On Thu, May 6, 2010 at 2:08 PM, John Campbell <jcampbe...@gmail.com> wrote:
> Use bcrypt. It is tunable so can make it so each hash check takes .1
> seconds. This makes a dictionary attack a huge pain in the ass, but
> your login page will still be plenty responsive.
>

This is excellent advice. You can also make your login routine require a valid session cookie and sleep() for a second or two, though that ties up a server process. I believe the mod_security apache extension will also identify and prevent brute-force attacks without DOSing your clumsy, forgetful users.

_______________________________________________
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/Show-Participation
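The "tunable" part of the bcrypt advice above is the cost factor: each increment doubles the work of one hash, so the cost should be picked per server to land near the target time rather than hard-coded. The following is an added example, not code from the thread or from any of its participants; it uses PHP's built-in password_hash()/password_verify()/password_needs_rehash() API (added in PHP 5.5, after this thread was written) and assumes a target of 0.1 seconds per check, the figure quoted in the thread. The sample password and the "timing-probe-only" string are constructed values.

```php
<?php
// Added example (not from the thread): calibrate bcrypt's cost so that one
// hash check takes roughly the target time on this machine, then use that
// cost for hashing, verification and transparent rehashing at login.

declare(strict_types=1);

const TARGET_SECONDS = 0.1;   // the ".1 seconds" figure from the thread (assumption)

/** Measure how long one bcrypt hash takes at the given cost factor. */
function bcryptSeconds(int $cost): float
{
    $start = microtime(true);
    // Input is a constructed probe string; only the timing matters here.
    password_hash('timing-probe-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

/**
 * Return the highest cost (PHP allows 4..31) whose hash time stays at or
 * under the target. Starts at 10, PHP's default, and only ever goes up.
 */
function calibrateBcryptCost(float $targetSeconds = TARGET_SECONDS): int
{
    $cost = 10;
    while ($cost < 31 && bcryptSeconds($cost + 1) <= $targetSeconds) {
        $cost++;   // each +1 doubles the work of every hash and verify
    }
    return $cost;
}

/** Hash a password with the calibrated cost. bcrypt uses at most 72 bytes of input. */
function hashPassword(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verify a login attempt. On success, return the stored hash unchanged unless
 * the configured cost has since been raised, in which case return a fresh hash
 * so the caller can store it (cost upgrades happen transparently at login).
 * Returns null on a wrong password.
 */
function checkLogin(string $password, string $storedHash, int $currentCost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        return hashPassword($password, $currentCost);
    }
    return $storedHash;
}

// Usage: run once at deploy time to pick the cost, then reuse it in the login code.
$cost = calibrateBcryptCost();
printf("cost=%d, one check takes ~%.3fs\n", $cost, bcryptSeconds($cost));

$hash = hashPassword('correct horse battery staple', $cost);   // constructed sample password
var_dump(checkLogin('correct horse battery staple', $hash, $cost) === $hash); // bool(true)
var_dump(checkLogin('wrong password', $hash, $cost));                         // NULL
```

Calibrate on the production hardware, not a developer laptop, and re-run the calibration when the servers are upgraded; because the cost is stored inside each bcrypt hash, password_needs_rehash() lets old hashes migrate to the new cost the next time each user logs in, with no bulk reset.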