
Protecting Your Site from Brute Force


On a website where users can log on, it is a good idea to have some sort of password policy.

The most widely used policy sets a minimum length for the password and requires the individual characters to be a mixture of numbers, letters and special characters. This is pretty much standard and makes it much more difficult to break into your system.

Even so, these passwords will eventually be broken; for a brute force robot it's only a matter of time. That's why it is a good idea to protect against brute force attacks by limiting the number of retries allowed when logging in with a wrong password.

I’ve written a few methods that limit the number of retries to 5. When the fifth bad attempt to log on is reached, you are unable to log in to the user account for five minutes. No other users are affected, only the one that is being brute forced.

The Code

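// Requires: using System; using System.Web.Caching;

// Number of logon attempts recorded for the user name typed into the form.
private int NumberOfLogonAttemps()
{
   if (Cache[txtUserName.Text] == null)
    return 0;
   return (int)Cache[txtUserName.Text];
}
// Forget the recorded attempts for this user name.
private void ClearLogonCounter()
{
   if (Cache[txtUserName.Text] != null)
   {
    Cache.Remove(txtUserName.Text);
   }
}
// Record one more attempt. The entry expires after 5 minutes without access.
private void CountLogonAttempt()
{
   int tries = NumberOfLogonAttemps();
   // Always go through Insert: assigning with Cache[key] = value stores the
   // item with no expiration, so the counter would never time out.
   Cache.Insert(txtUserName.Text, tries + 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
}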

Example of use

To use these three methods, call them from the logon button's click event handler.

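protected void BtnLoginClick(object sender, EventArgs e)
{
   CountLogonAttempt();
   if (NumberOfLogonAttemps() >= 5)
   {
    Status.InnerHtml = "User has been locked for 5 minutes";
   }
   else if (LogOn())
   {
    // Reset the counter only after a successful logon; clearing it before
    // every attempt would keep the count from ever reaching the limit.
    // Assumes LogOn() returns true when the credentials are valid.
    ClearLogonCounter();
   }
}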

This is very simple to implement, and should logging on become an issue for your users, you can raise the threshold to 10 retries.
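The same per-user counter as a stand-alone class, added here as an example and not taken from the author's code. It makes the check-and-update atomic under concurrent requests, treats "Admin" and "admin " as one account, and resets only on a successful logon. The names LogonThrottle, IsLocked, RecordFailure, RecordSuccess and the injected clock are hypothetical.

```csharp
using System;
using System.Collections.Generic;

public sealed class LogonThrottle
{
    private sealed class Entry { public int Failures; public DateTime LastFailureUtc; }
    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);   // "Admin" == "admin"
    private readonly object _gate = new object();   // makes check-then-update atomic
    private readonly int _max;
    private readonly TimeSpan _lockout;
    private readonly Func<DateTime> _utcNow;        // injectable clock (assumption, eases testing)

    public LogonThrottle(int max, TimeSpan lockout, Func<DateTime> utcNow)
    { _max = max; _lockout = lockout; _utcNow = utcNow; }

    public bool IsLocked(string user)
    { lock (_gate) { Entry e = Live(user); return e != null && e.Failures >= _max; } }

    public void RecordSuccess(string user) { lock (_gate) { _entries.Remove(user.Trim()); } }

    public void RecordFailure(string user)
    {
        lock (_gate)
        {
            Entry e = Live(user) ?? (_entries[user.Trim()] = new Entry());
            e.Failures++;
            e.LastFailureUtc = _utcNow();   // window runs from the most recent failure
        }
    }

    // Returns the entry while inside the window, otherwise drops it. Caller holds _gate.
    private Entry Live(string user)
    {
        if (_entries.TryGetValue(user.Trim(), out Entry e) && _utcNow() - e.LastFailureUtc < _lockout) return e;
        _entries.Remove(user.Trim());
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        var throttle = new LogonThrottle(5, TimeSpan.FromMinutes(5), () => now);
        for (int i = 0; i < 5; i++) throttle.RecordFailure("alice");   // five bad passwords
        Console.WriteLine(throttle.IsLocked("ALICE "));   // same account despite case and padding
        now = now.AddMinutes(5);
        Console.WriteLine(throttle.IsLocked("alice"));    // checked again after the window
    }
}
```

In a click handler, check IsLocked before validating the password and skip RecordFailure while the account is locked, so the lock ends five minutes after the fifth failure.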


Mads Kristensen currently works as a Senior Developer at Traceworks located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/
