Question
I have created a login module on my website. I was able to deal with simple brute force attacks since I can identify the user based on username/email and throttle their login based on failed login attempts per user account.
But when it comes to user-enumerated brute-force attacks (a.k.a. reverse brute-force attacks), identifying the user becomes pretty hard. Throttling the login based on failed attempts per IP address might not work well and would annoy users connected to the Internet through a local network, since they all share the same external IP address and might be throttled because of failed attempts made by someone else on the network.
Is there a way to uniquely identify such users?
Explanation / Answer
There isn't a non-spoofable method to my knowledge. If you already throttle the maximum number of attempts to eight tries per minute with a one-minute time-out, that is generally not considered annoying as long as you give enough information to the user.
Make sure to actively review the occurrences where a brute force is suspected from an IP address, as it might be interesting to investigate who's trying to brute-force you.
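One way to implement the eight-tries-per-minute throttle with a one-minute time-out described in the answer, keyed on the source IP as well as on the account, while keeping a log of lock events for the later review it recommends. This is an added example, not code from the question or the answer; the class and method names are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 8      # failures allowed per key per window (the answer's eight per minute)
WINDOW_SECONDS = 60   # sliding-window length
LOCKOUT_SECONDS = 60  # the answer's one-minute time-out

class LoginThrottle:
    """Throttle failed logins per account and per source IP.

    Each key ("acct", user) or ("ip", addr) keeps a sliding window of failure
    timestamps; MAX_ATTEMPTS failures inside WINDOW_SECONDS lock that key for
    LOCKOUT_SECONDS.  The account key catches one account hit from many
    addresses; the IP key catches one address cycling through many accounts.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for tests
        self.failures = defaultdict(deque)  # key -> failure timestamps
        self.locked_until = {}              # key -> unlock time
        self.review_log = []                # lock events for analyst follow-up

    def _window(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                     # drop failures older than the window
        return q

    def allowed(self, ip, username):
        """True if neither the source IP nor the account is currently locked."""
        now = self.clock()
        return all(now >= self.locked_until.get(k, 0.0)
                   for k in (("ip", ip), ("acct", username)))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in (("ip", ip), ("acct", username)):
            q = self._window(key, now)
            q.append(now)
            if len(q) >= MAX_ATTEMPTS:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()
                # Keep a record of who tripped the limit so the source can be
                # investigated later, as the answer recommends.
                self.review_log.append({"time": now, "key": key,
                                        "ip": ip, "user": username})

    def record_success(self, username):
        """A successful login clears the account's window, not the IP's."""
        self.failures.pop(("acct", username), None)
```

Call `allowed()` before checking the password and `record_failure()` after a bad one; users on a shared address are only affected once that address itself has produced eight failures inside the window.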