Tuesday, November 5, 2024

Protecting Your Site from Brute Force

On a website with the ability for users to logon, it is a good idea to have some sort of password policy.

The most widely used contains minimum requirements for the length of the password and that the individual characters must be a mixture of numbers, letters and special characters. This is pretty much standard and they make it much more difficult to break into your system.

Eventually, these passwords will be broken and for a brute force robot it’s only a matter of time. That’s why it is a good idea to protect against brute force attacks by limiting the number of retries you can take to login if you forget the right password.

I’ve written a few methods that limits the number of retries to 5. When the fifth bad attempt to logon is reached, you are unable to login to the user account for five minutes. No other users are affected, only the one that is being brute forced.

The Code

private int NumberOfLogonAttemps()
{
   if (Cache[txtUserName.Text] == null)
    return 0;
   return (int)Cache[txtUserName.Text];
}
private void ClearLogonCounter()
{
   if (Cache[txtUserName.Text] != null)
   {
    Cache.Remove(txtUserName.Text);
   }
}
private void CountLogonAttempt()
{
   if (Cache[txtUserName.Text] == null)
   {
    Cache.Insert(txtUserName.Text, 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
   }
   else
   {
    int tries = (int)Cache[txtUserName.Text];
    Cache[txtUserName.Text] = tries + 1;
   }
}

Example of use

To use these three methods you have to call them from the logon buttons click event handler.

protected void BtnLoginClick(object sender, EventArgs e)
{
   CountLogonAttempt();
   if (NumberOfLogonAttemps() >= 5)
   {
    Status.InnerHtml = "User has been locked for 5 minutes";
   }
   else
   {
    ClearLogonCounter();
    LogOn();
   }
}

This is very simple to implement and should it be an issue to logon for the users, you can raise the threshold to 10 retries.

Comments

Tag:

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark murdok:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.

Home

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles