PHP prevents brute force password cracking

A brute-force attack is an attack that does not use any special means to exhaust various possibilities. It is more officially called a brute-force attack-a variety of possible attacks.

For access control, a typical violent attack is that attackers attempt to log on to the system through a large number of attempts. In most cases, the user name is known, but you only need to guess the password.

Although there is no skill in brute-force attacks, Dictionary attacks seem to be skillful. The biggest difference is intelligence in making guesses. Dictionary attacks only list the most likely cases, but do not list all possible situations as they are violent attacks.

Preventing verification attempts or limiting the number of allowed errors is an effective security measure, however, the dilemma lies in how to identify and block attackers without affecting the use of Valid users.

In this case, the determination of consistency can help you distinguish the two. This method is similar to the previous practice of preventing session hijacking, but the difference is that you need to determine whether an attacker is not a legal user.

Consider the following HTML form:

<Form action = "http: // www.2cto.com/login. php" method = "POST">
<P> Username: <input type = "text" name = "username"/> </p>
<P> Password: <input type = "password" name = "password"/> </p>
<P> <input type = "submit"/> </p>
</Form>
Attackers can view this form and create a script to POST valid data to http://example.org/login.php:

<? Php

$ Username = 'victim ';
$ Password = 'Guess ';

$ Content = "username = $ username & password = $ password ";
$ Content_length = strlen ($ content );

$ Http_request = '';
$ Http_response = '';

$ Http_request. = "POST/login. php HTTP/1.1 \ r \ n ";
$ Http_request. = "Host: example.org \ r \ n ";
$ Http_request. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
$ Http_request. = "Content-Length: $ content_length \ r \ n ";
$ Http_request. = "Connection: close \ r \ n ";
$ Http_request. = "\ r \ n ";
$ Http_request. = $ content;

If ($ handle = fsockopen ('example. org ', 80 ))
{
Fputs ($ handle, $ http_request );

While (! Feof ($ handle ))
{
$ Http_response. = fgets ($ handle, 1024 );
}

Fclose ($ handle );

/* Check Response */
}
Else
{
/* Error */
}
 
?>
With this script, attackers can simply add a loop to try different passwords and check the $ http_response variable after each attempt. Once the $ http_response variable changes, you can guess the correct password.

You can use many security measures to prevent such attacks. We have noticed that in a brute-force attack, each HTTP request has different passwords and the other parts are identical, which is very valuable.

Although temporary account freezing after a certain number of failed attempts is an effective precaution, you may consider using a more definite method to freeze accounts, in this way, attackers can minimize the impact on the normal use of your applications by legal users.

Some other procedures can also increase the difficulty of brute-force attacks, making it unlikely to succeed. A simple containment mechanism can effectively achieve this:

<? Php

/* Mysql_connect ()*/
/* Mysql_select_db ()*/

$ Clean = array ();
$ Mysql = array ();

$ Now = time ();
$ Max = $ now-15;

$ Salt = 'shiflett ';

If (ctype_alnum ($ _ POST ['username'])
{
$ Clean ['username'] =_ _ POST ['username'];
}
Else
{
/*...*/
}
$ Clean ['Password'] = md5 ($ salt. md5 ($ _ POST ['Password']. $ salt ));
$ Mysql ['username'] = mysql_real_escape_string ($ clean ['username']);

$ SQL = "SELECT last_failure, password
FROM users
WHERE username = '{$ mysql ['username']}' ";

If ($ result = mysql_query ($ SQL ))
{
If (mysql_num_rows ($ result ))
{
$ Record = mysql_fetch_assoc ($ result );

If ($ record ['last _ failed']> $ max)
{
/* Less than 15 seconds since last failure */
}
Elseif ($ record ['Password'] = $ clean ['Password'])
{
/* Successful Login */
}
Else
{
/* Failed Login */

$ SQL = "UPDATE users
SET last_failure = '$ right'
WHERE username = '{$ mysql ['username']}' ";

Mysql_query ($ SQL );
}
}
Else
{
/* Invalid Username */
}
}
Else
{
/* Error */
}

?>
The previous session limits the frequency of trying the same user after the last verification failed. If you try again within 15 seconds after an attempt fails, the verification will fail no matter whether the password is correct or not. This is the key point of this solution. However, it is not enough to block access within 15 seconds after a failed attempt. At this time, no matter what the input is, the output will be the same. It will be different only after the login is successful. Otherwise, the attacker simply checks the inconsistent output to determine whether the logon is successful.