Closed shivamdixit closed 11 years ago
Hello,
Simple definition of brute force: a brute force is when numerous failed login attempts are made within a time span that is not possible for a human.
Now please note that WE cannot define the capabilities of humans. Thus, it is wrong that you are defining two login attempts in "1 sec" or 5 attempts in "25 sec". This should be set by the developer. Now, you are essentially saying we should separate time_between_two_consecutive_request AND max_login_Attempts, but we cannot do that; they both need to be satisfied to qualify, in order to prevent false positives.
Now, I see that you added FIRST_LOGIN_ATTEMPT, but what is its use, and what do you consider the first attempt? Is the first attempt when the user created their account, or is the first attempt the one in the morning when I type my password to check my mail... or is the first attempt the one just after the time between two login attempts?
On Mon, Sep 2, 2013 at 10:30 AM, Shivam Dixit <notifications@github.com> wrote:
We are defining brute force as follows: if two consecutive login attempts are made in a very short span of time (say 1 second), or many requests are made within a specified time (for example, 5 requests within 25 seconds), then it will be a brute force.
To correctly define the isBruteForce function, we will require one more column, FIRST_LOGIN_ATTEMPT, in the table PASSWORD. First we will check the time between two consecutive requests; if it is less than bruteForceLockTimePeriod then this function will return true. If the time between two consecutive requests is more than 1 second (the value of bruteForceLockTimePeriod) but more than 5 attempts are made within bruteForceLockAttemptTotalTime, then it will be a brute force.
Pull request: https://github.com/OWASP/phpsec/pull/64
Commit summary:
- Added FIRST_LOGIN_ATTEMPT column in DB and modified isBruteForce function
- Corrected the value of bruteForceLockAttemptTotalTime
Files changed:
- M SQL/OWASP.sql
- M libs/auth/adv_password.php
Regards, Rahul Chaudhary
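The two-rule check the pull request describes, written out as an added example (not code from OWASP/phpsec): the threshold names follow the PR, while the per-window attempt counter, the window reset and the in-memory array standing in for the PASSWORD row are assumptions. The first replay exercises only the attempt-count rule, the second only the spacing rule.

```php
<?php
// Added example, not code from OWASP/phpsec: the two-rule isBruteForce check from
// the PR against an in-memory array standing in for the PASSWORD row. Option names
// follow the PR; the attempt counter and window reset are assumptions. PHP 8 syntax.

final class BruteForceDetector
{
    // Thresholds are constructor arguments so the developer, not the library, sets them.
    public function __construct(
        private int $lockTimePeriod = 1,     // bruteForceLockTimePeriod, seconds
        private int $attemptTotalTime = 25,  // bruteForceLockAttemptTotalTime, seconds
        private int $maxAttempts = 5         // attempts tolerated inside that window
    ) {}

    // $row holds FIRST_LOGIN_ATTEMPT, LAST_LOGIN_ATTEMPT (unix timestamps) and
    // LOGIN_ATTEMPTS; it is updated in place, as the real function would UPDATE the row.
    public function isBruteForce(array &$row, int $now): bool
    {
        // Rule 1: consecutive attempts closer together than lockTimePeriod.
        $tooFast = ($now - $row['LAST_LOGIN_ATTEMPT']) < $this->lockTimePeriod;
        // Start a fresh counting window once the previous one has expired.
        if (($now - $row['FIRST_LOGIN_ATTEMPT']) > $this->attemptTotalTime) {
            $row['FIRST_LOGIN_ATTEMPT'] = $now;
            $row['LOGIN_ATTEMPTS'] = 0;
        }
        $row['LOGIN_ATTEMPTS']++;
        $row['LAST_LOGIN_ATTEMPT'] = $now;
        // Rule 2: more than maxAttempts inside the attemptTotalTime window.
        $tooMany = $row['LOGIN_ATTEMPTS'] > $this->maxAttempts;

        return $tooFast || $tooMany;
    }
}

// Replays constructed attempt timestamps against a fresh row, one verdict per attempt.
function replay(array $timestamps): array
{
    $row = ['FIRST_LOGIN_ATTEMPT' => 0, 'LAST_LOGIN_ATTEMPT' => 0, 'LOGIN_ATTEMPTS' => 0];
    $detector = new BruteForceDetector();
    $verdicts = [];
    foreach ($timestamps as $t) {
        $verdicts[] = $detector->isBruteForce($row, $t);
    }
    return $verdicts;
}

// Six attempts spaced 3 s apart, exercising only the attempt-count rule.
var_dump(replay([100, 103, 106, 109, 112, 115]));
// Two attempts inside the same second, exercising only the spacing rule.
var_dump(replay([200, 200]));
```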