Brute force attack

Hi there,
How can I protect the username & password fields against brute force attack in ASP page?

Thank you

 

Possibly the best way to prevent brute force attacks on your login screen is to do an account lockout after x failed attempts. You can block on IP or on account.

Also, its wise to sanitize your inputs to prevent SQL injection.
(read me) if you care.

 

With many thanks for your reply. Is there any script or tutorial in this regard?

 

Here's a good article describing brute force attacks in general and the pros and cons of locking out an account:

https://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php

It should give you ideas on alternative methods as well.

As far as implementation, I don't know of any samples or pre-existing code. You can search google for that. But I can give you a basic idea of what you can do (just an option).

1. Cleanse all your data before it is submitted. You can do this with functions in your ASP code. Make sure your usernames and passwords are X amount of characters and either numeric or non numeric.

2. When a visitor tries to login, grab their IP address and store that into a temporary Sessions table. On each login failure, store the IP address in that temp table. After x failed attempts, move that IP into a new table for locked accounts. If the login attempt is successful, then clear the records on the temp table.

3. Once an account is banned, you can simply disable access to the login portion of the site.

You can add code to clear out bans after a certain duration.

Hope this helps. Good luck.

 

The points you mentioned were effective and very useful for me.
Your help is highly appreciated.

 

blocking via IP address has advantages and disadvantages. for example, i wrote a script for our vendors to use to log in and check their order status/tender a new order etc., and there are several people in my building (corporate hq with over 600 employees) who access the internet via a single connection. i think it's a T3. anyway, the way they have it set up, to the outside world, we all look like we've got the same IP addresses. to make a long and most likely duller-by-the-word story short, anytime ONE person in the building got their account "locked out", everyone in the building got "locked out" as well, which as you can imagine, posed significant problems, as I myself found.... myself (austin powers flashback there) locked out as well unfortunately and had to go directly to the DB to reset the flag on the IP address and let myself back in.

So if you're going to do this, you MAY (or may not, consider your specific needs and client base) need to consider locking out a combination of username AND IP address. Also, seriously consider a 3-strikes you're out type thing, as well as a 15 minute (arbitrary amount, make it 10 or 30 or whatever) until the account is automagically "unlocked". that way you're not having to wake up at 3 am and let your boss in to the system (why do bosses always do their work at 3 am?) a 10-15 minute delay in the auto-re-enabling the account will protect you from brute force attacks. Brute force attacks = several thousand attempts a minute. Whereas 3 tries every 15 minutes will take a LONG DAMN TIME to crack the code, even for Dan Brown. ESPECIALLY if Ron Howard is directing it.

HTH

VG