Disable Account due to Login 3 times failed


Problem description

Recently I read an article about preventing brute-force attacks. It said that automatically disabling user accounts is a poor security mechanism for fighting a dictionary attack. In the first place, if an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. In the second place, this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like "password". A hacker using a dictionary attack could try "password" for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system would only register one incorrect login per account.

Can anyone give me some suggestions to make disabling accounts more secure?

Recommended answer

Some thoughts:

  1. You can keep a history of the IP address(es) that have historically been used to log in to a given account. The lockout mechanism can be helpful, but be a little more lenient on those recognized addresses to avoid making a user's bad day worse.

For the other situation, with one IP trying the same password on many accounts, keep track of whether the same IP address has had a number of invalid attempts on different accounts, and lock out that IP for an hour or so.

In the case of a botnet using many IPs to try the same password on many accounts, keep track of whether there has been a barrage of IP addresses attempting the same password. If so, temporarily make it so that the password must be entered twice in a row even if it's correct. (Normal users will just think they mistyped their password.)

As mentioned, if an attack is detected, temporarily require a captcha or some other security question (in addition to pretending a valid password was incorrect on the first try). While captcha-reading tools are possible, I don't think they're prevalent just yet, and OCR requires a lot of CPU time.
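The answer's four ideas fit together as one throttling policy evaluated before the password is even checked: a per-account failure window that is more lenient for addresses with a past successful login, a per-IP count of distinct accounts failed against, and a detector for the same guess arriving from many addresses, which triggers a step-up (captcha or a second entry of the password) rather than a lockout. The following is an added example written for this page, not code from the original answer. All thresholds, the `SPRAY_SECRET` key, the account names and the RFC 5737 documentation IP addresses are constructed assumptions; a real deployment would keep this state in a shared store (for example Redis) rather than in process memory.

```python
# Added example (not from the original post): a login throttle combining the
# answer's ideas. All limits below are illustrative assumptions, not policy.
import hmac
import hashlib
from collections import defaultdict, deque

WINDOW = 30 * 60            # seconds; account failures older than this are forgotten
ACCOUNT_LIMIT = 3           # failures per account tolerated from an unrecognised IP
ACCOUNT_LIMIT_KNOWN_IP = 9  # more lenient for IPs that have logged in successfully before
IP_WINDOW = 60 * 60         # "lock out that IP for an hour or so"
IP_LIMIT = 5                # distinct accounts one IP may fail against within IP_WINDOW
SPRAY_IP_LIMIT = 20         # distinct IPs trying the same guess -> require a step-up
SPRAY_SECRET = b"constructed-key-rotate-in-production"  # assumption: server-side secret


class LoginThrottle:
    def __init__(self):
        self.account_fail = defaultdict(deque)  # account -> deque[(ts, ip)]
        self.ip_fail = defaultdict(deque)       # ip -> deque[(ts, account)]
        self.spray = defaultdict(deque)         # guess fingerprint -> deque[(ts, ip)]
        self.known_ips = defaultdict(set)       # account -> IPs with a past success

    @staticmethod
    def _prune(dq, now, window):
        """Drop entries that have aged out of the sliding window."""
        while dq and dq[0][0] <= now - window:
            dq.popleft()

    @staticmethod
    def _fingerprint(password):
        # Never store attempted passwords themselves (failed guesses are often
        # near-misses of real ones); a keyed hash is enough to notice the same
        # guess arriving from many addresses.
        return hmac.new(SPRAY_SECRET, password.encode(), hashlib.sha256).hexdigest()

    def decision(self, account, ip, password, now):
        """Return 'block', 'step_up' or 'allow' for an attempt arriving at `now`."""
        acct = self.account_fail[account]
        self._prune(acct, now, WINDOW)
        limit = ACCOUNT_LIMIT_KNOWN_IP if ip in self.known_ips[account] else ACCOUNT_LIMIT
        if len(acct) >= limit:
            return "block"          # account locked for this address

        ipq = self.ip_fail[ip]
        self._prune(ipq, now, IP_WINDOW)
        if len({a for _, a in ipq}) >= IP_LIMIT:
            return "block"          # one address walking through many accounts

        guesses = self.spray[self._fingerprint(password)]
        self._prune(guesses, now, WINDOW)
        if len({i for _, i in guesses}) >= SPRAY_IP_LIMIT:
            return "step_up"        # many addresses, one guess: captcha or "enter it again"
        return "allow"

    def record_failure(self, account, ip, password, now):
        self.account_fail[account].append((now, ip))
        self.ip_fail[ip].append((now, account))
        self.spray[self._fingerprint(password)].append((now, ip))

    def record_success(self, account, ip):
        self.known_ips[account].add(ip)     # remember the address for future leniency
        self.account_fail[account].clear()


def demo():
    """Walk through the three situations the answer describes (constructed data)."""
    t = LoginThrottle()
    out = {}
    # 1. Three wrong guesses from an unknown address lock alice for that address...
    for i in range(3):
        t.record_failure("alice", "203.0.113.9", f"guess{i}", now=1000 + i)
    out["stranger_after_3"] = t.decision("alice", "203.0.113.9", "x", now=1004)
    # ...but the address alice normally logs in from is still served.
    t.known_ips["alice"].add("198.51.100.7")
    out["known_ip_after_3"] = t.decision("alice", "198.51.100.7", "x", now=1004)
    # 2. One address trying "password" on five accounts: each account saw a single
    #    failure, yet the address itself is now blocked for every account.
    for n in range(5):
        t.record_failure(f"user{n}", "203.0.113.50", "password", now=2000 + n)
    out["spraying_ip"] = t.decision("user99", "203.0.113.50", "x", now=2010)
    # 3. Twenty addresses, twenty accounts, one guess: no single counter trips,
    #    so the same guess from yet another address gets a step-up, not a lockout.
    for n in range(20):
        t.record_failure(f"emp{n}", f"192.0.2.{n}", "Winter2024!", now=3000 + n)
    out["botnet"] = t.decision("emp99", "192.0.2.200", "Winter2024!", now=3030)
    return out


if __name__ == "__main__":
    print(demo())
```

Returning a decision instead of raising lets the login handler keep its response identical for "block" and a genuinely wrong password, which is what stops the lockout itself from leaking which usernames exist. The spray detector is the piece most worth tuning: set `SPRAY_IP_LIMIT` too low and a popular weak password typed by real users will push everyone into the step-up path.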
