search

cypht-org / cypht

Cypht: Lightweight Open Source webmail aggregator [PHP, JS]
http://cypht.org
GNU Lesser General Public License v2.1
949 stars 147 forks source link

Create a brute force login protection module set #94

Open jasonmunro opened 8 years ago

jasonmunro commented 8 years ago

lots of great ideas on this here: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

marclaporte commented 2 months ago

@Danelif please advise.

Danelif commented 2 months ago

Alright

Danelif commented 2 months ago

I have read this article carefully https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and found it very relevant. But some techniques are not included in it. If we want to create brute-force login protection, consider including the (2-3) FA technique (2-3 Factor Authentication). The user might provide a unique OTP sent to his email address or mobile phone once the username/password is correct. Also, The limitation of attempting to log in can be considered from a single IP address. If the limit is reached we can suggest the user to recover it password by emailing an OTP to the email in our database.

marclaporte commented 2 months ago

@Danelif Thank you, please look at how it is done in Tiki to get some more good ideas.

Danelif commented 1 month ago

@marclaporte In tiki 2FA is done using Google2FA php library. Good idea indeed. Instead of using OTP, in Tiki, we use TOTP. But the only problem is that there is not much documentation and usage I wonder why?

marclaporte commented 1 month ago

Some docs:

TOTP uses time, so the code changes every 30 seconds.