OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

AdvancePasswordManagement::isBruteForce() is not correctly implemented #63

Closed shivamdixit closed 10 years ago

shivamdixit commented 11 years ago

isBruteForce must return "TRUE" if the time between two consecutive attempts is less than "bruteForceLockTimePeriod", but according to the definition it will return TRUE only when the time since the last login attempt is less than bruteForceLockTimePeriod and the total login attempts have exceeded bruteForceLockAttempts. Below is one of the definitions of "Brute Force" described in the class:

public static $bruteForceLockTimePeriod = 5; //5 SEC - This defines the time-period after which next login attempt must be carried out. E.g if the time is 5 sec, then time-period between two login attempts must minimum be 5 sec, otherwise it will be considered brute-force attack.

rash805115 commented 11 years ago

Hello Shivam,

Nice point. However, consider this. You cannot flag a brute force if 2 attempts were made within 5 sec. The reason is that suppose I increase the time to 30 sec. Then definitely two attempts can be made in 30 sec. So, we need to count the number of times the login attempt has been made in this time period. Once the maximum login attempts have been maxed out, we are then certain that it is indeed a brute force attack.

P.S.: Sorry for the late response. I was travelling.

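To make the two readings in this thread concrete, here is an added example (not phpsec's own code; the `BruteForcePolicy` class, its method names and the sample timestamps are constructed for illustration). `isBruteForceByGap` implements the issue's reading, where any two consecutive failures closer together than the lock period count as brute force; `isBruteForceByCount` implements the reply's reading, where brute force is declared only when the number of failures inside one lock period exceeds the allowed count. Run against a user who mistypes twice and against a rapid automated burst, the first check flags both while the second flags only the burst, which is the false-positive point rash805115 makes.

```php
<?php
// Added example, not phpsec's code. Two interpretations of "brute force" for a
// list of failed-login timestamps, mirroring the issue's disagreement.
// Configuration names echo $bruteForceLockTimePeriod / $bruteForceLockAttempts.

final class BruteForcePolicy
{
    /** Observation window in seconds (mirrors $bruteForceLockTimePeriod). */
    public int $lockTimePeriod;
    /** Failed attempts tolerated inside one window (mirrors $bruteForceLockAttempts). */
    public int $lockAttempts;

    public function __construct(int $lockTimePeriod = 5, int $lockAttempts = 5)
    {
        $this->lockTimePeriod = $lockTimePeriod;
        $this->lockAttempts   = $lockAttempts;
    }

    /**
     * Reading proposed in the issue: any two consecutive failures closer
     * together than the lock period are brute force. With a 30 s period a
     * single impatient retry after a typo already trips this check.
     */
    public function isBruteForceByGap(array $failureTimes): bool
    {
        sort($failureTimes);
        for ($i = 1, $n = count($failureTimes); $i < $n; $i++) {
            if ($failureTimes[$i] - $failureTimes[$i - 1] < $this->lockTimePeriod) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reading defended in the reply: brute force only when the number of
     * failures inside one lock period exceeds the allowed count. Implemented
     * as a sliding window over the sorted timestamps.
     */
    public function isBruteForceByCount(array $failureTimes): bool
    {
        sort($failureTimes);               // also reindexes to 0..n-1
        $start = 0;
        foreach ($failureTimes as $end => $t) {
            // Slide the window start forward past failures older than the period.
            while ($t - $failureTimes[$start] >= $this->lockTimePeriod) {
                $start++;
            }
            if ($end - $start + 1 > $this->lockAttempts) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample data: Unix timestamps (seconds) of failed logins for one account.
$policy = new BruteForcePolicy(5, 3);

// A legitimate user who mistypes, retries 2 s later, then succeeds later on.
$typo = [1000, 1002, 1010];
// A rapid automated series: six failures within 4 s.
$burst = [2000, 2000, 2001, 2002, 2003, 2004];

printf("typo   byGap=%s byCount=%s\n",
    var_export($policy->isBruteForceByGap($typo), true),
    var_export($policy->isBruteForceByCount($typo), true));
printf("burst  byGap=%s byCount=%s\n",
    var_export($policy->isBruteForceByGap($burst), true),
    var_export($policy->isBruteForceByCount($burst), true));
```

The count-based check is the one a lockout policy normally wants: the lock period alone sets how long a legitimate user must wait between retries, while the attempt count decides when retries stop being tolerated at all. Whichever reading is chosen, the class comment quoted in the issue should describe the same rule the method enforces.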