Daevid Vincent wrote:

Similarly, I could adjust my brute force attack to sleep() a pre-determined
amount of time too ;-)

Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
and be done. A better way to stop attacks is to have a tally of failed
logins if you really are that worried someone is going to brute-force you.
Then after 3 fails, just don't let that IP connect or add other intelligent
handling. Maybe add them to a 'ban list' after x amount of failed tries. You
can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

You can still do this on top of the sleep() method. A one second wait is n't going to affect you when you log in to an application.

The problem with reacting after three failed logins is that it can then be easy to lock other people out of their account. You just have to figure out their username, which usually isn't that hard. Since IP addresses can be spoofed or shared among users of certain ISPs, relying on them isn't adequate, either.

I'm not saying using sleep is "the solution" to security problems, but it can be one layer of your defense.

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to