1

I want to prevent hackers to break into my users' accounts. It is often said that:

The best approach it to lockout an account temporarily after x failed login attempts.

I understand this and it seems like a good idea. Using IP for example is a very bad idea - there is at least one whole country NAT'ed in Asia, so IP's cannot be used for anything.

Unfortunately there comes a real issue with lockout. It reveals the info whether the account exists or not. We don't want to do this, that is why we always write "email and password do not match" or something like this.

I can't lockout non-existing accounts - otherwise I would have to store info about non-existing accounts with failed login attempts. A botnet then could lead to billions of records in my database - of nonexisting accounts.

What are the possibilities to handle this issue? To prevent brute force attacks and at the same time do not reveal the information whether an account does exist or not?

ebvtrnog
  • 4,167
  • 4
  • 31
  • 59
  • 1
    let them in! Present a fake "welcome, you've logged in page" when there have been sufficient attempts. Then they won't know if it's worked or not! Then discard all activity in that session. – Paul Collingwood Jun 11 '15 at 13:42
  • 1
    In every failure case you should return the same information (e.g. "email and password do not match"). Do not return any info if the account is locked. If you needed to lock an account you can send an email to that email attached to that account. Then the real user would get the info, but an attacker would not. – Werner Henze Jun 11 '15 at 14:19
  • 1
    @PaulCollingwood - Whilst it's a *witty* method, I do see it possibly causing end-user issues – Juxhin Jun 11 '15 at 14:23
  • 1
    apparently it's fairly widely used for some situations - I just can't remember the "proper" name of the technique right now. You'd ofc have to be sure as you say! – Paul Collingwood Jun 11 '15 at 15:13
  • @juxhin That's the point. You cannot have it both ways. If users cannot get there password correct they get locked out UX and security do not mix. A great user experience is no login page. – TheArchitecta May 26 '20 at 14:58

2 Answers2

3

My team just tackled this exact same problem and, given how ultimately simple our solution was, it was a long road to get there.

There are so many factors that need to be taken into consideration here, most of which you have already covered. Luckily for us, all the DDoS/DoS stuff is handled by our IaaS provider so we didn't have to worry about any of that. My first recommendation would be if you aren't using such a service I recommend that you do, implementing this stuff correctly is not trivial.

With all the infrastructure being handled for us, this allowed us to focus on the application itself. Our first instinct was to look at a lockout approach, however, after some discussions and even just a simple walk through of how it would work, implementation etc. we found so many potential pitfalls in it (the IP one you mentioned being one) we decided to abandon it.

We then asked the question "what exactly is it we are trying to do here?", ultimately we want to prevent brute force attacks by both bots & hackers but at the same time maintain a good UX for genuine users....when the penny dropped we actually couldn't believe how simple it was - use a Captcha.

The implementation is pretty simple, after X failed attempts we add a Captcha to the form and force the user to verify this along with their credentials. We felt this gave us the best balance between security & usability because:

  • We don't further frustrate genuine users by locking them out and making them wait even longer to access our service
  • We will most likely prevent the majority automated/bot brute-force attempts e.g. dictionary attacks.
  • We further reduce the chances of DoS by throttling login requests
  • We slow down malicious users to the point where they think "is it really worth the time?"
James
  • 80,725
  • 18
  • 167
  • 237
  • My I ask what IaaS solution your company opted for? - Other than that, I do agree with the Captcha implementation (however may be bypassed by hardcore hackers) – Juxhin Jun 11 '15 at 14:19
  • @Juxhin we use Microsoft Azure. A Captcha by all means is not a full proof solution but given our risk analysis it was the best all-round approach. With regards to "hardcore hackers", if they were to bypass the Captcha based on rate limiting they would eventually get blocked by the Azure Load Balancer. – James Jun 11 '15 at 15:00
  • @James Thank you for your answer. I indeed thought of Captcha as well, but it comes with a pitfall too - how to detect X failed attempts to login on a non-existing account? – ebvtrnog Jun 11 '15 at 15:34
  • @Randolph well there are a number of ways, the simplest way is to store a cookie client-side to record the number of failed login attempts for that particular client, this circumvents the "my entire office has the same IP" problem. The other alternative if you wanted to have it server-side would be to just track failed login attempts against that specific username. – James Jun 11 '15 at 15:40
  • But each of them has pitfalls as well - scenario one: a hacker could clear the session cookie client-side, scenario two: to track failed login attempts against a specific username, I need to store them all. A hacker performing a botnet attack could fill up my database with billions of non-existing usernames I need to go through each time. – ebvtrnog Jun 11 '15 at 15:45
  • @Randolph yep both of these scenarios are a possibility, however, again I re-iterate it's about striking the balance between security & usability. You would be expiring records after X minutes anyway so chances of it getting to thousands let alone billions isn't likely, however, you could partition/index it in such a way lookups are quick, even with billions of records. Ultimately, it's your system so you must decide on what's more important, in our case it made much more sense to be a bit more lax (not insecure) and cater for the realistic cases rather than the minority. – James Jun 11 '15 at 15:56
  • @James - I apologize for deviating from your original answer however it's something that I find very important in big companies. Have you tried any other solutions, maybe a DaaS? If so, have you noticed great difference in effectiveness between IaaS VS DaaS? (Granted it's Apples VS Oranges) – Juxhin Jun 11 '15 at 18:08
  • @Juxhin I'm not really sure what you are asking here because, as you say, they are completely different with regards to what problems they solve. If you have a more specific question then I could perhaps try give you a more appropriate answer. – James Jun 11 '15 at 18:20
  • CAPTCHAs are a dying technology. One not well publicised alternative to CAPTCHAs and timed lockouts is [here](https://www.covata.com/blog/defending-password-attacks-without-captchas/), assuming you have access to the user's email address, but it can be enhanced in a number of ways. For example, consider a hybrid between that link and [this](http://people.scs.carleton.ca/~paulv/papers/att-revisited-13feb2011.pdf). – TheGreatContini Jun 11 '15 at 22:24
  • @TheGreatContini none of those links work, however, I presume the point you are trying to make is Captchas are becoming redundant? Yeah, from a UX PoV there are better alternatives (Googles recaptcha being one). However, given the context & usage of them here making it easier is counter productive....we want to make it difficult for users because if someone gets to the point where they are hitting the Captcha they've either forgotten their password or their trying to hack an account - either way, we want to throttle the login attempts. – James Jun 11 '15 at 22:39
  • That's odd: the links work for me. The point I am trying to make is that computers are doing better than humans at CAPTCHAs, so their future is limited (both from security and usability viewpoints). This is a bit forward looking, but anyway, if you want a better balance of security versus usability, see: "Revisiting Defenses Against Large-Scale Online Password Guessing Attacks" by Paul van Oorschot et al. Alternatively (simpler), look at "Steam Guard". – TheGreatContini Jun 12 '15 at 02:18
  • @TheGreatContini I was using the SE app last night and those links didn't appear to render correctly, I got a look at them this morning though, thanks. It's a fair point to make, however, I'm not convinced that Captcha's are quite on their way out just yet. Even with reCaptcha Google still use a standard Captcha as a fallback. The email approach is certainly an option, and one we did consider, but ultimately we had to go with one and Captcha seemed to be the most tried & tested with the least amount of work. We may revisit this in the future should it turn out ineffective, only time will tell. – James Jun 12 '15 at 09:06
  • To be honest, I don't expect CAPTCHAs to disappear overnight, but gosh is the world going to be a better place once we have a friendlier replacement that does not sacrifice security :-) – TheGreatContini Jun 12 '15 at 12:02
1

Two points:

Locking the account does not signal anything; it only means that even the correct authenticator can't login. You don't reply "OK, that was the right password but your account is locked," you continue to reply "Incorrect name/password combination" as before. The real user, with the real authenticator, will either wait ten minutes for the reset or call the help desk for a manual reset. The brute force attacker will continue to try other passwords.

Assuming a remote attack, after three (or five, or whatever you deem appropriate) unsuccessful name/password combinations, drop the connection. That's whether the account exists or not, the password correct (and account locked) or incorrect. Again, no useful information to the attacker, minor inconvenience (reconnect) to the forgetful or typo-prone authorized user.

mpez0
  • 2,815
  • 17
  • 12
  • I think I should just keep track on the login attempts of a correct username with wrong password. Otherwise I cannot save the failed login attempts for a user. Is that true? – Jack Aug 11 '21 at 20:46
  • 1
    @Rosa yes, if the username is wrong you cannot be sure which correct account, if any, should be assigned as relevant. – mpez0 Aug 12 '21 at 16:56