防止暴力登录尝试 [英] Preventing brute-force login attempts
问题描述
我想防止黑客入侵我的用户帐户。人们常说:
I want to prevent hackers to break into my users' accounts. It is often said that:
最好的方法是在
x登录尝试失败。
我理解这一点,这似乎是个好主意。例如,使用IP是一个非常糟糕的主意-亚洲至少有一个国家进行了NAT转换,因此IP不能用于任何用途。
I understand this and it seems like a good idea. Using IP for example is a very bad idea - there is at least one whole country NAT'ed in Asia, so IP's cannot be used for anything.
不幸的是,锁定的真正问题。它显示该帐户是否存在的信息。我们不想这样做,这就是为什么我们总是写电子邮件和密码不匹配之类的原因。
Unfortunately there comes a real issue with lockout. It reveals the info whether the account exists or not. We don't want to do this, that is why we always write "email and password do not match" or something like this.
我无法锁定非-现有帐户-否则,我将不得不存储有关登录尝试失败的不存在帐户的信息。然后,僵尸网络可能会导致我的数据库中存在数十亿条记录-不存在的帐户。
I can't lockout non-existing accounts - otherwise I would have to store info about non-existing accounts with failed login attempts. A botnet then could lead to billions of records in my database - of nonexisting accounts.
有什么可能解决此问题?为了防止暴力攻击并同时不透露帐户是否存在的信息?
What are the possibilities to handle this issue? To prevent brute force attacks and at the same time do not reveal the information whether an account does exist or not?
推荐答案
我的团队只是解决了这个完全相同的问题,并且考虑到我们的解决方案最终多么简单,到达那条路还很漫长。
My team just tackled this exact same problem and, given how ultimately simple our solution was, it was a long road to get there.
有很多因素需要采取考虑到这里,您已经涵盖了大部分。对我们来说幸运的是,所有DDoS / DoS东西都是由我们的IaaS提供商处理的,因此我们不必为此担心。我的第一个建议是,如果您不使用这样的服务,我建议您这样做,正确地实现这些功能并非易事。
There are so many factors that need to be taken into consideration here, most of which you have already covered. Luckily for us, all the DDoS/DoS stuff is handled by our IaaS provider so we didn't have to worry about any of that. My first recommendation would be if you aren't using such a service I recommend that you do, implementing this stuff correctly is not trivial.
所有基础结构都在处理中我们,这使我们能够专注于应用程序本身。我们的第一个直觉是研究锁定方法,但是,在进行了一些讨论之后,甚至只是简单介绍了它的工作方式,实现方式等。我们发现其中存在很多潜在的陷阱(您提到的IP就是其中之一),决定放弃它。
With all the infrastructure being handled for us, this allowed us to focus on the application itself. Our first instinct was to look at a lockout approach, however, after some discussions and even just a simple walk through of how it would work, implementation etc. we found so many potential pitfalls in it (the IP one you mentioned being one) we decided to abandon it.
然后我们问了一个问题: 我们到底打算在这里做什么?,最终我们想防止暴力攻击机器人和黑客,但同时也为真正的用户提供了良好的用户体验……。 rel = nofollow>验证码。
We then asked the question "what exactly is it we are trying to do here?", ultimately we want to prevent brute force attacks by both bots & hackers but at the same time maintain a good UX for genuine users....when the penny dropped we actually couldn't believe how simple it was - use a Captcha.
实现非常简单,在X次尝试失败后,我们将验证码添加到表单中并强制用户进行验证这以及他们的凭据。我们认为这为我们提供了安全性与安全性之间的最佳平衡。可用性的原因在于:
The implementation is pretty simple, after X failed attempts we add a Captcha to the form and force the user to verify this along with their credentials. We felt this gave us the best balance between security & usability because:
- 我们不会通过锁定真实用户并让他们等待更长的时间来访问他们而进一步挫败真实用户 >
- 我们很可能会阻止多数自动化/机器人暴力尝试,例如
- 我们通过限制登录请求来进一步减少DoS的机会
- 我们将恶意用户的速度减慢到他们认为 真的值得吗?
- We don't further frustrate genuine users by locking them out and making them wait even longer to access our service
- We will most likely prevent the majority automated/bot brute-force attempts e.g. dictionary attacks.
- We further reduce the chances of DoS by throttling login requests
- We slow down malicious users to the point where they think "is it really worth the time?"
这篇关于防止暴力登录尝试的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
