comment on

Be aware that attackers can use the lockout feature to cause a denial of service attack.

This is why I think it's better to make the system slow down instead of just barring access. After one unsuccessful login, make them wait a second before trying again. After two, make them wait three seconds. After another, nine seconds, and so on. This prevents brute-force attacks by making them time-prohibitive while not noticeably slowing down a legitimate user who can't remember which of his three passwords he used for your service.

Take a look at Tie::Scalar::Decay for an easy way of implementing it. I suggest putting Tie::Scalar::Decay values into a hash which is keyed by the IP address from which the login attempts are coming, and the username they're trying to authenticate as.

In reply to Re^2: Why do you have to worry about Brute Force Attacks? by DrHyde
in thread Why do you have to worry about Brute Force Attacks? by Anonymous Monk

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.