#15 Lock user after n failed attempts to log in.

open
nobody
None
5
2010-06-18
2010-06-18
Badda
No

Currently, passwords can be brute-forced by a remote attacker by trying to log in with guessed passwords until success.
This can easily be prevented by introducing a (configurable) limit to the failed login attempts. After that, the user cannot log in anymore and a phpshell admin must unlock the user (e.g. by editing a value in the config.php file).
This would be my idea of implementing:
- introduce a new value in the config.php [settings] section: max-login-attempts. Here the admin can specify the number of failed login attempts after which the user is locked.
- A number is recorded and kept for each user that states the current amount of failed logins
- if this number is equal to or larger than max-login-attempts, the user cannot log in at all
- this number is increased by one after each failed login attempt for this user
- this number is set to zero after a successful login
- after a successful or failed login, the number of failed login attempts will be shown to the user

This new feature would greatly increase the security of the script.
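One way to implement the counter the ticket describes, as an added example that is not part of phpshell's own code. It assumes `$settings` is the parsed `[settings]` section of config.php, that the new key is spelled `max-login-attempts`, and that the per-user counters are persisted in a JSON file the web server can write to (the ticket does not specify where the counts are stored).

```php
<?php
// Added example (not phpshell's own code). Assumptions: $settings is the
// parsed [settings] section of config.php as an associative array; failed-login
// counters are persisted in a JSON file whose path is passed to the constructor.

class LoginLimiter
{
    private int $max;
    private string $stateFile;
    private array $failed = [];

    public function __construct(array $settings, string $stateFile)
    {
        // 'max-login-attempts' is the proposed key; 0 (or missing) disables the limit.
        $this->max = (int)($settings['max-login-attempts'] ?? 0);
        $this->stateFile = $stateFile;
        if (is_file($stateFile)) {
            $this->failed = json_decode((string)file_get_contents($stateFile), true) ?: [];
        }
    }

    // True when the user has reached the limit and must be unlocked by an admin.
    public function isLocked(string $user): bool
    {
        return $this->max > 0 && ($this->failed[$user] ?? 0) >= $this->max;
    }

    // Record one login outcome; $ok is whether the supplied password was correct.
    // Returns whether the login is accepted plus the failed count to show the user.
    public function record(string $user, bool $ok): array
    {
        if ($this->isLocked($user)) {
            // A locked account stays locked even when the password is right.
            return ['accepted' => false, 'failed' => $this->failed[$user], 'locked' => true];
        }
        if ($ok) {
            $this->failed[$user] = 0;          // reset on success
        } else {
            $this->failed[$user] = ($this->failed[$user] ?? 0) + 1;  // count the failure
        }
        $this->save();
        return ['accepted' => $ok, 'failed' => $this->failed[$user], 'locked' => $this->isLocked($user)];
    }

    private function save(): void
    {
        file_put_contents($this->stateFile, json_encode($this->failed), LOCK_EX);
    }
}
```

The admin unlock the ticket mentions corresponds to deleting the user's entry from the state file; the `failed` value returned by `record()` is what the login page would display after each attempt.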
