that it has a known, consistent look for the user. If I see the reCAPTCHA field, I immediately know what is expected from me.
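As an added example (not Luna's code, nor code from either commenter), here is the server-side version of the counter proposed above: mohsennirouzad's threshold of 5 failures with a 30-second refusal, combined with Namnodorel's one-hour window and CAPTCHA fallback. The counter must live on the server, because a value carried in the request such as `login_tries` can be set to anything by the client; the in-memory array and the class and method names are assumptions standing in for a session or database table.

```php
<?php
// Added example, not Luna's code: a server-side failed-login throttle keyed by
// account, so a client cannot reset it by editing a parameter like login_tries.
// The array store is an assumption standing in for a DB or session table.
final class LoginThrottle
{
    private array $failures = [];           // username => failure timestamps
    public function __construct(
        private int $maxFailures = 5,       // failures tolerated in the window
        private int $windowSeconds = 3600,  // sliding window: one hour
        private int $lockSeconds = 30       // hard cool-down after the threshold
    ) {}
    /** State for the next attempt: 'allow', 'locked' or 'captcha'. */
    public function check(string $user, int $now): string
    {
        $recent = $this->recentFailures($user, $now);
        if ($recent === [] || count($recent) < $this->maxFailures) {
            return 'allow';
        }
        // Refuse outright for lockSeconds after the last failure, then keep
        // demanding a CAPTCHA until the failures age out of the window.
        return ($now - max($recent)) < $this->lockSeconds ? 'locked' : 'captcha';
    }
    public function recordFailure(string $user, int $now): void
    {
        $kept = $this->recentFailures($user, $now);   // drop stale entries
        $kept[] = $now;
        $this->failures[$user] = $kept;
    }
    public function recordSuccess(string $user): void
    {
        unset($this->failures[$user]);   // a real login clears the history
    }
    private function recentFailures(string $user, int $now): array
    {
        $cutoff = $now - $this->windowSeconds;
        return array_values(array_filter(
            $this->failures[$user] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
    }
}
// Demo with constructed timestamps (seconds): five failures, then a check in the cool-down, one after it, one after a successful login.
$throttle = new LoginThrottle();
foreach ([1000, 1001, 1002, 1003, 1004] as $t) { $throttle->recordFailure('Administrator', $t); }
echo $throttle->check('Administrator', 1010), PHP_EOL;
echo $throttle->check('Administrator', 1040), PHP_EOL;
$throttle->recordSuccess('Administrator');
echo $throttle->check('Administrator', 1041), PHP_EOL;
```

Keying only by account name means repeated failures from anyone can lock the Administrator account for everyone, so a deployment should also key by source address or prefer the CAPTCHA state over a hard lock.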