The "Good Practices" would be:
- Use usernames that are not predictable or guessable.
- Enforce a strong password policy.
- Disable the user account after n consecutive failed login attempts.
- Alternatively, lock the account out for a specified amount of time, e.g. 30 minutes, rather than disabling it outright.
- Display a generic error message to the user on a failed login attempt, e.g. "Authentication Failed - Invalid Username / Invalid Password / Account Locked", so the response does not reveal which of the three conditions applied.
- No automatic account lockouts for admin accounts, since an attacker could otherwise lock administrators out at will by deliberately failing logins; raise an alert on repeated failures instead.
- Implement CAPTCHAs to stop bots and automated username/password guessing.
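The practices above, as an added Python example that is not code from the original post: a minimal in-memory login service with a per-account counter of consecutive failures, a 30-minute timed lockout, a single generic failure message for every cause (unknown user, wrong password, locked account), and an alert instead of a lockout for admin accounts. The account names, passwords, the threshold of five attempts and the injectable clock are assumptions made for the demo; a real deployment would store salted password hashes and persist the counters.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed n: lock after this many consecutive failures
LOCKOUT_SECONDS = 30 * 60   # 30 minutes, as suggested in the list above
# One message for every failure cause, so the response does not reveal
# whether the username exists, the password was wrong, or the account is locked.
GENERIC_ERROR = "Authentication Failed - Invalid Username / Invalid Password / Account Locked"


@dataclass
class Account:
    username: str
    password: str           # plaintext for the demo only; store a salted hash in practice
    is_admin: bool = False
    failures: int = 0       # consecutive failures since the last success
    locked_until: float = 0.0


class LoginService:
    def __init__(self, accounts, clock=time.time):
        self._accounts = {a.username: a for a in accounts}
        self._clock = clock         # injectable so the demo can advance time
        self.alerts = []            # admin accounts are never locked, only flagged

    def login(self, username, password):
        """Return (success, message); the message is identical for every failure."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            return False, GENERIC_ERROR
        if acct.locked_until > now:
            return False, GENERIC_ERROR   # still locked: do not even check the password
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures = 0
            acct.locked_until = 0.0
            return True, "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            if acct.is_admin:
                # No automatic lockout for admins (an attacker could otherwise lock
                # them out at will); raise an alert so a human looks at it instead.
                self.alerts.append((username, now))
            else:
                acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False, GENERIC_ERROR

    def is_locked(self, username):
        acct = self._accounts.get(username)
        return acct is not None and acct.locked_until > self._clock()


def demo():
    """Drive the service with a fake clock; returns the observed outcomes."""
    t = [1_000_000.0]    # fake clock, constructed for the demo
    svc = LoginService(
        [Account("u7x3q", "correct horse", False),      # non-guessable username
         Account("adm-41", "battery staple", True)],
        clock=lambda: t[0],
    )
    out = {}
    out["unknown_user"] = svc.login("nobody", "x")[1]
    for _ in range(MAX_FAILURES):
        svc.login("u7x3q", "wrong")
    out["locked_after_n"] = svc.is_locked("u7x3q")
    out["right_pw_while_locked"] = svc.login("u7x3q", "correct horse")[0]
    t[0] += LOCKOUT_SECONDS + 1                          # lockout expires
    out["right_pw_after_lockout"] = svc.login("u7x3q", "correct horse")[0]
    for _ in range(MAX_FAILURES):
        svc.login("adm-41", "wrong")
    out["admin_locked"] = svc.is_locked("adm-41")
    out["admin_alerts"] = len(svc.alerts)
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the lockout is keyed on the account, not on the client IP, and that a correct password submitted during the lockout window is still rejected with the same generic message, so the attacker learns nothing from the response about whether the guess was right.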
Hi,
Do you recommend using CAPTCHAs in most places to prevent lockouts?

Can you blacklist the IP addresses from which the attacks originate?

Hello Dharmesh,
CAPTCHAs also come in different forms. We need to take care of physically challenged people too.

@anonymous:
Yes, CAPTCHAs are suitable in some scenarios to prevent successive permutation of user IDs or passwords by automated tools or scripts.

@britt:
It may be a scenario where the user is accessing through a common corporate gateway; in that case the gateway IP is logged, and if this is blacklisted, all other genuine users behind that gateway will also be blocked. Also, a point to note is that IP addresses can easily be spoofed, so an attacker might still attempt brute force by spoofing IP addresses.

@tejinder:
Yes, CAPTCHAs come in many forms. A very nice article can be found at
http://msdn2.microsoft.com/en-us/library/ms972952.aspx

I feel that two-factor authentication is the best mechanism.

@Raju,
I agree. I just missed that. Two-factor authentication is probably the best mechanism to avoid this kind of issue. Thanks for adding this.

Additionally, the CAPTCHA should be refreshed when the submitted username/password is incorrect, and T-FA should be used, like asking for a security answer if the first login attempt fails.

anilit.blogspot.com